hawkeye_reborn | 0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f

General

Target

0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe
Size

1.1MB
MD5

e6ab0c06dd34718d2471d34f92bc4710
SHA1

96c687dccf0e761234701914b548f0c567d5396f
SHA256

0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f
SHA512

7da751a18d325c1f351a0445d824db3c7b873d09912cc0efbd0c3e1c8e480a9e74c4a0ad8110c7dfe59e29ca55d06a4f03aefc6c495eab0a51aa285e33524461

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
*aM$m4sTh(J2$

Mutex

c1f985bf-a670-47a2-82ed-7c0cc5b408ef

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:*aM$m4sTh(J2$ _EmailPort:587 _EmailSSL:true _EmailServer:mail.privateemail.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:c1f985bf-a670-47a2-82ed-7c0cc5b408ef _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/4696-139-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4572-156-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4572-158-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4572-159-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3008-146-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3008-148-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3008-152-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3008-153-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3008-146-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3008-148-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3008-152-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3008-153-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4572-156-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4572-158-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4572-159-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 bot.whatismyipaddress.com

flow	ioc
42	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exeRegAsm.exe

description	pid	process	target process
PID 3148 set thread context of 4696	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe	RegAsm.exe
PID 4696 set thread context of 3008	4696	RegAsm.exe	vbc.exe
PID 4696 set thread context of 4572	4696	RegAsm.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4144 schtasks.exe

pid	process
4144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exevbc.exeRegAsm.exe

pid	process
3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe
3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe
3008	vbc.exe
3008	vbc.exe
3008	vbc.exe
3008	vbc.exe
3008	vbc.exe
3008	vbc.exe
3008	vbc.exe
3008	vbc.exe
3008	vbc.exe
3008	vbc.exe
3008	vbc.exe
3008	vbc.exe
4696	RegAsm.exe
4696	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe
Token: SeDebugPrivilege	4696	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

4696 RegAsm.exe

pid	process
4696	RegAsm.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exeRegAsm.exe

description	pid	process	target process
PID 3148 wrote to memory of 4144	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe	schtasks.exe
PID 3148 wrote to memory of 4144	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe	schtasks.exe
PID 3148 wrote to memory of 4144	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe	schtasks.exe
PID 3148 wrote to memory of 4696	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe	RegAsm.exe
PID 3148 wrote to memory of 4696	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe	RegAsm.exe
PID 3148 wrote to memory of 4696	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe	RegAsm.exe
PID 3148 wrote to memory of 4696	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe	RegAsm.exe
PID 3148 wrote to memory of 4696	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe	RegAsm.exe
PID 3148 wrote to memory of 4696	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe	RegAsm.exe
PID 3148 wrote to memory of 4696	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe	RegAsm.exe
PID 3148 wrote to memory of 4696	3148	0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe	RegAsm.exe
PID 4696 wrote to memory of 3008	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 3008	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 3008	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 3008	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 3008	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 3008	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 3008	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 3008	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 3008	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 4572	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 4572	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 4572	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 4572	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 4572	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 4572	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 4572	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 4572	4696	RegAsm.exe	vbc.exe
PID 4696 wrote to memory of 4572	4696	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe
"C:\Users\Admin\AppData\Local\Temp\0d86e57fef572f267f5987db2d97f29ec09f9735d68b0844b671fe30378c9f7f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vhncOLJtirFGz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F1E.tmp"
2⤵
- Creates scheduled task(s)
PID:4144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCBCC.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD7E2.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:4572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9F1E.tmp

Filesize
1KB

MD5
76e72bc0df57b1a897c9096447807137

SHA1
c6d25809fff289659dbb14c641bc58877c75eaaf

SHA256
6141782551ed080949592f9a25949fa75ccc856470ab9644051047c7a9695e51

SHA512
40349fdaa0f181edc9df8beb7a58b6f4802c9a5da9731177f6bc930e359fd2e4dc20f4a2572f59479de54c9a9a0cff546d1c0a0cfec382af54a08a31dba95d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCBCC.tmp

Filesize
4KB

MD5
bdf65f70610625cc771c5cc7ce168c7d

SHA1
a8829b1c071ed0521d11925a98468c12a53a03b8

SHA256
b66236dd86f140ca02db0c296e45032b272de2895c4f047a562e73bc8395dba5

SHA512
add2db50b0440b07ecc48a5fde7f0b72e84b76f11ea060944afa28ddd03791e6adb3bfca704254131fb3f591f484b37f7276fab96b0c4776a27cb526bcf5f3a4

Download Submit
memory/3008-152-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3008-148-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3008-145-0x0000000000000000-mapping.dmp

Download
memory/3008-146-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3008-153-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3148-130-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/3148-131-0x0000000073460000-0x0000000073F60000-memory.dmp

Filesize
11.0MB

Download
memory/3148-133-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/3148-140-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/3148-141-0x0000000073460000-0x0000000073F60000-memory.dmp

Filesize
11.0MB

Download
memory/3148-142-0x0000000072BD0000-0x0000000073378000-memory.dmp

Filesize
7.7MB

Download
memory/3148-132-0x0000000072BD0000-0x0000000073378000-memory.dmp

Filesize
7.7MB

Download
memory/3148-135-0x0000000072BD0000-0x0000000073378000-memory.dmp

Filesize
7.7MB

Download
memory/3148-134-0x0000000073460000-0x0000000073F60000-memory.dmp

Filesize
11.0MB

Download
memory/4144-136-0x0000000000000000-mapping.dmp

Download
memory/4572-159-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4572-155-0x0000000000000000-mapping.dmp

Download
memory/4572-156-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4572-158-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4696-149-0x0000000072BD0000-0x0000000073378000-memory.dmp

Filesize
7.7MB

Download
memory/4696-143-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/4696-150-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/4696-151-0x0000000073460000-0x0000000073F60000-memory.dmp

Filesize
11.0MB

Download
memory/4696-139-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4696-138-0x0000000000000000-mapping.dmp

Download
memory/4696-144-0x0000000073460000-0x0000000073F60000-memory.dmp

Filesize
11.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads