hawkeye_reborn | 6fae483946b9dc71f99282194f9d91b43b5fa1e279be3915f41cda094d28f524

General

Target

Contract Offer.exe
Size

672KB
MD5

5d560917f54b8b3c532bccae250dd558
SHA1

fd1e8e6d71eeb4ed9d4288c62e3c6627c6bab15f
SHA256

5fb3c9a42ded740fdc4f9329592f9bc151b184e052cb17ee3e084e3f23e86465
SHA512

1ee040dc84695fb1a71d0cc86dd4f12ad5dd76882d18499b3560e1b948365142a56796af182dcde323f7d5a3c33c75c25c7e9d0c5b1cee6ca550982c957f0fbf

Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
333link00win

Mutex

6ab1d9e0-a54f-4834-962b-f8a6a128cbbe

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:333link00win _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:6ab1d9e0-a54f-4834-962b-f8a6a128cbbe _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 3 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1120-61-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1120-62-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1120-63-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1936-71-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1936-73-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1936-71-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1936-73-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

Contract Offer.exeContract Offer.exe

description	pid	process	target process
PID 2032 set thread context of 1120	2032	Contract Offer.exe	Contract Offer.exe
PID 1120 set thread context of 1936	1120	Contract Offer.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

652 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Contract Offer.exe

pid process

2032 Contract Offer.exe
2032 Contract Offer.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Contract Offer.exe

description pid process

Token: SeDebugPrivilege 2032 Contract Offer.exe

pid	process
652	schtasks.exe

pid	process
2032	Contract Offer.exe
2032	Contract Offer.exe

description	pid	process
Token: SeDebugPrivilege	2032	Contract Offer.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Contract Offer.exeContract Offer.exe

description	pid	process	target process
PID 2032 wrote to memory of 652	2032	Contract Offer.exe	schtasks.exe
PID 2032 wrote to memory of 652	2032	Contract Offer.exe	schtasks.exe
PID 2032 wrote to memory of 652	2032	Contract Offer.exe	schtasks.exe
PID 2032 wrote to memory of 652	2032	Contract Offer.exe	schtasks.exe
PID 2032 wrote to memory of 1628	2032	Contract Offer.exe	Contract Offer.exe
PID 2032 wrote to memory of 1628	2032	Contract Offer.exe	Contract Offer.exe
PID 2032 wrote to memory of 1628	2032	Contract Offer.exe	Contract Offer.exe
PID 2032 wrote to memory of 1628	2032	Contract Offer.exe	Contract Offer.exe
PID 2032 wrote to memory of 1120	2032	Contract Offer.exe	Contract Offer.exe
PID 2032 wrote to memory of 1120	2032	Contract Offer.exe	Contract Offer.exe
PID 2032 wrote to memory of 1120	2032	Contract Offer.exe	Contract Offer.exe
PID 2032 wrote to memory of 1120	2032	Contract Offer.exe	Contract Offer.exe
PID 2032 wrote to memory of 1120	2032	Contract Offer.exe	Contract Offer.exe
PID 2032 wrote to memory of 1120	2032	Contract Offer.exe	Contract Offer.exe
PID 2032 wrote to memory of 1120	2032	Contract Offer.exe	Contract Offer.exe
PID 2032 wrote to memory of 1120	2032	Contract Offer.exe	Contract Offer.exe
PID 2032 wrote to memory of 1120	2032	Contract Offer.exe	Contract Offer.exe
PID 1120 wrote to memory of 1936	1120	Contract Offer.exe	vbc.exe
PID 1120 wrote to memory of 1936	1120	Contract Offer.exe	vbc.exe
PID 1120 wrote to memory of 1936	1120	Contract Offer.exe	vbc.exe
PID 1120 wrote to memory of 1936	1120	Contract Offer.exe	vbc.exe
PID 1120 wrote to memory of 1936	1120	Contract Offer.exe	vbc.exe
PID 1120 wrote to memory of 1936	1120	Contract Offer.exe	vbc.exe
PID 1120 wrote to memory of 1936	1120	Contract Offer.exe	vbc.exe
PID 1120 wrote to memory of 1936	1120	Contract Offer.exe	vbc.exe
PID 1120 wrote to memory of 1936	1120	Contract Offer.exe	vbc.exe
PID 1120 wrote to memory of 1936	1120	Contract Offer.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Contract Offer.exe
"C:\Users\Admin\AppData\Local\Temp\Contract Offer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fnqjKoK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8526.tmp"
2⤵
- Creates scheduled task(s)
PID:652

C:\Users\Admin\AppData\Local\Temp\Contract Offer.exe
"{path}"
2⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\Contract Offer.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp76F.tmp"
3⤵
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8526.tmp

MD5
2d749d13a9fe8379095e985a2c38953d

SHA1
99bce2cdfc36ebd2170d07cd06a03a1815f01733

SHA256
e86f4540f7d6470c6eb65e1a875faf3bdd0dcccec788586f4c95fe25745db34d

SHA512
d67b53fb17035fb7c62b000fc141188ce3c68568a60ca0dc2ee782c23c1d53d9bf90d4ae13979afd3c3c98261987023668013f1e000a7b89720f22e1c1f02260

Download Submit
memory/1120-63-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1120-62-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1120-60-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1120-59-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1120-65-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1120-61-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1936-66-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1936-67-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1936-68-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1936-69-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1936-70-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1936-71-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1936-73-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2032-57-0x0000000000C21000-0x0000000000C22000-memory.dmp

Filesize
4KB

Download
memory/2032-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads