hawkeye_reborn | 1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449

Analysis

max time kernel
36s
max time network
53s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-06-2022 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe
Size

878KB
MD5

3e79df1bd7f679a54a47c6bca00aca9e
SHA1

289dfbff64c3912dccda857cae04f3c5c3c1d221
SHA256

1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449
SHA512

7fbfd83ba85eb5615d116d2226ae8b8691d0f8a6bcd534873f4681c8cac103e8390f9b877371001f0cb5556ae68372e7b5e40c9fb9c26a83d8cef7a9685f0007

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 7 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/1468-57-0x0000000006F40000-0x0000000007006000-memory.dmp	m00nd3v_logger
behavioral1/memory/1728-63-0x0000000000400000-0x00000000004A4000-memory.dmp	m00nd3v_logger
behavioral1/memory/1728-64-0x0000000000400000-0x00000000004A4000-memory.dmp	m00nd3v_logger
behavioral1/memory/1728-65-0x0000000000400000-0x00000000004A4000-memory.dmp	m00nd3v_logger
behavioral1/memory/1728-66-0x000000000049EB7E-mapping.dmp	m00nd3v_logger
behavioral1/memory/1728-68-0x0000000000400000-0x00000000004A4000-memory.dmp	m00nd3v_logger
behavioral1/memory/1728-70-0x0000000000400000-0x00000000004A4000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 7 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1468-57-0x0000000006F40000-0x0000000007006000-memory.dmp	MailPassView
behavioral1/memory/1728-63-0x0000000000400000-0x00000000004A4000-memory.dmp	MailPassView
behavioral1/memory/1728-64-0x0000000000400000-0x00000000004A4000-memory.dmp	MailPassView
behavioral1/memory/1728-65-0x0000000000400000-0x00000000004A4000-memory.dmp	MailPassView
behavioral1/memory/1728-66-0x000000000049EB7E-mapping.dmp	MailPassView
behavioral1/memory/1728-68-0x0000000000400000-0x00000000004A4000-memory.dmp	MailPassView
behavioral1/memory/1728-70-0x0000000000400000-0x00000000004A4000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1468-57-0x0000000006F40000-0x0000000007006000-memory.dmp	WebBrowserPassView
behavioral1/memory/1728-63-0x0000000000400000-0x00000000004A4000-memory.dmp	WebBrowserPassView
behavioral1/memory/1728-64-0x0000000000400000-0x00000000004A4000-memory.dmp	WebBrowserPassView
behavioral1/memory/1728-65-0x0000000000400000-0x00000000004A4000-memory.dmp	WebBrowserPassView
behavioral1/memory/1728-66-0x000000000049EB7E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1728-68-0x0000000000400000-0x00000000004A4000-memory.dmp	WebBrowserPassView
behavioral1/memory/1728-70-0x0000000000400000-0x00000000004A4000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral1/memory/1468-57-0x0000000006F40000-0x0000000007006000-memory.dmp	Nirsoft
behavioral1/memory/1728-63-0x0000000000400000-0x00000000004A4000-memory.dmp	Nirsoft
behavioral1/memory/1728-64-0x0000000000400000-0x00000000004A4000-memory.dmp	Nirsoft
behavioral1/memory/1728-65-0x0000000000400000-0x00000000004A4000-memory.dmp	Nirsoft
behavioral1/memory/1728-66-0x000000000049EB7E-mapping.dmp	Nirsoft
behavioral1/memory/1728-68-0x0000000000400000-0x00000000004A4000-memory.dmp	Nirsoft
behavioral1/memory/1728-70-0x0000000000400000-0x00000000004A4000-memory.dmp	Nirsoft

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 1728	1468	1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe	28

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe
Token: SeDebugPrivilege	1728	1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1728	1468	1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe	28
PID 1468 wrote to memory of 1728	1468	1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe	28
PID 1468 wrote to memory of 1728	1468	1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe	28
PID 1468 wrote to memory of 1728	1468	1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe	28
PID 1468 wrote to memory of 1728	1468	1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe	28
PID 1468 wrote to memory of 1728	1468	1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe	28
PID 1468 wrote to memory of 1728	1468	1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe	28
PID 1468 wrote to memory of 1728	1468	1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe	28
PID 1468 wrote to memory of 1728	1468	1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe	28

C:\Users\Admin\AppData\Local\Temp\1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe
"C:\Users\Admin\AppData\Local\Temp\1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe
  "C:\Users\Admin\AppData\Local\Temp\1363179794d9442bd5a5d430c1d1192e22662adebee044ba1b45f2187d4de449.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1468-71-0x0000000000B00000-0x0000000000BE0000-memory.dmp

Filesize
896KB

Download
memory/1468-55-0x0000000000B00000-0x0000000000BE0000-memory.dmp

Filesize
896KB

Download
memory/1468-56-0x0000000072E00000-0x000000007418F000-memory.dmp

Filesize
19.6MB

Download
memory/1468-57-0x0000000006F40000-0x0000000007006000-memory.dmp

Filesize
792KB

Download
memory/1468-58-0x0000000074AE0000-0x0000000074C74000-memory.dmp

Filesize
1.6MB

Download
memory/1468-59-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download
memory/1468-76-0x0000000072E00000-0x000000007418F000-memory.dmp

Filesize
19.6MB

Download
memory/1468-74-0x00000000716D0000-0x00000000723ED000-memory.dmp

Filesize
13.1MB

Download
memory/1468-73-0x00000000723F0000-0x0000000072E00000-memory.dmp

Filesize
10.1MB

Download
memory/1468-54-0x0000000000B00000-0x0000000000BE0000-memory.dmp

Filesize
896KB

Download
memory/1468-72-0x00000000716D0000-0x00000000723ED000-memory.dmp

Filesize
13.1MB

Download
memory/1728-64-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1728-81-0x0000000070EF0000-0x00000000716D0000-memory.dmp

Filesize
7.9MB

Download
memory/1728-70-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1728-65-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1728-63-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1728-60-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1728-61-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1728-75-0x0000000072E00000-0x000000007418F000-memory.dmp

Filesize
19.6MB

Download
memory/1728-77-0x00000000723F0000-0x0000000072E00000-memory.dmp

Filesize
10.1MB

Download
memory/1728-78-0x0000000074AE0000-0x0000000074C74000-memory.dmp

Filesize
1.6MB

Download
memory/1728-79-0x00000000716D0000-0x00000000723ED000-memory.dmp

Filesize
13.1MB

Download
memory/1728-80-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1728-68-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1728-82-0x0000000074810000-0x00000000749E1000-memory.dmp

Filesize
1.8MB

Download
memory/1728-83-0x0000000074680000-0x00000000747A3000-memory.dmp

Filesize
1.1MB

Download
memory/1728-84-0x0000000072E00000-0x000000007418F000-memory.dmp

Filesize
19.6MB

Download
memory/1728-85-0x00000000723F0000-0x0000000072E00000-memory.dmp

Filesize
10.1MB

Download
memory/1728-86-0x0000000000B00000-0x0000000000BE0000-memory.dmp

Filesize
896KB

Download
memory/1728-87-0x0000000070DF0000-0x0000000070EEC000-memory.dmp

Filesize
1008KB

Download
memory/1728-88-0x00000000706B0000-0x0000000070DEE000-memory.dmp

Filesize
7.2MB

Download
memory/1728-90-0x0000000074810000-0x00000000749E1000-memory.dmp

Filesize
1.8MB

Download
memory/1728-91-0x00000000723F0000-0x0000000072E00000-memory.dmp

Filesize
10.1MB

Download
memory/1728-89-0x0000000072E00000-0x000000007418F000-memory.dmp

Filesize
19.6MB

Download
memory/1728-93-0x0000000000B00000-0x0000000000BE0000-memory.dmp

Filesize
896KB

Download
memory/1728-94-0x0000000074680000-0x00000000747A3000-memory.dmp

Filesize
1.1MB

Download
memory/1728-92-0x00000000716D0000-0x00000000723ED000-memory.dmp

Filesize
13.1MB

Download