hawkeye_reborn | f2dc1174c060668495a3835ca8af6c2c49c8539163c6913dce2f34b5f7e987c1

General

Target

zicccc.exe
Size

676KB
MD5

ed0bde32aec725b166afb3510ebc730c
SHA1

6a530b42aa9948620c08e41f4ecc95e5f97844e0
SHA256

f2dc1174c060668495a3835ca8af6c2c49c8539163c6913dce2f34b5f7e987c1
SHA512

27132f088cab367ffdc1f665bae4fdfc420a2583602a7c0f569549d21a5bb4abee55a03af5c4809f29a275d73e77a1d0f7d3007f82029fcaee607e2d0d114fff

Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.5

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
@Mexico3,.

Mutex

156377e6-d566-42fd-9fad-3b7b01cb6f5b

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:@Mexico3,. _EmailPort:587 _EmailSSL:true _EmailServer:mail.privateemail.com _EmailUsername:[email protected] _EmptyClipboard:false _EmptyKeyStroke:false _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _LoopPasswordStealer:true _MeltFile:false _Mutex:156377e6-d566-42fd-9fad-3b7b01cb6f5b _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.5 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 2 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/200-2-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger
behavioral2/memory/200-3-0x0000000000497C3E-mapping.dmp	m00nd3v_logger

Suspicious use of SetThreadContext 1 IoCs

Processes:

zicccc.exe

description pid process target process

PID 2604 set thread context of 200 2604 zicccc.exe MSBuild.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3552 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

zicccc.exe

pid process

2604 zicccc.exe
2604 zicccc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

zicccc.exe

description pid process

Token: SeDebugPrivilege 2604 zicccc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

200 MSBuild.exe

description	pid	process	target process
PID 2604 set thread context of 200	2604	zicccc.exe	MSBuild.exe

pid	process
3552	schtasks.exe

pid	process
2604	zicccc.exe
2604	zicccc.exe

description	pid	process
Token: SeDebugPrivilege	2604	zicccc.exe

pid	process
200	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

zicccc.exe

description	pid	process	target process
PID 2604 wrote to memory of 3552	2604	zicccc.exe	schtasks.exe
PID 2604 wrote to memory of 3552	2604	zicccc.exe	schtasks.exe
PID 2604 wrote to memory of 3552	2604	zicccc.exe	schtasks.exe
PID 2604 wrote to memory of 196	2604	zicccc.exe	MSBuild.exe
PID 2604 wrote to memory of 196	2604	zicccc.exe	MSBuild.exe
PID 2604 wrote to memory of 196	2604	zicccc.exe	MSBuild.exe
PID 2604 wrote to memory of 200	2604	zicccc.exe	MSBuild.exe
PID 2604 wrote to memory of 200	2604	zicccc.exe	MSBuild.exe
PID 2604 wrote to memory of 200	2604	zicccc.exe	MSBuild.exe
PID 2604 wrote to memory of 200	2604	zicccc.exe	MSBuild.exe
PID 2604 wrote to memory of 200	2604	zicccc.exe	MSBuild.exe
PID 2604 wrote to memory of 200	2604	zicccc.exe	MSBuild.exe
PID 2604 wrote to memory of 200	2604	zicccc.exe	MSBuild.exe
PID 2604 wrote to memory of 200	2604	zicccc.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\zicccc.exe
"C:\Users\Admin\AppData\Local\Temp\zicccc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JFNkwuovkAO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp51FE.tmp"
2⤵
- Creates scheduled task(s)
PID:3552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
2⤵
PID:196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
2⤵
- Suspicious use of SetWindowsHookEx
PID:200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp51FE.tmp

MD5
a132397472cf37c9496cc3dc9ff67b37

SHA1
096bd6a4d1f1d81ce7dea12f2fc726f7a758070c

SHA256
acbd925b163a9f21f2852329a2cb97c8ca6053c29461df7ec4ead8ac24513b56

SHA512
4af5ce7587556bc23cb1c8b59cee735164ff8e2b41bbb29b2fba1041d8e8993fbb6adae89fa8ac2196aa2deb903fa114010ccba93a56b19b80d72b5db1ea8910

Download Submit
memory/200-2-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/200-3-0x0000000000497C3E-mapping.dmp

Download
memory/3552-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads