hawkeye_reborn | 08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd

General

Target

08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe
Size

772KB
MD5

114f9255de59954ae627cc7bf2869cf9
SHA1

6d4f439a590083f4dc4bdcf25b1aae93fdde99e0
SHA256

08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd
SHA512

3fedb776d22a0fc626f35c6b12653083be52298765b97ecbb234b7c960440de7e808e6c15d5d8aff15148b1319781fdaafc717274e601cce02df8c0f2d5aa04d

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/1416-142-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4460-155-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4460-157-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4460-158-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/652-147-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/652-149-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/652-152-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/652-147-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/652-149-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/652-152-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4460-155-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4460-157-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4460-158-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exeRegAsm.exe

description	pid	process	target process
PID 932 set thread context of 1416	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe	RegAsm.exe
PID 1416 set thread context of 652	1416	RegAsm.exe	vbc.exe
PID 1416 set thread context of 4460	1416	RegAsm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exevbc.exeRegAsm.exe

pid	process
932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe
932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe
652	vbc.exe
652	vbc.exe
652	vbc.exe
652	vbc.exe
652	vbc.exe
652	vbc.exe
652	vbc.exe
652	vbc.exe
652	vbc.exe
652	vbc.exe
652	vbc.exe
652	vbc.exe
1416	RegAsm.exe
1416	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe
Token: SeDebugPrivilege	1416	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1416 RegAsm.exe

pid	process
1416	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.execsc.exeRegAsm.exe

description	pid	process	target process
PID 932 wrote to memory of 4840	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe	csc.exe
PID 932 wrote to memory of 4840	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe	csc.exe
PID 932 wrote to memory of 4840	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe	csc.exe
PID 4840 wrote to memory of 4536	4840	csc.exe	cvtres.exe
PID 4840 wrote to memory of 4536	4840	csc.exe	cvtres.exe
PID 4840 wrote to memory of 4536	4840	csc.exe	cvtres.exe
PID 932 wrote to memory of 1416	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe	RegAsm.exe
PID 932 wrote to memory of 1416	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe	RegAsm.exe
PID 932 wrote to memory of 1416	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe	RegAsm.exe
PID 932 wrote to memory of 1416	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe	RegAsm.exe
PID 932 wrote to memory of 1416	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe	RegAsm.exe
PID 932 wrote to memory of 1416	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe	RegAsm.exe
PID 932 wrote to memory of 1416	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe	RegAsm.exe
PID 932 wrote to memory of 1416	932	08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe	RegAsm.exe
PID 1416 wrote to memory of 652	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 652	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 652	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 652	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 652	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 652	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 652	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 652	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 652	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 4460	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 4460	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 4460	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 4460	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 4460	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 4460	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 4460	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 4460	1416	RegAsm.exe	vbc.exe
PID 1416 wrote to memory of 4460	1416	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe
"C:\Users\Admin\AppData\Local\Temp\08601dfa46006125bee6f0d7b3c8f18e824756992e2638872c7e8050d59686dd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\04q3uh5u\04q3uh5u.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB877.tmp" "c:\Users\Admin\AppData\Local\Temp\04q3uh5u\CSC455B6CF338E34B1F8871DEAC90BE50D6.TMP"
3⤵
PID:4536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE89F.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF0AF.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:4460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\04q3uh5u\04q3uh5u.dll

Filesize
9KB

MD5
7f1c2043310aa37c97bd9f17a238eeb0

SHA1
d08423e77ada71d23bbacbc19c5335f530f5340f

SHA256
bc8d35c544ae6e0862640c1b413279c84ab35603be9042090b4d9d1e450b766a

SHA512
606d9e7aff71dd86f5423c34c1956054abc957623f75343f147f2b632e8d174bf47ed60aacb82196332a0cdb7adafee56b97a6627df322f854d27e0fd04c4ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\04q3uh5u\04q3uh5u.pdb

Filesize
27KB

MD5
5a9019dda3dae8aeb31db792e6972818

SHA1
428ae6cfd616651a16356bd26b67249c37fcc058

SHA256
827dbe277a2d3d99b8c1078952391b2b5a1c79e8f4a8c82682ee7e705f1263b9

SHA512
b769157b4eee6c352716546258b5dcbc56c97a50c6a4859c4e28a257e219454d992d88f840b9b09b3874ad0f3ee4b2c704c07b0312d15bfa8d68fad8bd380176

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB877.tmp

Filesize
1KB

MD5
c7e90887bb2d0db75f01871f6c5544f5

SHA1
c0ceea8c12989c9dfff62dbf091df76d349af752

SHA256
5ef815863b05a56f60a5f3bb5e7a1a6250142b3693aa642194607de7fb4383d9

SHA512
fc96a61d47886214357427038fab70265edb6d1c91e45c19fa741a8106849f1095afdebc26b8c95b26def0cf6f8caef89f03a996e157b91e523e0e832dcbd673

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE89F.tmp

Filesize
4KB

MD5
bdf65f70610625cc771c5cc7ce168c7d

SHA1
a8829b1c071ed0521d11925a98468c12a53a03b8

SHA256
b66236dd86f140ca02db0c296e45032b272de2895c4f047a562e73bc8395dba5

SHA512
add2db50b0440b07ecc48a5fde7f0b72e84b76f11ea060944afa28ddd03791e6adb3bfca704254131fb3f591f484b37f7276fab96b0c4776a27cb526bcf5f3a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\04q3uh5u\04q3uh5u.0.cs

Filesize
17KB

MD5
1eed8b456610b069b7fb3bc76ddbec96

SHA1
9b17e2f62631775b89cca34c1cdc9ea9fbd3d4ba

SHA256
2bba3ab6332f7a3196ee3b0ee29ffac3e1cf206803b96f7a7b39a261ddd741b1

SHA512
c950a13ae648284f0c0b4090a57f45c68a0393055085ab8d74ca7363d3bc7985be6962546510fa5655e85d2f7c1037a008591556a1c4e979443e5ea11364c801

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\04q3uh5u\04q3uh5u.cmdline

Filesize
312B

MD5
c6fbc61395d5f49773ae93209608da33

SHA1
2a3396133e3c95631962a97b528d21b322b9c6ef

SHA256
ebc8fbb4b1d25686591e8ddf884b105f44a31f25f0e5c5770921352ccaead0b4

SHA512
3b953260bd6ce910994c95c46c7efb42729fc5351340e4fe8ca7c3b977ab83ce8ab7d5c821369dd0cadec248955e5e16ca4094b51ca1760757468de691f880be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\04q3uh5u\CSC455B6CF338E34B1F8871DEAC90BE50D6.TMP

Filesize
1KB

MD5
b1437fc6c722e1ebf24fb78cbda24e48

SHA1
0c37f746e02dd27c9c633b8ebe5d630755765b5e

SHA256
8dd09e61ad193a92ba54ad03bbff86306a31f8da35573bc1782428b2fe48195d

SHA512
a37f652264144bea2e1139878bf299e0326c719472a1b7a05b9866b67f1c982bbd1c8dc08ead8ceed0ea6ef84f864094f2f31fcf967f6de7a6a7784d46b67ff4

Download Submit
memory/652-152-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/652-146-0x0000000000000000-mapping.dmp

Download
memory/652-149-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/652-147-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/932-131-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/932-140-0x0000000005C50000-0x0000000005CEC000-memory.dmp

Filesize
624KB

Download
memory/932-130-0x0000000000A30000-0x0000000000AF6000-memory.dmp

Filesize
792KB

Download
memory/1416-143-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/1416-141-0x0000000000000000-mapping.dmp

Download
memory/1416-144-0x0000000074260000-0x0000000074D60000-memory.dmp

Filesize
11.0MB

Download
memory/1416-159-0x0000000073970000-0x0000000074118000-memory.dmp

Filesize
7.7MB

Download
memory/1416-142-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1416-150-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/1416-151-0x0000000074260000-0x0000000074D60000-memory.dmp

Filesize
11.0MB

Download
memory/1416-145-0x0000000073970000-0x0000000074118000-memory.dmp

Filesize
7.7MB

Download
memory/4460-154-0x0000000000000000-mapping.dmp

Download
memory/4460-155-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4460-157-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4460-158-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4536-135-0x0000000000000000-mapping.dmp

Download
memory/4840-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads