hawkeye_reborn | ac03353f0ee1e9305418c42b3abe85bcd93b610d75aa4ed6a511ad80efbd58e8

General

Target

scan00238393903,pdf.exe
Size

594KB
MD5

48140b427e5241a5a806bbb0b925b7d2
SHA1

772d2f450c44f05ac4132d7c9cb8b72e5e54332c
SHA256

ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593
SHA512

ecd026fc3a7aeb5baeabd811c15b279773a4c51457525b72baa1437231d523889596b2b4905c68cbdaedb7045404b878984bf94fee006e1e71435ac7ac8bdcb3

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral4/memory/4044-142-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

Processes:

scan00238393903,pdf.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQEnFW.url scan00238393903,pdf.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

scan00238393903,pdf.exe

description pid process target process

PID 4124 set thread context of 4044 4124 scan00238393903,pdf.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

scan00238393903,pdf.exe

pid process

4124 scan00238393903,pdf.exe
4124 scan00238393903,pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

scan00238393903,pdf.exe

description pid process

Token: SeDebugPrivilege 4124 scan00238393903,pdf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQEnFW.url	scan00238393903,pdf.exe

flow	ioc
35	bot.whatismyipaddress.com

description	pid	process	target process
PID 4124 set thread context of 4044	4124	scan00238393903,pdf.exe	RegAsm.exe

pid	process
4124	scan00238393903,pdf.exe
4124	scan00238393903,pdf.exe

description	pid	process
Token: SeDebugPrivilege	4124	scan00238393903,pdf.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

scan00238393903,pdf.execsc.exe

description	pid	process	target process
PID 4124 wrote to memory of 4564	4124	scan00238393903,pdf.exe	csc.exe
PID 4124 wrote to memory of 4564	4124	scan00238393903,pdf.exe	csc.exe
PID 4124 wrote to memory of 4564	4124	scan00238393903,pdf.exe	csc.exe
PID 4564 wrote to memory of 4292	4564	csc.exe	cvtres.exe
PID 4564 wrote to memory of 4292	4564	csc.exe	cvtres.exe
PID 4564 wrote to memory of 4292	4564	csc.exe	cvtres.exe
PID 4124 wrote to memory of 4044	4124	scan00238393903,pdf.exe	RegAsm.exe
PID 4124 wrote to memory of 4044	4124	scan00238393903,pdf.exe	RegAsm.exe
PID 4124 wrote to memory of 4044	4124	scan00238393903,pdf.exe	RegAsm.exe
PID 4124 wrote to memory of 4044	4124	scan00238393903,pdf.exe	RegAsm.exe
PID 4124 wrote to memory of 4044	4124	scan00238393903,pdf.exe	RegAsm.exe
PID 4124 wrote to memory of 4044	4124	scan00238393903,pdf.exe	RegAsm.exe
PID 4124 wrote to memory of 4044	4124	scan00238393903,pdf.exe	RegAsm.exe
PID 4124 wrote to memory of 4044	4124	scan00238393903,pdf.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\scan00238393903,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\scan00238393903,pdf.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qyfapov4\qyfapov4.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9678.tmp" "c:\Users\Admin\AppData\Local\Temp\qyfapov4\CSCEC4EB62613504F2A99E28CC152DFD48.TMP"
3⤵
PID:4292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:4044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9678.tmp
Filesize
1KB

MD5
a0057871c507b8825510a8c834ba823a

SHA1
ed7611e3951a81642d7a84d8568c13d9cc2f66a2

SHA256
c0928c928fb8ba28219fe127eee61771eacf44087f55f39f4295677f9f9a3487

SHA512
c24bdda3fd2341cf28558b1c4ca55f701cbc568f62a0f456bcf24a979a4054862c9f9e7fca60d76e902da005871e2ef3953334e4a7c555e98cf2f1dd13ae1105

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyfapov4\qyfapov4.dll
Filesize
15KB

MD5
db0c34a33b6bf29db92ffe3eba7b070b

SHA1
6d78087b6f36d31a6466e3fb0a3442adcf79496a

SHA256
b661421c0476961e072394c2456ffb90b92e38bfc034f17d8fcd70e397817d36

SHA512
6a87f608d0c2cdc4d9a0c0e8c8d92c26989d10a6852263d4cb6dca3c51a8454fb2a8051f8cdce86edb0d5e7b5be4d8551c0770b365410c493a7d54ef94d1b3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyfapov4\qyfapov4.pdb
Filesize
51KB

MD5
ab02f03484edb66ec364bea0a501d7e0

SHA1
bc2a8efff0cab01e49c862aa2b38c5376a045ec1

SHA256
fae0616049fa0ec2a8507bd95ee85e933f826ae59bdb76a23d5841f8ff7745b2

SHA512
275508e60e623696f4f028fc5f0f6534532ccd4e4b8130b3b01e9c5e16d97f157c58afb98a147b689c9882fe65e387361bb98a0739b02eb23532e9215da58247

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qyfapov4\CSCEC4EB62613504F2A99E28CC152DFD48.TMP
Filesize
1KB

MD5
57ff8630597b54026ef3efca71da82e0

SHA1
d09d51704dd3b657cb8e049809e36cd546ca057d

SHA256
cacccc13c989c1c74a6fc9f136f932f392b9879d7200e53cbaeb0df8bf61803b

SHA512
c50a5642a97451c1f96c3d0d5a4ef49d083f8936932aa569872676229b4440090dacc9968664b077519a8e00e68e144d81e87e2cd47ae0671daf3ea60143c36c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qyfapov4\qyfapov4.0.cs
Filesize
29KB

MD5
b1b4726fefa6a60ae6c9372b54778396

SHA1
a2ba26bcd86e61188abe1856a9260c103181b62c

SHA256
bb621394d0af84a7bda3e5775694058126f77d9c63e4dcd863a9acb2f57ab2f5

SHA512
335a9f42de2e4b1f9465d64cdea3979d3667f88d3b5681a77701d4f2fe41f3c02386f4a66e99d8a94d978fd6260b411c2670c1f4340c9cff9011db89f639509c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qyfapov4\qyfapov4.cmdline
Filesize
312B

MD5
082ea8791729fb32339991d8e1be18cc

SHA1
4c1d4e3a7602a75b413e362f1cb7b437086c1209

SHA256
798fd6258e44763f8330a4f4d2a01c80f9026ab659d03d2b5cf1b7cb5b4df986

SHA512
6cc295cf5cd1398be1f46c8f48540371564691a8d5226ea6299d8e602fc9d93d64b6bd059f034efe3625f9a8160d87f72c1c2f21b1129073f77d327ed3c0a08a

Download Submit
memory/4044-142-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4044-141-0x0000000000000000-mapping.dmp

Download
memory/4044-143-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4044-144-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4044-145-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4124-139-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/4124-140-0x00000000056A0000-0x000000000573C000-memory.dmp

Filesize
624KB

Download
memory/4124-130-0x0000000000240000-0x00000000002DA000-memory.dmp

Filesize
616KB

Download
memory/4292-134-0x0000000000000000-mapping.dmp

Download
memory/4564-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing