hawkeye_reborn | 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d

General

Target

49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
Size

1.0MB
MD5

a8ce97b006581f5df23ab2b23c2d0d18
SHA1

8f5b076487470b2ae6f8d51243315a14ded7da58
SHA256

49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d
SHA512

cd6f1c402a0ad2dd7688ed97fe67ba1374044eba85f4446f061db5a03bda5a7f597b3e73364bcc2cfe5c4affe6514cc6c5e49d14bcaba7597ba71beac44f7671

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/2024-136-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/380-139-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/380-139-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe

description	pid	process	target process
PID 3368 set thread context of 2024	3368	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
PID 2024 set thread context of 380	2024	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe

description pid process

Token: SeDebugPrivilege 3368 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe

description	pid	process
Token: SeDebugPrivilege	3368	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe

description	pid	process	target process
PID 3368 wrote to memory of 2024	3368	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
PID 3368 wrote to memory of 2024	3368	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
PID 3368 wrote to memory of 2024	3368	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
PID 3368 wrote to memory of 2024	3368	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
PID 3368 wrote to memory of 2024	3368	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
PID 3368 wrote to memory of 2024	3368	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
PID 3368 wrote to memory of 2024	3368	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
PID 3368 wrote to memory of 2024	3368	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
PID 2024 wrote to memory of 380	2024	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	vbc.exe
PID 2024 wrote to memory of 380	2024	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	vbc.exe
PID 2024 wrote to memory of 380	2024	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	vbc.exe
PID 2024 wrote to memory of 380	2024	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	vbc.exe
PID 2024 wrote to memory of 380	2024	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	vbc.exe
PID 2024 wrote to memory of 380	2024	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	vbc.exe
PID 2024 wrote to memory of 380	2024	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	vbc.exe
PID 2024 wrote to memory of 380	2024	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	vbc.exe
PID 2024 wrote to memory of 380	2024	49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
"C:\Users\Admin\AppData\Local\Temp\49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368

C:\Users\Admin\AppData\Local\Temp\49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
"C:\Users\Admin\AppData\Local\Temp\49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8875.tmp"
3⤵
PID:380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/380-138-0x0000000000000000-mapping.dmp

Download
memory/380-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2024-135-0x0000000000000000-mapping.dmp

Download
memory/2024-136-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2024-137-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/3368-130-0x0000000000AF0000-0x0000000000BFE000-memory.dmp

Filesize
1.1MB

Download
memory/3368-131-0x0000000005B50000-0x00000000060F4000-memory.dmp

Filesize
5.6MB

Download
memory/3368-132-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/3368-133-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/3368-134-0x0000000001250000-0x00000000012EC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads