hawkeye_reborn | 3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174

General

Target

3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe
Size

772KB
MD5

ca9c2913e35c74a38b7f8ece1cb17785
SHA1

15e2e333efb22376e11e7983aa85b70a1875eb19
SHA256

3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174
SHA512

dd675a29e4436e294824aba0384985c874269e93a25ee0836edc5e17d294d48a47b81e9a0627a93d863f556aa627c2aa2672e7aeba6db5683c0df361005f224f

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.0.5

Credentials

Protocol: smtp
Host:
mail.123tracein.com
Port:
587
Username:
[email protected]
Password:
Vvt.5rffGwtH

Mutex

50d9bce9-6693-4df8-986d-11678ab9d9c5

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:Vvt.5rffGwtH _EmailPort:587 _EmailSSL:true _EmailServer:mail.123tracein.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:30 _MeltFile:false _Mutex:50d9bce9-6693-4df8-986d-11678ab9d9c5 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:true _Version:9.0.0.5 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.0.5, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/980-69-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/980-70-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/980-71-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/980-72-0x000000000048B20E-mapping.dmp	m00nd3v_logger
behavioral1/memory/980-75-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/980-77-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/980-78-0x0000000000CB0000-0x0000000000D26000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/980-78-0x0000000000CB0000-0x0000000000D26000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/980-78-0x0000000000CB0000-0x0000000000D26000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

app.exeapp.exe

pid process

1220 app.exe
980 app.exe
Drops startup file 1 IoCs

Processes:

app.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk app.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exeapp.exe

pid process

908 cmd.exe
1220 app.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

app.exe

description pid process target process

PID 1220 set thread context of 980 1220 app.exe app.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1220	app.exe
980	app.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk	app.exe

pid	process
908	cmd.exe
1220	app.exe

flow	ioc
4	bot.whatismyipaddress.com

description	pid	process	target process
PID 1220 set thread context of 980	1220	app.exe	app.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exeapp.exeapp.exe

description	pid	process
Token: SeDebugPrivilege	1292	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe
Token: 33	1292	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe
Token: SeIncBasePriorityPrivilege	1292	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe
Token: SeDebugPrivilege	1220	app.exe
Token: 33	1220	app.exe
Token: SeIncBasePriorityPrivilege	1220	app.exe
Token: SeDebugPrivilege	980	app.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.execmd.exeapp.exe

description	pid	process	target process
PID 1292 wrote to memory of 1464	1292	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 1292 wrote to memory of 1464	1292	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 1292 wrote to memory of 1464	1292	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 1292 wrote to memory of 1464	1292	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 1292 wrote to memory of 908	1292	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 1292 wrote to memory of 908	1292	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 1292 wrote to memory of 908	1292	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 1292 wrote to memory of 908	1292	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 908 wrote to memory of 1220	908	cmd.exe	app.exe
PID 908 wrote to memory of 1220	908	cmd.exe	app.exe
PID 908 wrote to memory of 1220	908	cmd.exe	app.exe
PID 908 wrote to memory of 1220	908	cmd.exe	app.exe
PID 1220 wrote to memory of 980	1220	app.exe	app.exe
PID 1220 wrote to memory of 980	1220	app.exe	app.exe
PID 1220 wrote to memory of 980	1220	app.exe	app.exe
PID 1220 wrote to memory of 980	1220	app.exe	app.exe
PID 1220 wrote to memory of 980	1220	app.exe	app.exe
PID 1220 wrote to memory of 980	1220	app.exe	app.exe
PID 1220 wrote to memory of 980	1220	app.exe	app.exe
PID 1220 wrote to memory of 980	1220	app.exe	app.exe
PID 1220 wrote to memory of 980	1220	app.exe	app.exe

C:\Users\Admin\AppData\Local\Temp\3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe
"C:\Users\Admin\AppData\Local\Temp\3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
  2⤵
  PID:1464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe

Filesize
772KB

MD5
ca9c2913e35c74a38b7f8ece1cb17785

SHA1
15e2e333efb22376e11e7983aa85b70a1875eb19

SHA256
3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174

SHA512
dd675a29e4436e294824aba0384985c874269e93a25ee0836edc5e17d294d48a47b81e9a0627a93d863f556aa627c2aa2672e7aeba6db5683c0df361005f224f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe

Filesize
772KB

MD5
ca9c2913e35c74a38b7f8ece1cb17785

SHA1
15e2e333efb22376e11e7983aa85b70a1875eb19

SHA256
3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174

SHA512
dd675a29e4436e294824aba0384985c874269e93a25ee0836edc5e17d294d48a47b81e9a0627a93d863f556aa627c2aa2672e7aeba6db5683c0df361005f224f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe

Filesize
772KB

MD5
ca9c2913e35c74a38b7f8ece1cb17785

SHA1
15e2e333efb22376e11e7983aa85b70a1875eb19

SHA256
3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174

SHA512
dd675a29e4436e294824aba0384985c874269e93a25ee0836edc5e17d294d48a47b81e9a0627a93d863f556aa627c2aa2672e7aeba6db5683c0df361005f224f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe

Filesize
772KB

MD5
ca9c2913e35c74a38b7f8ece1cb17785

SHA1
15e2e333efb22376e11e7983aa85b70a1875eb19

SHA256
3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174

SHA512
dd675a29e4436e294824aba0384985c874269e93a25ee0836edc5e17d294d48a47b81e9a0627a93d863f556aa627c2aa2672e7aeba6db5683c0df361005f224f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe

Filesize
772KB

MD5
ca9c2913e35c74a38b7f8ece1cb17785

SHA1
15e2e333efb22376e11e7983aa85b70a1875eb19

SHA256
3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174

SHA512
dd675a29e4436e294824aba0384985c874269e93a25ee0836edc5e17d294d48a47b81e9a0627a93d863f556aa627c2aa2672e7aeba6db5683c0df361005f224f

Download Submit
memory/908-59-0x0000000000000000-mapping.dmp

Download
memory/980-70-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/980-75-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/980-79-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/980-78-0x0000000000CB0000-0x0000000000D26000-memory.dmp

Filesize
472KB

Download
memory/980-66-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/980-67-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/980-69-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/980-77-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/980-71-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/980-72-0x000000000048B20E-mapping.dmp

Download
memory/1220-62-0x0000000000000000-mapping.dmp

Download
memory/1220-64-0x0000000000FA0000-0x0000000001068000-memory.dmp

Filesize
800KB

Download
memory/1292-54-0x0000000001370000-0x0000000001438000-memory.dmp

Filesize
800KB

Download
memory/1292-55-0x0000000004920000-0x00000000049CA000-memory.dmp

Filesize
680KB

Download
memory/1292-56-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/1292-57-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1464-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads