hawkeye_reborn | ac03353f0ee1e9305418c42b3abe85bcd93b610d75aa4ed6a511ad80efbd58e8

General

Target

scan00238393903,pdf.exe
Size

594KB
MD5

48140b427e5241a5a806bbb0b925b7d2
SHA1

772d2f450c44f05ac4132d7c9cb8b72e5e54332c
SHA256

ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593
SHA512

ecd026fc3a7aeb5baeabd811c15b279773a4c51457525b72baa1437231d523889596b2b4905c68cbdaedb7045404b878984bf94fee006e1e71435ac7ac8bdcb3

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 7 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral3/memory/1836-67-0x0000000002110000-0x00000000021A0000-memory.dmp	m00nd3v_logger
behavioral3/memory/1628-72-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral3/memory/1628-71-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral3/memory/1628-76-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral3/memory/1628-78-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral3/memory/1628-74-0x000000000048B1CE-mapping.dmp	m00nd3v_logger
behavioral3/memory/1628-73-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

Processes:

scan00238393903,pdf.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQEnFW.url scan00238393903,pdf.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

scan00238393903,pdf.exe

description pid process target process

PID 1836 set thread context of 1628 1836 scan00238393903,pdf.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

scan00238393903,pdf.exe

pid process

1836 scan00238393903,pdf.exe
1836 scan00238393903,pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

scan00238393903,pdf.exe

description pid process

Token: SeDebugPrivilege 1836 scan00238393903,pdf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQEnFW.url	scan00238393903,pdf.exe

flow	ioc
4	bot.whatismyipaddress.com

description	pid	process	target process
PID 1836 set thread context of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe

pid	process
1836	scan00238393903,pdf.exe
1836	scan00238393903,pdf.exe

description	pid	process
Token: SeDebugPrivilege	1836	scan00238393903,pdf.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

scan00238393903,pdf.execsc.exe

description	pid	process	target process
PID 1836 wrote to memory of 1384	1836	scan00238393903,pdf.exe	csc.exe
PID 1836 wrote to memory of 1384	1836	scan00238393903,pdf.exe	csc.exe
PID 1836 wrote to memory of 1384	1836	scan00238393903,pdf.exe	csc.exe
PID 1836 wrote to memory of 1384	1836	scan00238393903,pdf.exe	csc.exe
PID 1384 wrote to memory of 1632	1384	csc.exe	cvtres.exe
PID 1384 wrote to memory of 1632	1384	csc.exe	cvtres.exe
PID 1384 wrote to memory of 1632	1384	csc.exe	cvtres.exe
PID 1384 wrote to memory of 1632	1384	csc.exe	cvtres.exe
PID 1836 wrote to memory of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe
PID 1836 wrote to memory of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe
PID 1836 wrote to memory of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe
PID 1836 wrote to memory of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe
PID 1836 wrote to memory of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe
PID 1836 wrote to memory of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe
PID 1836 wrote to memory of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe
PID 1836 wrote to memory of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe
PID 1836 wrote to memory of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe
PID 1836 wrote to memory of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe
PID 1836 wrote to memory of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe
PID 1836 wrote to memory of 1628	1836	scan00238393903,pdf.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\scan00238393903,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\scan00238393903,pdf.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n2ymklod\n2ymklod.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES704.tmp" "c:\Users\Admin\AppData\Local\Temp\n2ymklod\CSC2F9E10A88D9C47CCB260541749CAB4B0.TMP"
3⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES704.tmp
Filesize
1KB

MD5
2cb308a3fb40979b7d291a662897ec9a

SHA1
bad6998f8bb5c722be6e5874803bd35dde50eca9

SHA256
f2b12906e991a474e9e7e6c2233f2f24c7eded2d9c07a0e81880cb6f08613594

SHA512
655669b5d5dca6fc20fa536856a23f8300c40842847ebed03bd84b2ccc4c21386a2f3e7739408930c2eab3a861420286047b44878546b84ac5339b238330aded

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2ymklod\n2ymklod.dll
Filesize
15KB

MD5
3501968541ad37c5432323b719b198f6

SHA1
3bf47224b50ec11a2cb3dae671f805dcbddbe26c

SHA256
8f736c10b04d4cf0850fdd900b9ff7173567a10ca12c7278cccb25bf244c50b9

SHA512
3117ec525948669ffc42b2d18ec0f9e70b8fb8cf0428a2b37f56e226f5ad409e95d8f0424499f525ce6a0bfc90c83b78d42acd8cd6f8b460e05392a826af71c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2ymklod\n2ymklod.pdb
Filesize
51KB

MD5
3880500d5d69bf4a364188916979b67d

SHA1
1de1da0e4fc7a1ac1dc9b1b13cfda435d31516bf

SHA256
66e7fddf6472483f6493ec628e02ae7b16108f38970973e3852224ce149419bf

SHA512
e0d756fe0337679ce9a24f1e33bc3f60a32acbdaf79a69149be54f03f72555e3bacaedb9a5dcc01c3a1f74b7ebdd148bbd314d5e888bf3d56d4b3fca7cc08bf2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2ymklod\CSC2F9E10A88D9C47CCB260541749CAB4B0.TMP
Filesize
1KB

MD5
6066b5f352901d1c41d5a42e9dc0f23c

SHA1
86f6ad2b6ecdcc059f5db6858c687eefd2de0e2d

SHA256
2bb52d8e4cd475fb3f22d4d6754eee578a1853c4e49468bd9668fde2b156a4e7

SHA512
49ef0782f89d331cfbdfe378bb78e5690ad3f23c9c82cfdb2847e5b800031069690e8e7f0b2c6ede60209bda8b9e9fb34903c5c0f5caf3fa3a1810241706aa28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2ymklod\n2ymklod.0.cs
Filesize
29KB

MD5
b1b4726fefa6a60ae6c9372b54778396

SHA1
a2ba26bcd86e61188abe1856a9260c103181b62c

SHA256
bb621394d0af84a7bda3e5775694058126f77d9c63e4dcd863a9acb2f57ab2f5

SHA512
335a9f42de2e4b1f9465d64cdea3979d3667f88d3b5681a77701d4f2fe41f3c02386f4a66e99d8a94d978fd6260b411c2670c1f4340c9cff9011db89f639509c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2ymklod\n2ymklod.cmdline
Filesize
312B

MD5
c3bda7645cb8fbacc59cfa0fda4c139f

SHA1
a61210750ea86eb1646a759b5651d72ea8e9753c

SHA256
1dfc3906daa53aaf2a9de910df44268d8ba82754dacfcb7dd6fde9c83bfeeb62

SHA512
9f1a34c4e0020bbe7fcead1e86928d5639a5e2c5ee114268f8e072fe12cf119479646fcdbc10712c3e2e989fd228135c02907ad13cabe65e6f0dcad48acdd6f8

Download Submit
memory/1384-55-0x0000000000000000-mapping.dmp

Download
memory/1628-76-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1628-74-0x000000000048B1CE-mapping.dmp

Download
memory/1628-82-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-81-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-80-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-73-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1628-78-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1628-69-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1628-68-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1628-72-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1628-71-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1632-58-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x0000000000300000-0x000000000039A000-memory.dmp

Filesize
616KB

Download
memory/1836-67-0x0000000002110000-0x00000000021A0000-memory.dmp

Filesize
576KB

Download
memory/1836-66-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1836-65-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1836-64-0x00000000050F0000-0x000000000518A000-memory.dmp

Filesize
616KB

Download
memory/1836-63-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing