hawkeye_reborn | 935a43c31588bdde6e27396f3e0e704f3e8c71820080101fdf707b7595d9ba0b

General

Target

xSL4FcGiFNAXgLg.exe
Size

987KB
MD5

13448c9fe9b5e6b6a6d3994bba8f9555
SHA1

962eb66a7322172d457bfd81be7502cec6d7b5f9
SHA256

d9f2a175430adc77bc769e257717d0c3afdef060686fd7da3b7f3871f1e9a9d2
SHA512

1cbf63a85385baef34dab3fc18c080a18c3a89de3c18177e1c3e7372f1acdba3c25635855355b2de937bc667ec47f6749693f9130fb15e80b9d9e4f61d4f7bc8

Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.0.0

Credentials

Protocol: smtp
Host:
mail.continentalmanpower.com
Port:
26
Username:
[email protected]
Password:
MumCon05

Mutex

51386575-9c41-482f-8c0b-bba72d83b6ee

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:MumCon05 _EmailPort:26 _EmailSSL:true _EmailServer:mail.continentalmanpower.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:51386575-9c41-482f-8c0b-bba72d83b6ee _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 3 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1036-61-0x0000000000400000-0x00000000004AA000-memory.dmp	m00nd3v_logger
behavioral1/memory/1036-62-0x0000000000400000-0x00000000004AA000-memory.dmp	m00nd3v_logger
behavioral1/memory/1036-63-0x0000000000400000-0x00000000004AA000-memory.dmp	m00nd3v_logger

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1700-72-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView
behavioral1/memory/1700-74-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1700-72-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft
behavioral1/memory/1700-74-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

xSL4FcGiFNAXgLg.exexSL4FcGiFNAXgLg.exe

description	pid	process	target process
PID 760 set thread context of 1036	760	xSL4FcGiFNAXgLg.exe	xSL4FcGiFNAXgLg.exe
PID 1036 set thread context of 1700	1036	xSL4FcGiFNAXgLg.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

784 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vbc.exexSL4FcGiFNAXgLg.exe

pid process

1700 vbc.exe
1036 xSL4FcGiFNAXgLg.exe
1036 xSL4FcGiFNAXgLg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

xSL4FcGiFNAXgLg.exe

description pid process

Token: SeDebugPrivilege 1036 xSL4FcGiFNAXgLg.exe

pid	process
784	schtasks.exe

pid	process
1700	vbc.exe
1036	xSL4FcGiFNAXgLg.exe
1036	xSL4FcGiFNAXgLg.exe

description	pid	process
Token: SeDebugPrivilege	1036	xSL4FcGiFNAXgLg.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

xSL4FcGiFNAXgLg.exexSL4FcGiFNAXgLg.exe

description	pid	process	target process
PID 760 wrote to memory of 784	760	xSL4FcGiFNAXgLg.exe	schtasks.exe
PID 760 wrote to memory of 784	760	xSL4FcGiFNAXgLg.exe	schtasks.exe
PID 760 wrote to memory of 784	760	xSL4FcGiFNAXgLg.exe	schtasks.exe
PID 760 wrote to memory of 784	760	xSL4FcGiFNAXgLg.exe	schtasks.exe
PID 760 wrote to memory of 1036	760	xSL4FcGiFNAXgLg.exe	xSL4FcGiFNAXgLg.exe
PID 760 wrote to memory of 1036	760	xSL4FcGiFNAXgLg.exe	xSL4FcGiFNAXgLg.exe
PID 760 wrote to memory of 1036	760	xSL4FcGiFNAXgLg.exe	xSL4FcGiFNAXgLg.exe
PID 760 wrote to memory of 1036	760	xSL4FcGiFNAXgLg.exe	xSL4FcGiFNAXgLg.exe
PID 760 wrote to memory of 1036	760	xSL4FcGiFNAXgLg.exe	xSL4FcGiFNAXgLg.exe
PID 760 wrote to memory of 1036	760	xSL4FcGiFNAXgLg.exe	xSL4FcGiFNAXgLg.exe
PID 760 wrote to memory of 1036	760	xSL4FcGiFNAXgLg.exe	xSL4FcGiFNAXgLg.exe
PID 760 wrote to memory of 1036	760	xSL4FcGiFNAXgLg.exe	xSL4FcGiFNAXgLg.exe
PID 760 wrote to memory of 1036	760	xSL4FcGiFNAXgLg.exe	xSL4FcGiFNAXgLg.exe
PID 1036 wrote to memory of 1700	1036	xSL4FcGiFNAXgLg.exe	vbc.exe
PID 1036 wrote to memory of 1700	1036	xSL4FcGiFNAXgLg.exe	vbc.exe
PID 1036 wrote to memory of 1700	1036	xSL4FcGiFNAXgLg.exe	vbc.exe
PID 1036 wrote to memory of 1700	1036	xSL4FcGiFNAXgLg.exe	vbc.exe
PID 1036 wrote to memory of 1700	1036	xSL4FcGiFNAXgLg.exe	vbc.exe
PID 1036 wrote to memory of 1700	1036	xSL4FcGiFNAXgLg.exe	vbc.exe
PID 1036 wrote to memory of 1700	1036	xSL4FcGiFNAXgLg.exe	vbc.exe
PID 1036 wrote to memory of 1700	1036	xSL4FcGiFNAXgLg.exe	vbc.exe
PID 1036 wrote to memory of 1700	1036	xSL4FcGiFNAXgLg.exe	vbc.exe
PID 1036 wrote to memory of 1700	1036	xSL4FcGiFNAXgLg.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\xSL4FcGiFNAXgLg.exe
"C:\Users\Admin\AppData\Local\Temp\xSL4FcGiFNAXgLg.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbCowtz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D29.tmp"
2⤵
- Creates scheduled task(s)
PID:784

C:\Users\Admin\AppData\Local\Temp\xSL4FcGiFNAXgLg.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE3E9.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9D29.tmp

MD5
3bb7923d81db2a5d96e46b5fe5eb6fcf

SHA1
aadb052a1879176a1e85303aa535810f35049aaa

SHA256
cea8cddc25a15acd2e102f6f38488f3bd9218e49d70e4bc8d24da79ba66bd640

SHA512
ba9929fec4d75e8c42a12b0a682d97790f4a03384d41b1ef19ca0e5a7a95077a1c6dfb06f981fe2f6a5f2cd918aeee1b3ecf19e68c9355f57267e64140976f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE3E9.tmp

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/760-55-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/760-56-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/760-57-0x0000000000171000-0x0000000000172000-memory.dmp

Filesize
4KB

Download
memory/1036-63-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1036-61-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1036-62-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1036-60-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1036-65-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1036-59-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1700-67-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1700-68-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1700-69-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1700-70-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1700-71-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1700-72-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1700-74-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads