hawkeye_reborn | 289fa0412fadf3775429d27cbe5434cca821ff908a7e635c28262aeabe601baa

General

Target

scan00238393903,pdf.exe
Size

594KB
MD5

48140b427e5241a5a806bbb0b925b7d2
SHA1

772d2f450c44f05ac4132d7c9cb8b72e5e54332c
SHA256

ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593
SHA512

ecd026fc3a7aeb5baeabd811c15b279773a4c51457525b72baa1437231d523889596b2b4905c68cbdaedb7045404b878984bf94fee006e1e71435ac7ac8bdcb3

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 7 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/1684-67-0x00000000052C0000-0x0000000005350000-memory.dmp	m00nd3v_logger
behavioral1/memory/2036-71-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2036-72-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2036-73-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2036-74-0x000000000048B1CE-mapping.dmp	m00nd3v_logger
behavioral1/memory/2036-76-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2036-78-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

Processes:

scan00238393903,pdf.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQEnFW.url scan00238393903,pdf.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

scan00238393903,pdf.exe

description pid process target process

PID 1684 set thread context of 2036 1684 scan00238393903,pdf.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

scan00238393903,pdf.exe

pid process

1684 scan00238393903,pdf.exe
1684 scan00238393903,pdf.exe
1684 scan00238393903,pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

scan00238393903,pdf.exe

description pid process

Token: SeDebugPrivilege 1684 scan00238393903,pdf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQEnFW.url	scan00238393903,pdf.exe

flow	ioc
4	bot.whatismyipaddress.com

description	pid	process	target process
PID 1684 set thread context of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe

pid	process
1684	scan00238393903,pdf.exe
1684	scan00238393903,pdf.exe
1684	scan00238393903,pdf.exe

description	pid	process
Token: SeDebugPrivilege	1684	scan00238393903,pdf.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

scan00238393903,pdf.execsc.exe

description	pid	process	target process
PID 1684 wrote to memory of 284	1684	scan00238393903,pdf.exe	csc.exe
PID 1684 wrote to memory of 284	1684	scan00238393903,pdf.exe	csc.exe
PID 1684 wrote to memory of 284	1684	scan00238393903,pdf.exe	csc.exe
PID 1684 wrote to memory of 284	1684	scan00238393903,pdf.exe	csc.exe
PID 284 wrote to memory of 1656	284	csc.exe	cvtres.exe
PID 284 wrote to memory of 1656	284	csc.exe	cvtres.exe
PID 284 wrote to memory of 1656	284	csc.exe	cvtres.exe
PID 284 wrote to memory of 1656	284	csc.exe	cvtres.exe
PID 1684 wrote to memory of 1188	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 1188	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 1188	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 1188	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 1188	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 1188	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 1188	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe
PID 1684 wrote to memory of 2036	1684	scan00238393903,pdf.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\scan00238393903,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\scan00238393903,pdf.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h5qwcjah\h5qwcjah.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56F7.tmp" "c:\Users\Admin\AppData\Local\Temp\h5qwcjah\CSCF38ACFF49C484716BA653720D673299.TMP"
3⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES56F7.tmp
Filesize
1KB

MD5
8a22c8fa2180c96cba4769961a408d99

SHA1
8c0185f5e33ed4c19c96d4581fbd2b2c0b53f489

SHA256
48ce7e206fe681a917183088cbbec888e9d8ee5566fb3f478fddf1bba518c4aa

SHA512
b62405f38de9ba1d9accc281740c0c5453f19cf592e327d992777aa0ad91c5c3c6f0696b837a4d4ae06d2d159e195ddd233af69cf16e901624bf4e1131b6ab1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\h5qwcjah\h5qwcjah.dll
Filesize
15KB

MD5
4d1fb7d0aff145bce724837029728f95

SHA1
43c4bed79101bfd63901ea2ecadc8000ebe23a89

SHA256
329637648e8ac1bf61ea7f8449540e3e658187e125f5e10cbe35ac08b8bb5b6d

SHA512
4f0814c9d21e5d914b284ccc6daf10b3c2cfe17a07aa773e5e02c014d87aaa5a0e22a170274f30c798c60b8456b6fadf5454bdb75a1a4e805cd6b53198b4502f

Download Submit
C:\Users\Admin\AppData\Local\Temp\h5qwcjah\h5qwcjah.pdb
Filesize
51KB

MD5
7fdd68d2534f136311423bfba20bf302

SHA1
2fec97500c6371192d4efa6810551fbecee3931a

SHA256
530308f9d4d4e46d2aaeea3129362854d840f465551d7264f4ceb5eb0159f689

SHA512
11ad4bcab22594e4f0af2a9812022c137ab947e9ed60425f6f02a3899489c3c87e09e8e7bdb78e18df413312076e98acf8282780e097275f7ae628397e6d03f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h5qwcjah\CSCF38ACFF49C484716BA653720D673299.TMP
Filesize
1KB

MD5
96b0990345470fae76b3409b8ecd0f26

SHA1
f5eff14ec0db6ef541aee5a530f0344f6dd3c31d

SHA256
f21e77b38eb6d0355bddd63e62423ef05c422bcfc95025da3fab3e2e1a9e34f7

SHA512
7be7514fba8e40c88aae2ff2201b87ee9c60ca75ac98769219c5cf0fd6148afe13bd43db4efa7b9e71da9fc520b430950f650bc6efbadc7c82b2e312af0de115

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h5qwcjah\h5qwcjah.0.cs
Filesize
29KB

MD5
b1b4726fefa6a60ae6c9372b54778396

SHA1
a2ba26bcd86e61188abe1856a9260c103181b62c

SHA256
bb621394d0af84a7bda3e5775694058126f77d9c63e4dcd863a9acb2f57ab2f5

SHA512
335a9f42de2e4b1f9465d64cdea3979d3667f88d3b5681a77701d4f2fe41f3c02386f4a66e99d8a94d978fd6260b411c2670c1f4340c9cff9011db89f639509c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h5qwcjah\h5qwcjah.cmdline
Filesize
312B

MD5
971446c21ba70e47526abdca8a4e9b6a

SHA1
ea2d92b644c39288f34efcabf1124d8b1e949788

SHA256
3f3e7eab7cfd9f3b1b602b5fa70ac3f0fb1992e247cb2ff899123e21dfb174a7

SHA512
3f02f9c10773f20fc71f2786b2adce47da6e0531ae9c49fe04b585ccb0a59a3719385379c5a902a47348ee3715fc8de26bcf7a3a231ea5d6490a6f5983dfe903

Download Submit
memory/284-55-0x0000000000000000-mapping.dmp

Download
memory/1656-58-0x0000000000000000-mapping.dmp

Download
memory/1684-66-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1684-63-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1684-64-0x0000000005220000-0x00000000052BA000-memory.dmp

Filesize
616KB

Download
memory/1684-65-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1684-54-0x00000000001F0000-0x000000000028A000-memory.dmp

Filesize
616KB

Download
memory/1684-67-0x00000000052C0000-0x0000000005350000-memory.dmp

Filesize
576KB

Download
memory/2036-68-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2036-69-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2036-71-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2036-72-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2036-73-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2036-74-0x000000000048B1CE-mapping.dmp

Download
memory/2036-76-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2036-78-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2036-80-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-81-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-82-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing