hawkeye_reborn | 3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174

General

Target

3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe
Size

772KB
MD5

ca9c2913e35c74a38b7f8ece1cb17785
SHA1

15e2e333efb22376e11e7983aa85b70a1875eb19
SHA256

3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174
SHA512

dd675a29e4436e294824aba0384985c874269e93a25ee0836edc5e17d294d48a47b81e9a0627a93d863f556aa627c2aa2672e7aeba6db5683c0df361005f224f

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.0.5

Credentials

Protocol: smtp
Host:
mail.123tracein.com
Port:
587
Username:
nzrepo1@123tracein.com
Password:
Vvt.5rffGwtH

Mutex

50d9bce9-6693-4df8-986d-11678ab9d9c5

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:Vvt.5rffGwtH _EmailPort:587 _EmailSSL:true _EmailServer:mail.123tracein.com _EmailUsername:nzrepo1@123tracein.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:30 _MeltFile:false _Mutex:50d9bce9-6693-4df8-986d-11678ab9d9c5 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:true _Version:9.0.0.5 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.0.5, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/3984-140-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Executes dropped EXE 2 IoCs

Processes:

app.exeapp.exe

pid process

4844 app.exe
3984 app.exe

pid	process
4844	app.exe
3984	app.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe

Drops startup file 1 IoCs

Processes:

app.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk app.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

app.exe

description pid process target process

PID 4844 set thread context of 3984 4844 app.exe app.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk	app.exe

flow	ioc
41	bot.whatismyipaddress.com

description	pid	process	target process
PID 4844 set thread context of 3984	4844	app.exe	app.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exeapp.exeapp.exe

description	pid	process
Token: SeDebugPrivilege	4328	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe
Token: 33	4328	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe
Token: SeIncBasePriorityPrivilege	4328	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe
Token: SeDebugPrivilege	4844	app.exe
Token: 33	4844	app.exe
Token: SeIncBasePriorityPrivilege	4844	app.exe
Token: SeDebugPrivilege	3984	app.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.execmd.exeapp.exe

description	pid	process	target process
PID 4328 wrote to memory of 4600	4328	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 4328 wrote to memory of 4600	4328	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 4328 wrote to memory of 4600	4328	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 4328 wrote to memory of 176	4328	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 4328 wrote to memory of 176	4328	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 4328 wrote to memory of 176	4328	3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe	cmd.exe
PID 176 wrote to memory of 4844	176	cmd.exe	app.exe
PID 176 wrote to memory of 4844	176	cmd.exe	app.exe
PID 176 wrote to memory of 4844	176	cmd.exe	app.exe
PID 4844 wrote to memory of 3984	4844	app.exe	app.exe
PID 4844 wrote to memory of 3984	4844	app.exe	app.exe
PID 4844 wrote to memory of 3984	4844	app.exe	app.exe
PID 4844 wrote to memory of 3984	4844	app.exe	app.exe
PID 4844 wrote to memory of 3984	4844	app.exe	app.exe
PID 4844 wrote to memory of 3984	4844	app.exe	app.exe
PID 4844 wrote to memory of 3984	4844	app.exe	app.exe
PID 4844 wrote to memory of 3984	4844	app.exe	app.exe

C:\Users\Admin\AppData\Local\Temp\3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe
"C:\Users\Admin\AppData\Local\Temp\3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
2⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:176

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\app.exe.log
Filesize
706B

MD5
0110f3d722cddd9753644c78a308ff57

SHA1
c461bb3812ae8a3c77d0ec99850b3a88eda2ccc7

SHA256
03c3a90b4c2615ddd7bc4b663ba3cce4969223c0a21c53624c6f792ffde91de4

SHA512
8a581416a1a9e355e6cda1d4f2a93df807421ec2706c717c5d5d2acd004af2c14ee77d94c48e6643320dd2cd2e1072b9cfd8ecf37c0e8fb38df7d9f0c40cdf63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
Filesize
772KB

MD5
ca9c2913e35c74a38b7f8ece1cb17785

SHA1
15e2e333efb22376e11e7983aa85b70a1875eb19

SHA256
3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174

SHA512
dd675a29e4436e294824aba0384985c874269e93a25ee0836edc5e17d294d48a47b81e9a0627a93d863f556aa627c2aa2672e7aeba6db5683c0df361005f224f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
Filesize
772KB

MD5
ca9c2913e35c74a38b7f8ece1cb17785

SHA1
15e2e333efb22376e11e7983aa85b70a1875eb19

SHA256
3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174

SHA512
dd675a29e4436e294824aba0384985c874269e93a25ee0836edc5e17d294d48a47b81e9a0627a93d863f556aa627c2aa2672e7aeba6db5683c0df361005f224f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
Filesize
772KB

MD5
ca9c2913e35c74a38b7f8ece1cb17785

SHA1
15e2e333efb22376e11e7983aa85b70a1875eb19

SHA256
3237150c0e5eafa032604dc03b7517e5ebb333287bfd1c4e9c507edaad37f174

SHA512
dd675a29e4436e294824aba0384985c874269e93a25ee0836edc5e17d294d48a47b81e9a0627a93d863f556aa627c2aa2672e7aeba6db5683c0df361005f224f

Download Submit
memory/176-134-0x0000000000000000-mapping.dmp

Download
memory/3984-139-0x0000000000000000-mapping.dmp

Download
memory/3984-140-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3984-143-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/4328-130-0x0000000000DC0000-0x0000000000E88000-memory.dmp

Filesize
800KB

Download
memory/4328-132-0x0000000008480000-0x0000000008A24000-memory.dmp

Filesize
5.6MB

Download
memory/4328-131-0x0000000007E30000-0x0000000007EC2000-memory.dmp

Filesize
584KB

Download
memory/4600-133-0x0000000000000000-mapping.dmp

Download
memory/4844-135-0x0000000000000000-mapping.dmp

Download
memory/4844-138-0x0000000009180000-0x000000000921C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads