hawkeye_reborn | 9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0

General

Target

9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe
Size

1.9MB
MD5

b4d77d39b5e0483fc1e5281874391d7f
SHA1

7bbeed46600eb5a61805815ab289666223c89565
SHA256

9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0
SHA512

aabfff6231b642b057ff6a756a2e6b0b7946b81c5d1be71747241e9a2af5757b36289789e72db04ccc95f770c5bedfa1f5b47aa5ce9dbabf05d92805a9f313b6

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
money65

Mutex

607a40b2-219b-4874-862f-01235e2a93a7

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:money65 _EmailPort:587 _EmailSSL:true _EmailServer:mail.privateemail.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:607a40b2-219b-4874-862f-01235e2a93a7 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/632-136-0x0000000000432000-0x00000000004BC000-memory.dmp	m00nd3v_logger
behavioral2/memory/632-137-0x0000000000430000-0x00000000004C0000-memory.dmp	m00nd3v_logger

Suspicious use of SetThreadContext 1 IoCs

Processes:

9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe

description	pid	process	target process
PID 3532 set thread context of 632	3532	9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe	RegAsm.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000d90244a43b66a3477e942a3920455f8463f7ed1372292fe1601f656db781e592000000000e80000000020000200000007e72a011b724410e19633cb66f29ab57d4ede7ca3ad191c68cf2cbd7861db1e6200d00007c21ddd83b6498e4dac28bb929d063c5bf6a014658311fd4fc6a8eb8624131aac4aa866ac277cc4a1c846813bfaa0f97be86b5a774f29710c2421a6579ac2d35c9f2a0b1f21a62b3ecde9ad410f02e68ef5a5b2af6e78bd0e14fc72ebdde25f402132fffec5b07f4720ae3847e45f98d53e5efcb2e494ac4c8367f822c663eefab746ffe8b6ec08a16ca80649200941a558269a6d86715e4706e3043b22749f7b4fb05c884d3c0efe6c66e38c49e3fa182cdcf9a06f2746e69c09ce69c3aa7a87b81dfe07b57295bb17b2343c0847ff71106d580a0b0d7d5ceeb1c0908b2785c41dad1896d9de8cb63d7b8f94f94a3973fc77c33d91a2b758ebd1bd67aa81b68539f01143362d21168ebdb368f7261e50d60ba5c9ad695db012dd67fac7f849eeb3ccd6fa95d9b5030417ed66895619b7cb6495185be6193a3a0ca3e54c8e08304a426aca6ce5af0ce8dc91f148c8583c37e184ad417c30a367ae6c3c958e3affc4a15aa62eed93d94792a345d4951eff433e14d76489cf980b8208b9c2f8c6b23bf936f75a858d521f9f370ca581741f5778917fe3e8144e75f91211836adb558cd89380d7081110918e24689e61cbcd39ccab73d766c377260b7fcf065459388469b7ba5483179b8c74811c2b826795ed6a541e0a0648ad00d2faac618ce79ae1f48894d58f8c9a14a44b1da76e6ffdca6f97bd19cd2122ffb8dfa045bf0053052f8032451fa4dea65b71f9c333ddb0a86aae194f2e1fe39553555e575830bbe997dc495035bccab07a06a99f7011250f6e623390fd5208ad83b16634668532ae36b6b21ddf148fa1f9f9ae3abf2c64abf638d545ca034d6d2b2ac66b7942485336da2016ad0e3e5ac108f56ccf412bdacd04bb4b9d522940f6abec75bdb2f80532afeab12cbb74b5fbf2e718287732d74160ef59154c3c7eb365bd8d8036ffbfe698205580c8a83d8c91f6c8c4f9002d8a168de6c7e5b1b7ca39a89a19cf32f9713043c68caace3bdc38aafb877482e9b9c23748cb67687384378eecbcde78834518053f264ea18cfb175154305ba3db3507a1aac3afaf63dbd55a909c5b3c3e5d743c62e63047105cf4a2c56c9668850a890f2a4ed6738a02c456d0c35e795b368e7a9b069b3c7fd5ab3e8980f545d9055700f834ada370ce37b8acc5f5307886510497d660467db15e06744083c8a305315a909d6ba2eebc37a35a9586d006422280045fca5ec8af55734293ed80d6475602c2770c12a05b551c0598b4c363889712f30b847bec9702912935c7737301acf4ce6e6a8152e2f4d1d9fd52382f495abeaea5b299b1053982ec6462f768c6ed6d23dfe31972dc69a77ca6c2b10b533a212e22b2620e400a6a2a06fd3ba28d178979924d3bbde23dc687f31f7113f0881f66097e093e3910bdc8475291e1e8fba8897993180b42dbfa2d43592896e80578fabb7a5539ca7de3d985d6f86260a880fc7a4a4ccbbf5f5837550454c71455c4357eb07d1e4bedcaeadf224d57735261dd05830df475571de991b6619d9995bb2d98e9b6f3de91bb19a97b97691b200aba78863fbfc9158ef46a661897dcc6704412517372f6fcd1d4c3630d8cd68a2a88ac264c9de8c10ad5dc3c425b63ae3c2679bf84c7c79e9fdc052284196ce3b372e825224414fd521b392bf9dfd8e63d73e643941226ccd319de62d1584e9a0302e83e7918d8358c49dab714fda0fcbf1b6147b1c25f014eed0cb9e6714707192b937cc5b786926ee83f951759a80316d33a47f4a075c5a42f3e3a584610d088ea51b5e4958d684bfd0f6744cf57bfb0d1fdffac7991db51f43fbde8436d4d427f442ff2adf10def4daab230d227d1e501dd84c347d4e596559586ba5b4bd2009e59e8ec01a0046e7c4223b96a08a4e2bb70c71157b43fc52cef59d7c445383ed7f78a007139e0bda45f7e45e324a686489d25320d51c3fd176b04df998b7cfcc48be82890742c7d88c24a4743a08ebebf5b38bdf63b73b97c4f0899772c379b7a252917b45c236f67b710f08e1e85ce191a3dd5f99e461ba054a0ddafa442e7272576aa9ce987220c2e1e9c1abd38f3e5a709ae1b0ac0afe1ef868cf464259fea73bb432f70dbb55d58b3339133775852b4f71411e8ed008ed81b0a991ad957a2b511634e6425107f77803e14e7d585898b64cd8b230b20f862e5b4d264b52a57266b68dee4dd25dacaab00077562b2fc6375fc7a71413c906c1f3ab885a9e730cddfdd8af2136b9d17c3de5be63db22294c632838e5a9e7ff50fbb6f80e4ab0944a1b157a165a398ff712e8853d9502db36cfeca06bd0badb04711f67ac6fe17c9a6b02b04d786c5889f02a44980489f9f549de7f10e436dfbc8e38c61fa35bfc3441de9b790db02959a54ae9b7053dcae577579178c1983bd3e1360e2b19961948dd1eefe504c45afd8238d6f521c84587b251c7c5dc652f39bcac2695ee30be049c325078e279337a5dd074ce73edd63dd77ffce13eaf4ee696aeebc2f555a14b3224f6010c6958b089fd9c3ffe2fdd59abf947c4b3b6bd49dc78569ebbb55f21b779aac2f78854da845236596c8292c069b60fa4293de2ada072f0df822ced553afaf9ae19a4e9cbfd38c3c7c717f8079c3182a23def77bf864b4156263e80e5bc827764393edab28f1398c51496a99cfeb35e2e19f5424c1eab21f2bb87e6b10b802ca70c0ba48ca61c4a823475a36b580599ff6f940fe266a9240c15712eafaf7d1163b5333905145b8beebf4790e79722272b8fc4e1ee6d2b563cb778f1c496c83ea3caae1d4302ed9a45fc0b3f7cc91bfe438d40faa1ddcc2e2b47adc2cb9fed53ca2d94a1c50d04cb854ed486c7f85f3f476f5bc16bbe6eba9efc061b9725d670006c0966782ba97508a3c3b10217beb35c0ebd9c1002000d8c7d0bbebea1868f6fc3f00656dbbbd58cbfbbbb4a5c93826776da647efba28070a82c6a886f4e81d4c91c3d33693b071e2096a6136f4262f353458f59d901d0dd2e31f498c2051acdcae7e2f7ca3d6a58ddb2191186269213566999576c17c76522e7a73068b0a9f7ce25a6216549f6d1c4998a0aad201e21c9ad98d521480b44d24e33db0d91b4bf9712c648e76dea49210aee7578d7f76702eff8f934c6e4b106b22417b4e952732c4a79052d077d3399d18efc753fb2bac0b7d0f4ad9291ae962c4931b674c0d5a52e43953d215339368bff79b55812a305906de1501a2f0832201ab768ea34534bb7600b90bcbe24048d74704de6974f5495eae2746469d3816d4d433da0045c7019d0e5d9e97cdec14c592828626ef1fe1c34e5b1acf3d0347dfde8262885600da296cc6790c982c367f77b25e397345bb05394b099e828f54179fe496cbc578ae13484d2e7ae6a14b43a6a8c0f5cc3dfe036fa3dad2cbe9fbba64f7f7558c9272cc25f51a0a9b50e23d93fcd681029127eed3092536611c28af0d3843285ac0271ec4754c4736f45cae3c8d58deb41d3e43eb8d160924f812f0876014f46135c11cc20be706360e1847af704d81aa92b3754524d74a0b8791a197b519426092e2c545cac08c3cc253dece111454f0a66ac8ac24f56f296e4f963f20ac4723932cfa8d2a0f42f024d5b17ab64aeb98d733a0bfaa5ee57a6ed5749d0ef23515213b4140ce4072d65b4b3dd3e9349472ab05b1717b44033a2cf6729a2b200bc78e5b64c0a0679f9a5c75a632bb41a99f3ea649bfaf588ac410385e64da842a8d2439708de73c0423af703931a94e841391d90305717b9fd9e4987bece8a3d58ac2c1396b7de111cf8cc3bc48539f089b616ccce11febec328f900cb26058bcb587980dba0f1e7496543d0b2bfb5f8bd4c92ce959a15ecce7148bf983cb09da0549a524c89f12431a9da37f99f000ed73b23f9434016d4fbc15f8b8c64d08447c1f9f83a00219827bb6ca3a73da730595d335654ac716bd8d0f7b411a4dbaf6ccba0d74d73db594204f98ac2503eeac9cc15351c14724a36ee7acd485555d6a9cf0ad3a59536ca16d1efc88165d1d40c72b748cf50b59ff7c7754eaed3e00ea73f1c898073b2da40fd0eb619e9abd778f7f753bf729a40d222b02980c01f6ab04bc496b851f0ef6b09834c9c8e16a40e37f84012f62e87a38787946cffa08bd3f0e2f2b64024b2000de5a96d727c4a08178c0924b664552f6d1e106a5932d04dde8760562277c88c94b04b9fcd106641e58a64f2efe6c5f7a5e15a98ce4f57d6249b239d30b6a3f5110e9c10ec40f196f1c3796d129ec4eedc06efc2cab796ae8b3d7e5aefcd6ddf1ed3726c8700c6b645200cff1ac9fa677ea8a63a5f043c6346fde4e47fecd38be340a45b48d8fba7ef25f1861ed54587b8eb81c1cb80ad57a1e12cf0acb6e03b4867fe3207dd1917b85f4f88192450c23b18ed94266e676c3205b9453bfa84a6cccddd2df3e712a3cd484d0044d1324e7147b7cc9d47a9f6b082ab3a3f765baa78d0efc039ed4ba2f73afb2eba6788635b6a88e28b6d7d922866c029a10358fbfd8a3cbe1df77bee368c568d2a089287c5b2984f0cb360064ba400bf38591c922b570dfc3907d00b7cdf0f88b53c8f2b2e997f37d1509f9316a768ace86e29ad3bb3a9ac5d2e159a0d727a331aa9d3b9ed25f863e4becb283bf8c164e6871c27ea3ab8d9c8b4fcec60c896e04ededaecdc7658b2b4abbe8340f89f1679c559e3a0d75de520db8e0eb987842cb26f9f76675341c6c430fa1157b62bc4ba484000000051fd7a687b73f3c013f32be9247fd94803768a92c83a166ae4e3a3a1c33af66ffb52767f77c74ff5273cfa1110d0234974435cc1638ee7284f042ea55b357552	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "001800081D648310"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\001800081D648310 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e0000000002000000000010660000000100002000000054b1515f6ec7805c6b1881e79a692a4e5462eb3617f30b7a512c70e3dd0c7a7f000000000e8000000002000020000000eeab0e53a86416c37494dc8f460b6d5edc75ca35577416ccfa5b037d57b3877f80000000f634bf4b2dfba28cf67c437348aa8cf480a115467b34106eff4248c373326c7c177bdfd353e3534c4491cde485cf62162efef164b2a8530b4c75f1fcfd96a365587babb30b055439bb465fac1c0e7a5059f5293b4fcd0a76af93a1a54d760b8832ab985c99d5bd178c30fad79542b50ab35aa277a38a40de8fb529ad4a708b50400000002ea723e62f70ae2eb4e4f6211ad6270ebebb72783b905ef81a67dc114cf65f9c324cbbd1e50e26d38c6aa56f8cd6d58fcb671dc85b3269d0327687ec93fd3662	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

RegAsm.exe

pid process

632 RegAsm.exe
632 RegAsm.exe
632 RegAsm.exe
632 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 632 RegAsm.exe

pid	process
632	RegAsm.exe
632	RegAsm.exe
632	RegAsm.exe
632	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	632	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe

pid	process
3532	9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe
3532	9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe
3532	9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe

pid	process
3532	9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe
3532	9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe
3532	9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

632 RegAsm.exe

pid	process
632	RegAsm.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe

description	pid	process	target process
PID 3532 wrote to memory of 632	3532	9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe	RegAsm.exe
PID 3532 wrote to memory of 632	3532	9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe	RegAsm.exe
PID 3532 wrote to memory of 632	3532	9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe	RegAsm.exe
PID 3532 wrote to memory of 632	3532	9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe	RegAsm.exe
PID 3532 wrote to memory of 632	3532	9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe
"C:\Users\Admin\AppData\Local\Temp\9e43cc8bd4f65a53703633036ac759771477b7f901fd3bcf51b34243f86c8af0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:4256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-134-0x0000000000000000-mapping.dmp

Download
memory/632-136-0x0000000000432000-0x00000000004BC000-memory.dmp

Filesize
552KB

Download
memory/632-137-0x0000000000430000-0x00000000004C0000-memory.dmp

Filesize
576KB

Download
memory/632-140-0x0000000009640000-0x0000000009BE4000-memory.dmp

Filesize
5.6MB

Download
memory/632-141-0x0000000009130000-0x00000000091CC000-memory.dmp

Filesize
624KB

Download
memory/632-142-0x0000000004B00000-0x0000000004B66000-memory.dmp

Filesize
408KB

Download
memory/632-143-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/632-144-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads