hawkeye_reborn | 615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e

General

Target

615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
Size

928KB
MD5

4e1c63f6dea273fa69557ad90b9d4df6
SHA1

f08df5fba2f8abb1cb90c9448400f40ace024293
SHA256

615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e
SHA512

ca97efeabedce4a76bfc09d47e87193185cc9004976340d0a76c72b61dce72d40b374a24f38f266bb2d9bb84f2ac6d800dad65fc16f1889a9fd90e5486f421eb

Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.0.0

Credentials

Protocol: smtp
Host:
mail.eagleeyeapparels.com
Port:
587
Username:
[email protected]
Password:
eagle*qaz

Mutex

f9a93be0-7cc8-469a-b7ec-5d228b464786

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:eagle*qaz _EmailPort:587 _EmailSSL:true _EmailServer:mail.eagleeyeapparels.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:f9a93be0-7cc8-469a-b7ec-5d228b464786 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 3 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1712-60-0x0000000000400000-0x00000000004AA000-memory.dmp	m00nd3v_logger
behavioral1/memory/1712-61-0x0000000000400000-0x00000000004AA000-memory.dmp	m00nd3v_logger
behavioral1/memory/1712-62-0x0000000000400000-0x00000000004AA000-memory.dmp	m00nd3v_logger

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1380-70-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView
behavioral1/memory/1380-73-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1380-70-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft
behavioral1/memory/1380-73-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exeMSBuild.exe

description	pid	process	target process
PID 2000 set thread context of 1712	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 1712 set thread context of 1380	1712	MSBuild.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exevbc.exeMSBuild.exe

pid process

2000 615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
1380 vbc.exe
1712 MSBuild.exe
1712 MSBuild.exe

pid	process
2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
1380	vbc.exe
1712	MSBuild.exe
1712	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
Token: SeDebugPrivilege	1712	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

1712 MSBuild.exe

pid	process
1712	MSBuild.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exeMSBuild.exe

description	pid	process	target process
PID 2000 wrote to memory of 1408	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 2000 wrote to memory of 1408	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 2000 wrote to memory of 1408	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 2000 wrote to memory of 1408	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 2000 wrote to memory of 1712	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 2000 wrote to memory of 1712	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 2000 wrote to memory of 1712	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 2000 wrote to memory of 1712	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 2000 wrote to memory of 1712	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 2000 wrote to memory of 1712	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 2000 wrote to memory of 1712	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 2000 wrote to memory of 1712	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 2000 wrote to memory of 1712	2000	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	MSBuild.exe
PID 1712 wrote to memory of 1380	1712	MSBuild.exe	vbc.exe
PID 1712 wrote to memory of 1380	1712	MSBuild.exe	vbc.exe
PID 1712 wrote to memory of 1380	1712	MSBuild.exe	vbc.exe
PID 1712 wrote to memory of 1380	1712	MSBuild.exe	vbc.exe
PID 1712 wrote to memory of 1380	1712	MSBuild.exe	vbc.exe
PID 1712 wrote to memory of 1380	1712	MSBuild.exe	vbc.exe
PID 1712 wrote to memory of 1380	1712	MSBuild.exe	vbc.exe
PID 1712 wrote to memory of 1380	1712	MSBuild.exe	vbc.exe
PID 1712 wrote to memory of 1380	1712	MSBuild.exe	vbc.exe
PID 1712 wrote to memory of 1380	1712	MSBuild.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
"C:\Users\Admin\AppData\Local\Temp\615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
2⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp666F.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp666F.tmp

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1380-65-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1380-73-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1380-69-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1380-70-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1380-68-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1380-67-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1380-66-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1712-60-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1712-64-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1712-62-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1712-61-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1712-59-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1712-58-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1712-72-0x0000000000CC1000-0x0000000000CC2000-memory.dmp

Filesize
4KB

Download
memory/1712-75-0x0000000000CC6000-0x0000000000CD7000-memory.dmp

Filesize
68KB

Download
memory/2000-55-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download
memory/2000-57-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/2000-56-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads