hawkeye_reborn | 2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd

General

Target

2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe
Size

1.1MB
MD5

6d8acff823a127a4aa930222a8eed23f
SHA1

cc1a08d02a700c58d7b062b20e90cdaf902d538d
SHA256

2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd
SHA512

63cae851b7f1b0713b02ddd3019c09398455deec0c23330249b28854e2c06b13ee2de285c7ac3ffb6b164ec6b967eaad5ded0b2f2b6619e31923b21e74e78c83

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
kalyacourtshotel.com
Port:
587
Username:
[email protected]
Password:
123@bookings

Mutex

1ecdf2b5-cbf1-4b8d-ab2b-c4323d1e4ceb

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:123@bookings _EmailPort:587 _EmailSSL:true _EmailServer:kalyacourtshotel.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:1ecdf2b5-cbf1-4b8d-ab2b-c4323d1e4ceb _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/1932-62-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1932-63-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1932-64-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1932-65-0x000000000048B2FE-mapping.dmp	m00nd3v_logger
behavioral1/memory/1932-67-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1932-69-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1868-82-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1868-83-0x000000000044472E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1868-86-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1868-87-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1868-89-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

resource	yara_rule
behavioral1/memory/1868-82-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1868-83-0x000000000044472E-mapping.dmp	Nirsoft
behavioral1/memory/1868-86-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1868-87-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1868-89-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 948 set thread context of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 1932 set thread context of 1868	1932	RegAsm.exe	30

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\debug\WIA\JQzAAaQ.exe	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe
1868	vbc.exe
1868	vbc.exe
1868	vbc.exe
1868	vbc.exe
1868	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1828	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	26
PID 948 wrote to memory of 1828	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	26
PID 948 wrote to memory of 1828	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	26
PID 948 wrote to memory of 1828	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	26
PID 948 wrote to memory of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 948 wrote to memory of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 948 wrote to memory of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 948 wrote to memory of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 948 wrote to memory of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 948 wrote to memory of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 948 wrote to memory of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 948 wrote to memory of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 948 wrote to memory of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 948 wrote to memory of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 948 wrote to memory of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 948 wrote to memory of 1932	948	2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe	28
PID 1932 wrote to memory of 1868	1932	RegAsm.exe	30
PID 1932 wrote to memory of 1868	1932	RegAsm.exe	30
PID 1932 wrote to memory of 1868	1932	RegAsm.exe	30
PID 1932 wrote to memory of 1868	1932	RegAsm.exe	30
PID 1932 wrote to memory of 1868	1932	RegAsm.exe	30
PID 1932 wrote to memory of 1868	1932	RegAsm.exe	30
PID 1932 wrote to memory of 1868	1932	RegAsm.exe	30
PID 1932 wrote to memory of 1868	1932	RegAsm.exe	30
PID 1932 wrote to memory of 1868	1932	RegAsm.exe	30
PID 1932 wrote to memory of 1868	1932	RegAsm.exe	30

C:\Users\Admin\AppData\Local\Temp\2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe
"C:\Users\Admin\AppData\Local\Temp\2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JQzAAaQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4329.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBA6A.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4329.tmp

Filesize
1KB

MD5
9af5ee450630182c6b984c911485ef70

SHA1
2cab5ffed0cd2b4c9e8adf75ca2b2a8d811414cf

SHA256
2472738b40afaa36f0409896d61ad99504fabb97a2156a1e4682314761facbc0

SHA512
66f57ee678085c69501569784af93834ceb8f344422cf8e6b935de0ae52653dd187ee1aff3d69a3ee494876c0c75a34b434a84ad245990bf0f2ef82539e5858a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA6A.tmp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/948-72-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/948-55-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/948-56-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/948-54-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1868-87-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-76-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-86-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-82-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-78-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-89-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-73-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-74-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1932-60-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1932-71-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-69-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1932-67-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1932-64-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1932-63-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1932-88-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-62-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1932-59-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads