hawkeye_reborn | 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0

General

Target

993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe
Size

804KB
MD5

01f4bb3ef1c9a71debeb6e3cf96a95a7
SHA1

b7a2e81eded3ef70284ae35a68cbb89b0326e2d2
SHA256

993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0
SHA512

c1c6246e6b6bce4212be4be30236dd7a0fa231e1184dd3a7a7fee3c6e8bed99ed49f6b2e2b361e7149a580e63b0620ec40dc171a6f46dc1c602943e8dbb95274

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
webmail.noahtrader.com
Port:
587
Username:
[email protected]
Password:
igboigbo@2019

Mutex

41e558b2-4ec6-488f-9f67-6d0b27598856

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:igboigbo@2019 _EmailPort:587 _EmailSSL:false _EmailServer:webmail.noahtrader.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:41e558b2-4ec6-488f-9f67-6d0b27598856 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/4988-133-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4820-145-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4820-147-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4820-148-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4820-149-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3676-138-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3676-140-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3676-141-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3676-142-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

resource	yara_rule
behavioral2/memory/3676-138-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3676-140-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3676-141-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3676-142-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4820-145-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4820-147-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4820-148-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4820-149-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4928 set thread context of 4988	4928	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	90
PID 4988 set thread context of 3676	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	91
PID 4988 set thread context of 4820	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	92

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
3676	vbc.exe
4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe
4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4988	4928	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	90
PID 4928 wrote to memory of 4988	4928	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	90
PID 4928 wrote to memory of 4988	4928	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	90
PID 4928 wrote to memory of 4988	4928	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	90
PID 4928 wrote to memory of 4988	4928	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	90
PID 4928 wrote to memory of 4988	4928	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	90
PID 4928 wrote to memory of 4988	4928	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	90
PID 4928 wrote to memory of 4988	4928	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	90
PID 4988 wrote to memory of 3676	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	91
PID 4988 wrote to memory of 3676	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	91
PID 4988 wrote to memory of 3676	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	91
PID 4988 wrote to memory of 3676	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	91
PID 4988 wrote to memory of 3676	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	91
PID 4988 wrote to memory of 3676	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	91
PID 4988 wrote to memory of 3676	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	91
PID 4988 wrote to memory of 3676	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	91
PID 4988 wrote to memory of 3676	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	91
PID 4988 wrote to memory of 4820	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	92
PID 4988 wrote to memory of 4820	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	92
PID 4988 wrote to memory of 4820	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	92
PID 4988 wrote to memory of 4820	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	92
PID 4988 wrote to memory of 4820	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	92
PID 4988 wrote to memory of 4820	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	92
PID 4988 wrote to memory of 4820	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	92
PID 4988 wrote to memory of 4820	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	92
PID 4988 wrote to memory of 4820	4988	993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe	92

C:\Users\Admin\AppData\Local\Temp\993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe
"C:\Users\Admin\AppData\Local\Temp\993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe
  "C:\Users\Admin\AppData\Local\Temp\993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBBDF.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:4820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp

Filesize
4KB

MD5
e64c42bc217d551e4168a94182323359

SHA1
76937b2d460a61e91393dc198b277c4171b11fd8

SHA256
9bf4040d8495d226d2fa94cc117181a753d36197a944e73c9f02186bc3d93454

SHA512
c1ff859dcd080e7c77a594c81b9e3068ac899db2b7ccb2c3672e988f5a616b292bc7feaabcd4d4966c41fa28584a5458be60cd7edc661d2d4f9de0520b5f52c9

Download Submit
memory/3676-138-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3676-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3676-140-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3676-141-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4820-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4820-147-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4820-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4820-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4928-130-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-135-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-131-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4988-136-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4988-134-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4988-133-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing