hawkeye_reborn | 12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945

Analysis

max time kernel
40s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-06-2022 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe
Size

805KB
MD5

4337923547cb41e7154154dde5b24a8b
SHA1

3df315533ef1a9a72eaee16b7feb21f8a7f316f3
SHA256

12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945
SHA512

af074e5809bd0908a302e45af481ab7ec70bcf1db0096e30618fae4bfc1b887142a189924a527e1da6ad7246c4a664964e42f5e831b108fc77d55431ffde9332

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 7 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/1880-69-0x0000000004E50000-0x0000000004EE0000-memory.dmp	m00nd3v_logger
behavioral1/memory/2044-75-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2044-76-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2044-77-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2044-78-0x000000000048B1CE-mapping.dmp	m00nd3v_logger
behavioral1/memory/2044-80-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2044-83-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uVgseumhvkdwhui89674dtfvybfelsd.,9x7654edf6g7h98jwfszxkjmn.url	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe
1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1348	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	26
PID 1880 wrote to memory of 1348	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	26
PID 1880 wrote to memory of 1348	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	26
PID 1880 wrote to memory of 1348	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	26
PID 1348 wrote to memory of 940	1348	csc.exe	28
PID 1348 wrote to memory of 940	1348	csc.exe	28
PID 1348 wrote to memory of 940	1348	csc.exe	28
PID 1348 wrote to memory of 940	1348	csc.exe	28
PID 1880 wrote to memory of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29
PID 1880 wrote to memory of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29
PID 1880 wrote to memory of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29
PID 1880 wrote to memory of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29
PID 1880 wrote to memory of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29
PID 1880 wrote to memory of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29
PID 1880 wrote to memory of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29
PID 1880 wrote to memory of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29
PID 1880 wrote to memory of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29
PID 1880 wrote to memory of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29
PID 1880 wrote to memory of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29
PID 1880 wrote to memory of 2044	1880	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	29

C:\Users\Admin\AppData\Local\Temp\12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe
"C:\Users\Admin\AppData\Local\Temp\12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwdsnv2w\jwdsnv2w.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES952F.tmp" "c:\Users\Admin\AppData\Local\Temp\jwdsnv2w\CSC81C63630DC4A44AD80DE2AA6F4E75A66.TMP"
    3⤵
    PID:940
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES952F.tmp

Filesize
1KB

MD5
02cb5ffc10a6d4a4f4fbda343f4a5633

SHA1
73ad7269060dcdb979204e722d5427168a6cf78c

SHA256
74d1d99a39a4757f776ff2c9763fbd355d1b9daf856d4e03dd8990fe3721d3a4

SHA512
4ee0118211a5fba75d89a46d9ac782023088e8e0a2edd07bfa08358bc57829e61094b8503ce453bdba086e32e3aa612ee4783a0e3a79d33148ff44d2a472056a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwdsnv2w\jwdsnv2w.dll

Filesize
9KB

MD5
5a90392af9ce3a253dd6bd16ad910d30

SHA1
ff1427e320b0f3d202c774faff26ded1a0ba3032

SHA256
3cc10b623b7e5da03183e6e740d313848d46da9b31dce42c6eaaebf84193bce0

SHA512
58cedac306a093fdaee0a2d66f1bc8d731b0c9c3bc385bd2fb22c9ac470576ad65113155f8e0e312aa250a357a9ee2aba900cd4adb6f8b3c22816106b26da210

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwdsnv2w\jwdsnv2w.pdb

Filesize
29KB

MD5
56bcf8c8573783e2b99a2cfc11af922d

SHA1
624a6485b2acac1cc237d6b611ea5faf5d2accf5

SHA256
2b9cf2232e85849c8bc51e3e01d35e8aa260f99afed9e55ffffdc4452bd93037

SHA512
8dd06919e2ffaf89b8f5d7abd7c3098ec738bc3ed6719629039e1d45e75b5bf2a403853b1269d41f8dd1190b322f3afdbe4590a1750d3450ae64a9e1a37e9a24

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jwdsnv2w\CSC81C63630DC4A44AD80DE2AA6F4E75A66.TMP

Filesize
1KB

MD5
fb0637b441743b50929a495810d00081

SHA1
da8764bd9e58aef408e4900b72e4c5abbb6b03af

SHA256
a7347d3a9ca36f2c35fae6b6f729b8dcfc17a3cf0476d064e272972d8714f1d7

SHA512
fd3602accccc8b419139c48fffcfceb85e6babd7db4a9097f92b76baea01ee2acf36a67fbe149ff248dc774bbe4561c614d1038283da88f36e7baee526afb0cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jwdsnv2w\jwdsnv2w.0.cs

Filesize
10KB

MD5
7810d4b85959769f5aa5d1d7888d5323

SHA1
7ebad72cedba6b34c719b9d6d1a2b00d6208600f

SHA256
6d2663c086b5001eabc604f2f020331d4297498af995180f0211037e73184ef5

SHA512
939a41b482093572d0e459d361c74c6c0e2245650e98381ccd66519bc9e1a2525b2c56e8fad5e70145c7fc22c101b8dcfb03f5b12744e04a7ae83b58d5acf325

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jwdsnv2w\jwdsnv2w.cmdline

Filesize
312B

MD5
b6625c9a07a3caebe5a0a69ee52d6e7a

SHA1
7624a25b68b95a9b6f5ee98d9df43420571c0ea4

SHA256
1280ba0d16c988bb6b2873d36cc385c5f9e27a412b879e88c93c9a3ae675b7bb

SHA512
e1d2ab38b36eff784ca4f2fa0f2c0977f4b311776a594d4740cb70d279620870903434c2dae0dbbe339c6011b5f30bea61526e0ec6c240350b1a1e3b265812c2

Download Submit
memory/1880-59-0x0000000071B30000-0x0000000072540000-memory.dmp

Filesize
10.1MB

Download
memory/1880-69-0x0000000004E50000-0x0000000004EE0000-memory.dmp

Filesize
576KB

Download
memory/1880-55-0x0000000072540000-0x00000000738CF000-memory.dmp

Filesize
19.6MB

Download
memory/1880-65-0x0000000000210000-0x0000000000218000-memory.dmp

Filesize
32KB

Download
memory/1880-66-0x0000000004820000-0x00000000048BA000-memory.dmp

Filesize
616KB

Download
memory/1880-67-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1880-68-0x0000000075311000-0x0000000075313000-memory.dmp

Filesize
8KB

Download
memory/1880-54-0x0000000000BC0000-0x0000000000C90000-memory.dmp

Filesize
832KB

Download
memory/1880-70-0x0000000074060000-0x00000000741F4000-memory.dmp

Filesize
1.6MB

Download
memory/1880-86-0x0000000073B40000-0x0000000073D11000-memory.dmp

Filesize
1.8MB

Download
memory/1880-72-0x0000000071350000-0x0000000071B30000-memory.dmp

Filesize
7.9MB

Download
memory/1880-88-0x0000000074060000-0x00000000741F4000-memory.dmp

Filesize
1.6MB

Download
memory/1880-87-0x0000000071350000-0x0000000071B30000-memory.dmp

Filesize
7.9MB

Download
memory/1880-84-0x0000000072540000-0x00000000738CF000-memory.dmp

Filesize
19.6MB

Download
memory/1880-82-0x0000000071B30000-0x0000000072540000-memory.dmp

Filesize
10.1MB

Download
memory/2044-80-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2044-94-0x0000000074610000-0x00000000747AB000-memory.dmp

Filesize
1.6MB

Download
memory/2044-77-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2044-83-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2044-76-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2044-75-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2044-71-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2044-73-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2044-89-0x0000000070B10000-0x00000000710BB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-90-0x0000000072DD0000-0x00000000738C8000-memory.dmp

Filesize
11.0MB

Download
memory/2044-91-0x0000000072630000-0x0000000072DCC000-memory.dmp

Filesize
7.6MB

Download
memory/2044-92-0x00000000747B0000-0x0000000074938000-memory.dmp

Filesize
1.5MB

Download
memory/2044-93-0x0000000071A50000-0x000000007262E000-memory.dmp

Filesize
11.9MB

Download
memory/2044-95-0x0000000074A90000-0x0000000074B94000-memory.dmp

Filesize
1.0MB

Download
memory/2044-96-0x0000000074350000-0x0000000074441000-memory.dmp

Filesize
964KB

Download
memory/2044-97-0x0000000071510000-0x0000000071A46000-memory.dmp

Filesize
5.2MB

Download
memory/2044-98-0x0000000072DD0000-0x00000000738C8000-memory.dmp

Filesize
11.0MB

Download
memory/2044-100-0x0000000074610000-0x00000000747AB000-memory.dmp

Filesize
1.6MB

Download
memory/2044-99-0x0000000070B10000-0x00000000710BB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-101-0x0000000070B10000-0x00000000710BB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-103-0x0000000071A50000-0x000000007262E000-memory.dmp

Filesize
11.9MB

Download
memory/2044-102-0x0000000072630000-0x0000000072DCC000-memory.dmp

Filesize
7.6MB

Download
memory/2044-104-0x0000000072630000-0x0000000072DCC000-memory.dmp

Filesize
7.6MB

Download
memory/2044-105-0x0000000072DD0000-0x00000000738C8000-memory.dmp

Filesize
11.0MB

Download