hawkeye_reborn | 289fa0412fadf3775429d27cbe5434cca821ff908a7e635c28262aeabe601baa

General

Target

scan00238393903,pdf.exe
Size

594KB
MD5

48140b427e5241a5a806bbb0b925b7d2
SHA1

772d2f450c44f05ac4132d7c9cb8b72e5e54332c
SHA256

ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593
SHA512

ecd026fc3a7aeb5baeabd811c15b279773a4c51457525b72baa1437231d523889596b2b4905c68cbdaedb7045404b878984bf94fee006e1e71435ac7ac8bdcb3

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/5096-144-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQEnFW.url	scan00238393903,pdf.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1004 set thread context of 5096	1004	scan00238393903,pdf.exe	88

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1004	scan00238393903,pdf.exe
1004	scan00238393903,pdf.exe
1004	scan00238393903,pdf.exe
1004	scan00238393903,pdf.exe
1004	scan00238393903,pdf.exe
1004	scan00238393903,pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	scan00238393903,pdf.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 2156	1004	scan00238393903,pdf.exe	83
PID 1004 wrote to memory of 2156	1004	scan00238393903,pdf.exe	83
PID 1004 wrote to memory of 2156	1004	scan00238393903,pdf.exe	83
PID 2156 wrote to memory of 3176	2156	csc.exe	85
PID 2156 wrote to memory of 3176	2156	csc.exe	85
PID 2156 wrote to memory of 3176	2156	csc.exe	85
PID 1004 wrote to memory of 5012	1004	scan00238393903,pdf.exe	86
PID 1004 wrote to memory of 5012	1004	scan00238393903,pdf.exe	86
PID 1004 wrote to memory of 5012	1004	scan00238393903,pdf.exe	86
PID 1004 wrote to memory of 2256	1004	scan00238393903,pdf.exe	87
PID 1004 wrote to memory of 2256	1004	scan00238393903,pdf.exe	87
PID 1004 wrote to memory of 2256	1004	scan00238393903,pdf.exe	87
PID 1004 wrote to memory of 5096	1004	scan00238393903,pdf.exe	88
PID 1004 wrote to memory of 5096	1004	scan00238393903,pdf.exe	88
PID 1004 wrote to memory of 5096	1004	scan00238393903,pdf.exe	88
PID 1004 wrote to memory of 5096	1004	scan00238393903,pdf.exe	88
PID 1004 wrote to memory of 5096	1004	scan00238393903,pdf.exe	88
PID 1004 wrote to memory of 5096	1004	scan00238393903,pdf.exe	88
PID 1004 wrote to memory of 5096	1004	scan00238393903,pdf.exe	88
PID 1004 wrote to memory of 5096	1004	scan00238393903,pdf.exe	88

C:\Users\Admin\AppData\Local\Temp\scan00238393903,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\scan00238393903,pdf.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gytzn4e5\gytzn4e5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D67.tmp" "c:\Users\Admin\AppData\Local\Temp\gytzn4e5\CSCF417960B6DD24C46B245AF3927AB8.TMP"
    3⤵
    PID:3176
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:5012
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:5096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3D67.tmp

Filesize
1KB

MD5
827deb5eef5ba70b0b7bbfd9fb5216d7

SHA1
b9b902a7386c92970d1c50262524a91c16383f1b

SHA256
36d43a64794b0f2abb84e543d3b2d5e7238c24ed55eecfe4b2b19ea3f3071afa

SHA512
790dbc65e01be1e0966d5f220271e5d585779d5ca9900e13d7b5de32cdd3bac1fa07cdb5c02aad6955f24a72622e42d44f9f0aebbd6ef57370579fe8d74333b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gytzn4e5\gytzn4e5.dll

Filesize
15KB

MD5
ca095fb7a861e6ec37c0920804cc03cb

SHA1
2144d54f6117947bec33714c4e30e729d67790f3

SHA256
c5df821a73833fb037fa726cd4852e97cb6306d07070ef750dfb2647a97a72b0

SHA512
f25cd46cc50b852f65054d6c9dc26f7f9d8ae87568512630c22cac1436746f273847953f967dda32fdf59db69d489e4f8efb4865e66cb572557c6dbaec503e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\gytzn4e5\gytzn4e5.pdb

Filesize
51KB

MD5
def68a8497f88d125c1f34d0f4e9e920

SHA1
d250f24c23c7d0da02a95eeb3ab14cdd31cabe6e

SHA256
60bb8a196b84fdeccc276791fb8123666b2e47057533aa635ee0a7a542f8f354

SHA512
78ad0cd43a18a9c19abff4b46b041b4010ffc08f4c65b54c46c9b9d4b8c349250dd630c3bf3e718cf22669a314b1797b4d49c9ac4fbcc5c8b4e4e1e41ca4a174

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gytzn4e5\CSCF417960B6DD24C46B245AF3927AB8.TMP

Filesize
1KB

MD5
3cd2b2e45f4c335ab6cd1e3203848105

SHA1
274a4b94821a28139edf21eefb530d5c78c28374

SHA256
89cc926cb38b5f165394fb22f32a03a888bee04a04c86b4dc6082918c1bdb368

SHA512
a3ae22d9249d88fb12b5e7d7b93799197660cddfa5a6537bfaec71a9e363b4961d4165b0ed85a9c168a4bd1efd897af2263fb095ae73aeff853a1df900548dc1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gytzn4e5\gytzn4e5.0.cs

Filesize
29KB

MD5
b1b4726fefa6a60ae6c9372b54778396

SHA1
a2ba26bcd86e61188abe1856a9260c103181b62c

SHA256
bb621394d0af84a7bda3e5775694058126f77d9c63e4dcd863a9acb2f57ab2f5

SHA512
335a9f42de2e4b1f9465d64cdea3979d3667f88d3b5681a77701d4f2fe41f3c02386f4a66e99d8a94d978fd6260b411c2670c1f4340c9cff9011db89f639509c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gytzn4e5\gytzn4e5.cmdline

Filesize
312B

MD5
83d26beff8ade4b54feeb6bf5668b9bc

SHA1
582a64525536cbbdb6589076f8ce5d5e54cdf4d3

SHA256
2295bc42c6cd6b3492926574f647effd6fe54ff3fa58bbbe4db631f9ffece9d0

SHA512
accbd758aad6cb4cc0beadb52e7494ba691027ed632246ced25ec767c012703bcb2ce622e5e0d668082683655a147b6989865f504cb8f9955e98a7e5577b1b27

Download Submit
memory/1004-140-0x00000000059A0000-0x0000000005A3C000-memory.dmp

Filesize
624KB

Download
memory/1004-130-0x00000000007B0000-0x000000000084A000-memory.dmp

Filesize
616KB

Download
memory/1004-139-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/5096-144-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5096-145-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/5096-146-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/5096-147-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing