hawkeye_reborn | 56b02707b5f12fd4e8f79fdd9dd9f7eb82394798317a76e499c7d0d659b2d759

General

Target

Po reference Details 00001.exe
Size

690KB
MD5

779713e710d891c7de1bf69bb5557684
SHA1

1d48c2c1bd87c68cdeeda3aee856833f10400ed4
SHA256

56b02707b5f12fd4e8f79fdd9dd9f7eb82394798317a76e499c7d0d659b2d759
SHA512

ea90c8e3302b2562cc5d545523ea442604a739ae56af1fcc13250016b18903bf996e8333401b6c9a792da15aa9c85b4a47ead233648a7554d0b93543d5e0a214

Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.5

Credentials

Protocol: smtp
Host:
mail.gajjarlaser.com
Port:
587
Username:
info@gajjarlaser.com
Password:
#info#123$

Mutex

10351c26-c9ab-4c8e-9c6c-194a12242888

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:#info#123$ _EmailPort:587 _EmailSSL:true _EmailServer:mail.gajjarlaser.com _EmailUsername:info@gajjarlaser.com _EmptyClipboard:false _EmptyKeyStroke:false _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _LoopPasswordStealer:false _MeltFile:false _Mutex:10351c26-c9ab-4c8e-9c6c-194a12242888 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.5 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 4 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1972-0-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger
behavioral1/memory/1972-1-0x0000000000497C3E-mapping.dmp	m00nd3v_logger
behavioral1/memory/1972-2-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger
behavioral1/memory/1972-3-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

Po reference Details 00001.exeRegSvcs.exe

description	pid	process	target process
PID 1640 set thread context of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1972 set thread context of 1080	1972	RegSvcs.exe	vbc.exe
PID 1972 set thread context of 1100	1972	RegSvcs.exe	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Po reference Details 00001.exeRegSvcs.exe

description	pid	process	target process
PID 1640 wrote to memory of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1640 wrote to memory of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1640 wrote to memory of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1640 wrote to memory of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1640 wrote to memory of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1640 wrote to memory of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1640 wrote to memory of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1640 wrote to memory of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1640 wrote to memory of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1640 wrote to memory of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1640 wrote to memory of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1640 wrote to memory of 1972	1640	Po reference Details 00001.exe	RegSvcs.exe
PID 1972 wrote to memory of 1080	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1080	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1080	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1080	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1080	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1080	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1080	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1080	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1080	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1080	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1100	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1100	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1100	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1100	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1100	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1100	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1100	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1100	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1100	1972	RegSvcs.exe	vbc.exe
PID 1972 wrote to memory of 1100	1972	RegSvcs.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Po reference Details 00001.exe
"C:\Users\Admin\AppData\Local\Temp\Po reference Details 00001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA6CA.tmp"
3⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA851.tmp"
3⤵
PID:1100

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-4-0x000007FEF8800000-0x000007FEF8A7A000-memory.dmp

Filesize
2.5MB

Download
memory/1080-6-0x000000000041211A-mapping.dmp

Download
memory/1080-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1080-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1100-9-0x000000000041211A-mapping.dmp

Download
memory/1100-10-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1972-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1972-1-0x0000000000497C3E-mapping.dmp

Download
memory/1972-2-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1972-3-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads