hawkeye_reborn | 12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945

General

Target

12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe
Size

805KB
MD5

4337923547cb41e7154154dde5b24a8b
SHA1

3df315533ef1a9a72eaee16b7feb21f8a7f316f3
SHA256

12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945
SHA512

af074e5809bd0908a302e45af481ab7ec70bcf1db0096e30618fae4bfc1b887142a189924a527e1da6ad7246c4a664964e42f5e831b108fc77d55431ffde9332

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/2192-142-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uVgseumhvkdwhui89674dtfvybfelsd.,9x7654edf6g7h98jwfszxkjmn.url	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 2192	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe
1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 752	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	81
PID 1608 wrote to memory of 752	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	81
PID 1608 wrote to memory of 752	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	81
PID 752 wrote to memory of 2516	752	csc.exe	83
PID 752 wrote to memory of 2516	752	csc.exe	83
PID 752 wrote to memory of 2516	752	csc.exe	83
PID 1608 wrote to memory of 2192	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	84
PID 1608 wrote to memory of 2192	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	84
PID 1608 wrote to memory of 2192	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	84
PID 1608 wrote to memory of 2192	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	84
PID 1608 wrote to memory of 2192	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	84
PID 1608 wrote to memory of 2192	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	84
PID 1608 wrote to memory of 2192	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	84
PID 1608 wrote to memory of 2192	1608	12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe	84

C:\Users\Admin\AppData\Local\Temp\12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe
"C:\Users\Admin\AppData\Local\Temp\12ea87a0cb19ce067aab71b015a08e252be1a2e1dc6198438ffe8d917b17a945.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yspduwzq\yspduwzq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CA2.tmp" "c:\Users\Admin\AppData\Local\Temp\yspduwzq\CSC1584FEBF6657471CB354B72AD2CBA14F.TMP"
    3⤵
    PID:2516
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:2192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9CA2.tmp

Filesize
1KB

MD5
b1dee2008f391376c708827a0b7d6ba2

SHA1
1b77592d18b00bf396423467bc96ef7605aac6e3

SHA256
2295c4f41f9c72f9f801cb52f8b00d20829dbd0d680f291727ed55ee150e00d9

SHA512
b0fa7e6c81e3a7abe1dbe4b5033e1964d4e233248ae0dcc2b0af97c799dc3e7e0b99a63ce7c9c4787f748dedf9b8df4c9bd189d70cd36fd447b25c9a0a4bdc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yspduwzq\yspduwzq.dll

Filesize
9KB

MD5
0bb6034f62af6542756930ce72e80616

SHA1
20c27fa6961e677f9564420d69e2e4767df6bea4

SHA256
39a9a5747de4bc3c522478cd820b4c044fc6ea46e0fc3567a5812d38349b20c6

SHA512
fe8ba763526fc3fb9578439075a3eba2dbf6ad6209b95ff63d17fa6ac35eec444d3bffdba6c85443c0506a45dbe9260af530f934bf8dc85b3749bb83c2d04841

Download Submit
C:\Users\Admin\AppData\Local\Temp\yspduwzq\yspduwzq.pdb

Filesize
29KB

MD5
cebbe3183d0487b5b17ebb637e928eae

SHA1
93d304dd988d59d8a28f50172c847dc0c716deba

SHA256
7447e331acfe9073d564df7f67b444ff40400308c44505ddc689006021c0d480

SHA512
b7236b1cddb6bd3dc766b14ff25744ec54ffb277d2188f303209599a0722949f492006d75dd34e74a4e0f34138df43a4e515a054a00743d1cf1ef2824ca64467

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yspduwzq\CSC1584FEBF6657471CB354B72AD2CBA14F.TMP

Filesize
1KB

MD5
5f62a2eb3286663ffe6fd473a1852231

SHA1
c98abcd6943e1395e471b212bce65695d2b33cfd

SHA256
43b1759d573e549b06d298de3d11e1d420c08d13f15f9f8e2a8e3a40008a1974

SHA512
e841b6bc98e12a7aaf442eeb66c44b1e5d41958d84d4d09da0105ea4294da5f5725818824f4cc652506aa06bcdaf710f4f727384a0b9ce6f3fcd67ffad609b07

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yspduwzq\yspduwzq.0.cs

Filesize
10KB

MD5
7810d4b85959769f5aa5d1d7888d5323

SHA1
7ebad72cedba6b34c719b9d6d1a2b00d6208600f

SHA256
6d2663c086b5001eabc604f2f020331d4297498af995180f0211037e73184ef5

SHA512
939a41b482093572d0e459d361c74c6c0e2245650e98381ccd66519bc9e1a2525b2c56e8fad5e70145c7fc22c101b8dcfb03f5b12744e04a7ae83b58d5acf325

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yspduwzq\yspduwzq.cmdline

Filesize
312B

MD5
80d9ce1769b4bcdbea3c2009251bb35e

SHA1
cc3c498a174e55397e6a2322b2054fcd924f0a2a

SHA256
d2a97505f3964358380eab2d31db29de6214b94db98d9edb95c7e27fddaaf5be

SHA512
7140f40a3111fc1a3681297a5d793f38af4552835beced54be796aa946518f4acfef9135ccc15baa65174cad3e87b0ed37f6b14c2b947d886c67748631a94395

Download Submit
memory/1608-140-0x0000000005B10000-0x0000000005BAC000-memory.dmp

Filesize
624KB

Download
memory/1608-139-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/1608-130-0x00000000008E0000-0x00000000009B0000-memory.dmp

Filesize
832KB

Download
memory/2192-142-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2192-143-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/2192-144-0x0000000073AF0000-0x00000000745F0000-memory.dmp

Filesize
11.0MB

Download
memory/2192-145-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/2192-146-0x0000000073200000-0x00000000739A8000-memory.dmp

Filesize
7.7MB

Download
memory/2192-147-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/2192-148-0x0000000073AF0000-0x00000000745F0000-memory.dmp

Filesize
11.0MB

Download
memory/2192-149-0x0000000073200000-0x00000000739A8000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing