hawkeye_reborn | f2dc1174c060668495a3835ca8af6c2c49c8539163c6913dce2f34b5f7e987c1

General

Target

zicccc.exe
Size

676KB
MD5

ed0bde32aec725b166afb3510ebc730c
SHA1

6a530b42aa9948620c08e41f4ecc95e5f97844e0
SHA256

f2dc1174c060668495a3835ca8af6c2c49c8539163c6913dce2f34b5f7e987c1
SHA512

27132f088cab367ffdc1f665bae4fdfc420a2583602a7c0f569549d21a5bb4abee55a03af5c4809f29a275d73e77a1d0f7d3007f82029fcaee607e2d0d114fff

Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.5

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
@Mexico3,.

Mutex

156377e6-d566-42fd-9fad-3b7b01cb6f5b

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:@Mexico3,. _EmailPort:587 _EmailSSL:true _EmailServer:mail.privateemail.com _EmailUsername:[email protected] _EmptyClipboard:false _EmptyKeyStroke:false _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _LoopPasswordStealer:true _MeltFile:false _Mutex:156377e6-d566-42fd-9fad-3b7b01cb6f5b _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.5 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 4 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1752-2-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger
behavioral1/memory/1752-5-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger
behavioral1/memory/1752-4-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger
behavioral1/memory/1752-3-0x0000000000497C3E-mapping.dmp	m00nd3v_logger

Suspicious use of SetThreadContext 1 IoCs

Processes:

zicccc.exe

description pid process target process

PID 1916 set thread context of 1752 1916 zicccc.exe MSBuild.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

316 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

1752 MSBuild.exe

description	pid	process	target process
PID 1916 set thread context of 1752	1916	zicccc.exe	MSBuild.exe

pid	process
316	schtasks.exe

pid	process
1752	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

zicccc.exe

description	pid	process	target process
PID 1916 wrote to memory of 316	1916	zicccc.exe	schtasks.exe
PID 1916 wrote to memory of 316	1916	zicccc.exe	schtasks.exe
PID 1916 wrote to memory of 316	1916	zicccc.exe	schtasks.exe
PID 1916 wrote to memory of 316	1916	zicccc.exe	schtasks.exe
PID 1916 wrote to memory of 1752	1916	zicccc.exe	MSBuild.exe
PID 1916 wrote to memory of 1752	1916	zicccc.exe	MSBuild.exe
PID 1916 wrote to memory of 1752	1916	zicccc.exe	MSBuild.exe
PID 1916 wrote to memory of 1752	1916	zicccc.exe	MSBuild.exe
PID 1916 wrote to memory of 1752	1916	zicccc.exe	MSBuild.exe
PID 1916 wrote to memory of 1752	1916	zicccc.exe	MSBuild.exe
PID 1916 wrote to memory of 1752	1916	zicccc.exe	MSBuild.exe
PID 1916 wrote to memory of 1752	1916	zicccc.exe	MSBuild.exe
PID 1916 wrote to memory of 1752	1916	zicccc.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\zicccc.exe
"C:\Users\Admin\AppData\Local\Temp\zicccc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JFNkwuovkAO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBD0.tmp"
2⤵
- Creates scheduled task(s)
PID:316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBBD0.tmp

MD5
43b585327f7ce0975b95da60c4981dba

SHA1
f5bf79e9061e0daf3001fcce87a2c5ff6853ec4c

SHA256
4e840ff9482ba02f96f397f2f257d9a2de6acab18051d4fa3d9eb4daea4e6c15

SHA512
60ae54785e72b8c7e5e6ae0c7dd463b6fe8f8296d871abf5e7341f8d09608bb262da3592167ec5ac7db9209c017c1e14ad0b7c4faa09b4258b96314c5b608b8b

Download Submit
memory/316-0-0x0000000000000000-mapping.dmp

Download
memory/1752-2-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1752-5-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1752-4-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1752-3-0x0000000000497C3E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads