hawkeye_reborn | 269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177

General

Target

269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe
Size

911KB
MD5

51667a5b1127b0a1b4ef6c2746a62c26
SHA1

a47db208970a0ea9edec216e7dfc7ea372e8a2a9
SHA256

269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177
SHA512

107ce8c918ea9eddd0c51811028d630041b6e0bc8f23606524efbfa1a1c38f0cfea38f6dbabad0d7b22086c672314e00c6f5d3575ec73c1504c94eb8a634f439

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.0.5

Credentials

Protocol: smtp
Host:
mail.firstmetalcorp.ml
Port:
25
Username:
[email protected]
Password:
chinonsonkechi22#

Mutex

71edc002-be96-423f-a992-741c9f579010

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:chinonsonkechi22# _EmailPort:25 _EmailSSL:false _EmailServer:mail.firstmetalcorp.ml _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:true _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:71edc002-be96-423f-a992-741c9f579010 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:true _Version:9.0.0.5 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.0.5, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/3864-137-0x0000000000510000-0x00000000005A0000-memory.dmp	m00nd3v_logger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 3864	2232	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe	84

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe
Token: 33	2232	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe
Token: SeIncBasePriorityPrivilege	2232	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe
Token: SeDebugPrivilege	3864	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 3864	2232	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe	84
PID 2232 wrote to memory of 3864	2232	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe	84
PID 2232 wrote to memory of 3864	2232	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe	84
PID 2232 wrote to memory of 3864	2232	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe	84
PID 2232 wrote to memory of 3864	2232	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe	84
PID 2232 wrote to memory of 3864	2232	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe	84
PID 2232 wrote to memory of 3864	2232	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe	84
PID 2232 wrote to memory of 3864	2232	269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe	84

C:\Users\Admin\AppData\Local\Temp\269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe
"C:\Users\Admin\AppData\Local\Temp\269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe
  "C:\Users\Admin\AppData\Local\Temp\269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe.log

Filesize
706B

MD5
0110f3d722cddd9753644c78a308ff57

SHA1
c461bb3812ae8a3c77d0ec99850b3a88eda2ccc7

SHA256
03c3a90b4c2615ddd7bc4b663ba3cce4969223c0a21c53624c6f792ffde91de4

SHA512
8a581416a1a9e355e6cda1d4f2a93df807421ec2706c717c5d5d2acd004af2c14ee77d94c48e6643320dd2cd2e1072b9cfd8ecf37c0e8fb38df7d9f0c40cdf63

Download Submit
memory/2232-130-0x0000000000740000-0x000000000082A000-memory.dmp

Filesize
936KB

Download
memory/2232-131-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/2232-132-0x0000000005830000-0x0000000005DD4000-memory.dmp

Filesize
5.6MB

Download
memory/2232-133-0x00000000066D0000-0x000000000676C000-memory.dmp

Filesize
624KB

Download
memory/3864-137-0x0000000000510000-0x00000000005A0000-memory.dmp

Filesize
576KB

Download
memory/3864-138-0x0000000004C50000-0x0000000004CB6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing