hawkeye_reborn | e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31

General

Target

e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe
Size

826KB
MD5

d21fa0f5b9240caa4352b2b7e1b79ad0
SHA1

774b0294155b0aecb34f72353436b25cdf3e7912
SHA256

e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31
SHA512

0a59fedb5a94b1cf8874f3ab9e58225b352b259868f07679b53972fe5912bb50483a06dac18e9e868f7079e2c12a820648ebd995c7f7d6595847907260d90fee

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
mail.faraveili.com
Port:
25
Username:
[email protected]
Password:
lord22

Mutex

a57e5243-4d3f-45c0-b0f1-2785a9260e2b

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:lord22 _EmailPort:25 _EmailSSL:false _EmailServer:mail.faraveili.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:a57e5243-4d3f-45c0-b0f1-2785a9260e2b _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/2784-139-0x0000000000000000-mapping.dmp	m00nd3v_logger
behavioral2/memory/2784-140-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Executes dropped EXE 2 IoCs

pid	Process
4384	app.exe
2784	app.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\app.exe -boot"	app.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4384 set thread context of 2784	4384	app.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
916	2784	WerFault.exe	94

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe
Token: 33	4812	e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe
Token: SeIncBasePriorityPrivilege	4812	e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe
Token: SeDebugPrivilege	4384	app.exe
Token: 33	4384	app.exe
Token: SeIncBasePriorityPrivilege	4384	app.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2784	app.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4500	4812	e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe	89
PID 4812 wrote to memory of 4500	4812	e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe	89
PID 4812 wrote to memory of 4500	4812	e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe	89
PID 4812 wrote to memory of 5064	4812	e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe	91
PID 4812 wrote to memory of 5064	4812	e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe	91
PID 4812 wrote to memory of 5064	4812	e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe	91
PID 5064 wrote to memory of 4384	5064	cmd.exe	93
PID 5064 wrote to memory of 4384	5064	cmd.exe	93
PID 5064 wrote to memory of 4384	5064	cmd.exe	93
PID 4384 wrote to memory of 2784	4384	app.exe	94
PID 4384 wrote to memory of 2784	4384	app.exe	94
PID 4384 wrote to memory of 2784	4384	app.exe	94
PID 4384 wrote to memory of 2784	4384	app.exe	94
PID 4384 wrote to memory of 2784	4384	app.exe	94
PID 4384 wrote to memory of 2784	4384	app.exe	94
PID 4384 wrote to memory of 2784	4384	app.exe	94
PID 4384 wrote to memory of 2784	4384	app.exe	94

C:\Users\Admin\AppData\Local\Temp\e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe
"C:\Users\Admin\AppData\Local\Temp\e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
  2⤵
  PID:4500
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of UnmapMainImage
      PID:2784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 12
        5⤵
        Program crash
        
        PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2784 -ip 2784
1⤵
PID:716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe

Filesize
826KB

MD5
d21fa0f5b9240caa4352b2b7e1b79ad0

SHA1
774b0294155b0aecb34f72353436b25cdf3e7912

SHA256
e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31

SHA512
0a59fedb5a94b1cf8874f3ab9e58225b352b259868f07679b53972fe5912bb50483a06dac18e9e868f7079e2c12a820648ebd995c7f7d6595847907260d90fee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe

Filesize
826KB

MD5
d21fa0f5b9240caa4352b2b7e1b79ad0

SHA1
774b0294155b0aecb34f72353436b25cdf3e7912

SHA256
e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31

SHA512
0a59fedb5a94b1cf8874f3ab9e58225b352b259868f07679b53972fe5912bb50483a06dac18e9e868f7079e2c12a820648ebd995c7f7d6595847907260d90fee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe

Filesize
826KB

MD5
d21fa0f5b9240caa4352b2b7e1b79ad0

SHA1
774b0294155b0aecb34f72353436b25cdf3e7912

SHA256
e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31

SHA512
0a59fedb5a94b1cf8874f3ab9e58225b352b259868f07679b53972fe5912bb50483a06dac18e9e868f7079e2c12a820648ebd995c7f7d6595847907260d90fee

Download Submit
memory/2784-140-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4384-138-0x0000000006140000-0x00000000061DC000-memory.dmp

Filesize
624KB

Download
memory/4812-130-0x0000000000B80000-0x0000000000C54000-memory.dmp

Filesize
848KB

Download
memory/4812-131-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download
memory/4812-132-0x0000000005A80000-0x0000000005B12000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing