hawkeye_reborn | 5024c970c93f71f337a7a013d96a40d0c74870f1b6b25480bd5a507b70580cf1

General

Target

0000000347034555_06052020.exe
Size

688KB
MD5

47b0196de05f2982f986ad83c571729b
SHA1

410dd7090a599d42f343c74b3c5b72092a55ee61
SHA256

5024c970c93f71f337a7a013d96a40d0c74870f1b6b25480bd5a507b70580cf1
SHA512

5a7488326eeaf0217b2d481bb93ae83960b9b3a75cc39be8ab04e8bfd0562cccc866ab279a6e6867d0ef8cd07ea216977f0bb2ae57721e27979e090e60237aeb

Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

Protocol: ftp
Host:
ftp.airbiast.com
Port:
21
Username:
[email protected]
Password:
playboy123#

Mutex

40f2c4d7-d616-43ae-974d-93b4bdc7e04d

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:playboy123# _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.airbiast.com _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:43800 _MeltFile:false _Mutex:40f2c4d7-d616-43ae-974d-93b4bdc7e04d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 4 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1780-7-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1780-8-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral1/memory/1780-9-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1780-10-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/336-4-0x0000000004B50000-0x0000000004BE1000-memory.dmp	rezer0

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

0000000347034555_06052020.exe

description pid process target process

PID 336 set thread context of 1780 336 0000000347034555_06052020.exe 0000000347034555_06052020.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1048 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0000000347034555_06052020.exe0000000347034555_06052020.exe

description pid process

Token: SeDebugPrivilege 336 0000000347034555_06052020.exe
Token: SeDebugPrivilege 1780 0000000347034555_06052020.exe

flow	ioc
5	bot.whatismyipaddress.com

description	pid	process	target process
PID 336 set thread context of 1780	336	0000000347034555_06052020.exe	0000000347034555_06052020.exe

pid	process
1048	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	336	0000000347034555_06052020.exe
Token: SeDebugPrivilege	1780	0000000347034555_06052020.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0000000347034555_06052020.exe

description	pid	process	target process
PID 336 wrote to memory of 1048	336	0000000347034555_06052020.exe	schtasks.exe
PID 336 wrote to memory of 1048	336	0000000347034555_06052020.exe	schtasks.exe
PID 336 wrote to memory of 1048	336	0000000347034555_06052020.exe	schtasks.exe
PID 336 wrote to memory of 1048	336	0000000347034555_06052020.exe	schtasks.exe
PID 336 wrote to memory of 1780	336	0000000347034555_06052020.exe	0000000347034555_06052020.exe
PID 336 wrote to memory of 1780	336	0000000347034555_06052020.exe	0000000347034555_06052020.exe
PID 336 wrote to memory of 1780	336	0000000347034555_06052020.exe	0000000347034555_06052020.exe
PID 336 wrote to memory of 1780	336	0000000347034555_06052020.exe	0000000347034555_06052020.exe
PID 336 wrote to memory of 1780	336	0000000347034555_06052020.exe	0000000347034555_06052020.exe
PID 336 wrote to memory of 1780	336	0000000347034555_06052020.exe	0000000347034555_06052020.exe
PID 336 wrote to memory of 1780	336	0000000347034555_06052020.exe	0000000347034555_06052020.exe
PID 336 wrote to memory of 1780	336	0000000347034555_06052020.exe	0000000347034555_06052020.exe
PID 336 wrote to memory of 1780	336	0000000347034555_06052020.exe	0000000347034555_06052020.exe

C:\Users\Admin\AppData\Local\Temp\0000000347034555_06052020.exe
"C:\Users\Admin\AppData\Local\Temp\0000000347034555_06052020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiQVpIZAeSJIEc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7224.tmp"
2⤵
- Creates scheduled task(s)
PID:1048

C:\Users\Admin\AppData\Local\Temp\0000000347034555_06052020.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7224.tmp

MD5
1c815eb7319db48b2e50bf6c4a4e415d

SHA1
c868699dcc550b88b4695ebdbba8620e73ff21d4

SHA256
d35801c14767cf15a9be3081512bb53d2c4acc3b00368c90d82344b374ccc15c

SHA512
7c14ad2471c35214297557e255450bd19e557008b55f8bfc01fa96b3a673c3fb060395c8f5e7693df86750b65132d6c390d5c360114f643dcc6db018e716f6d5

Download Submit
memory/336-1-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/336-3-0x0000000000430000-0x0000000000433000-memory.dmp

Filesize
12KB

Download
memory/336-4-0x0000000004B50000-0x0000000004BE1000-memory.dmp

Filesize
580KB

Download
memory/336-0-0x0000000074DA0000-0x000000007548E000-memory.dmp

Filesize
6.9MB

Download
memory/832-15-0x000007FEF7D30000-0x000007FEF7FAA000-memory.dmp

Filesize
2.5MB

Download
memory/1048-5-0x0000000000000000-mapping.dmp

Download
memory/1780-7-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1780-9-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1780-10-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1780-11-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/1780-14-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1780-8-0x000000000048A1DE-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads