hawkeye_reborn | e83be3e4db904d9f9896cd039170dc3fba0f316b6be60affea209aae96da71b8

General

Target

AjovBsK6skyH9YF.exe
Size

678KB
MD5

27f2b3826d5a67edd9723735f56a4618
SHA1

5658651dd0048f9ee597326670f5a3f934862f6c
SHA256

e83be3e4db904d9f9896cd039170dc3fba0f316b6be60affea209aae96da71b8
SHA512

d60931eb34c346388cd3fbc600beee4af3d1a084f2b4d9d9e117ec33d41863550edabd2bcab295c08ab50efb55ba66f02bc5e16e0b471b9f797c0aaa434326f4

Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.5

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
info23@huatengaccessfloor.icu
Password:
1234567890

Mutex

6350b6c8-ea52-47b7-965a-70bcc39b86e5

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:1234567890 _EmailPort:587 _EmailSSL:true _EmailServer:mail.privateemail.com _EmailUsername:info23@huatengaccessfloor.icu _EmptyClipboard:false _EmptyKeyStroke:false _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _LoopPasswordStealer:true _MeltFile:false _Mutex:6350b6c8-ea52-47b7-965a-70bcc39b86e5 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.5 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 2 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/184-2-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger
behavioral2/memory/184-3-0x0000000000497C3E-mapping.dmp	m00nd3v_logger

Suspicious use of SetThreadContext 1 IoCs

Processes:

AjovBsK6skyH9YF.exe

description pid process target process

PID 3980 set thread context of 184 3980 AjovBsK6skyH9YF.exe MSBuild.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4036 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

184 MSBuild.exe

description	pid	process	target process
PID 3980 set thread context of 184	3980	AjovBsK6skyH9YF.exe	MSBuild.exe

pid	process
4036	schtasks.exe

pid	process
184	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

AjovBsK6skyH9YF.exe

description	pid	process	target process
PID 3980 wrote to memory of 4036	3980	AjovBsK6skyH9YF.exe	schtasks.exe
PID 3980 wrote to memory of 4036	3980	AjovBsK6skyH9YF.exe	schtasks.exe
PID 3980 wrote to memory of 4036	3980	AjovBsK6skyH9YF.exe	schtasks.exe
PID 3980 wrote to memory of 184	3980	AjovBsK6skyH9YF.exe	MSBuild.exe
PID 3980 wrote to memory of 184	3980	AjovBsK6skyH9YF.exe	MSBuild.exe
PID 3980 wrote to memory of 184	3980	AjovBsK6skyH9YF.exe	MSBuild.exe
PID 3980 wrote to memory of 184	3980	AjovBsK6skyH9YF.exe	MSBuild.exe
PID 3980 wrote to memory of 184	3980	AjovBsK6skyH9YF.exe	MSBuild.exe
PID 3980 wrote to memory of 184	3980	AjovBsK6skyH9YF.exe	MSBuild.exe
PID 3980 wrote to memory of 184	3980	AjovBsK6skyH9YF.exe	MSBuild.exe
PID 3980 wrote to memory of 184	3980	AjovBsK6skyH9YF.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\AjovBsK6skyH9YF.exe
"C:\Users\Admin\AppData\Local\Temp\AjovBsK6skyH9YF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tkqxkyVUWfaxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3C05.tmp"
2⤵
- Creates scheduled task(s)
PID:4036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
2⤵
- Suspicious use of SetWindowsHookEx
PID:184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3C05.tmp
MD5
6e1dd869027c5ae154ecf4b8aeffd9c3

SHA1
6cac952e5363d1c78204e7d44d8fa21fe7c19c96

SHA256
db3c3af0de40af9ea643e2e27371a7f30ed45842c92bd33b76bde46d2068eed9

SHA512
35ff96d7a41ed068020b6df888492d95446e800023697fdf227cb22eba8b7dcddc5fc80d9175d80fab6b315658875f5ab3cee1056faa0b506bcb2935da537947

Download Submit
memory/184-2-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/184-3-0x0000000000497C3E-mapping.dmp

Download
memory/4036-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads