hawkeye_reborn | 3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a

General

Target

3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
Size

893KB
MD5

45bcaf1873553f6047d714fcec3362f1
SHA1

e898892a0af8a34d666543f5169dd34d6dbba6e9
SHA256

3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a
SHA512

e686717f37d87ce87473079969c6cf2f8a608eb68adc8516f18a03fa18e0e4077905deb9cd8b0555c108c387bdd4322fbf1dcc2d79d465f65600eb92bb5fa345

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/4036-135-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1512-146-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/1512-148-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/1512-149-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/208-139-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/208-141-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/208-142-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/208-143-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/208-139-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/208-141-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/208-142-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/208-143-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1512-146-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/1512-148-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/1512-149-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exeRegAsm.exe

description	pid	process	target process
PID 3256 set thread context of 4036	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 4036 set thread context of 208	4036	RegAsm.exe	vbc.exe
PID 4036 set thread context of 1512	4036	RegAsm.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4832 schtasks.exe

pid	process
4832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exevbc.exeRegAsm.exe

pid	process
3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
208	vbc.exe
208	vbc.exe
208	vbc.exe
208	vbc.exe
208	vbc.exe
208	vbc.exe
208	vbc.exe
208	vbc.exe
208	vbc.exe
208	vbc.exe
208	vbc.exe
208	vbc.exe
4036	RegAsm.exe
4036	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
Token: SeDebugPrivilege	4036	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

4036 RegAsm.exe

pid	process
4036	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exeRegAsm.exe

description	pid	process	target process
PID 3256 wrote to memory of 4200	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 3256 wrote to memory of 4200	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 3256 wrote to memory of 4200	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 3256 wrote to memory of 4832	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 3256 wrote to memory of 4832	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 3256 wrote to memory of 4832	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 3256 wrote to memory of 4036	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 3256 wrote to memory of 4036	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 3256 wrote to memory of 4036	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 3256 wrote to memory of 4036	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 3256 wrote to memory of 4036	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 3256 wrote to memory of 4036	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 3256 wrote to memory of 4036	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 3256 wrote to memory of 4036	3256	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 4036 wrote to memory of 208	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 208	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 208	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 208	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 208	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 208	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 208	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 208	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 208	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 1512	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 1512	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 1512	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 1512	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 1512	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 1512	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 1512	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 1512	4036	RegAsm.exe	vbc.exe
PID 4036 wrote to memory of 1512	4036	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
"C:\Users\Admin\AppData\Local\Temp\3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
2⤵
PID:4200

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /sc MINUTE /tn pCwmWG /MO 1 /tr "C:\Users\Admin\AppData\Roaming\anyname\anyname.exe\
2⤵
- Creates scheduled task(s)
PID:4832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpAC8C.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBD36.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAC8C.tmp
Filesize
4KB

MD5
e64c42bc217d551e4168a94182323359

SHA1
76937b2d460a61e91393dc198b277c4171b11fd8

SHA256
9bf4040d8495d226d2fa94cc117181a753d36197a944e73c9f02186bc3d93454

SHA512
c1ff859dcd080e7c77a594c81b9e3068ac899db2b7ccb2c3672e988f5a616b292bc7feaabcd4d4966c41fa28584a5458be60cd7edc661d2d4f9de0520b5f52c9

Download Submit
memory/208-143-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/208-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/208-141-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/208-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/208-138-0x0000000000000000-mapping.dmp

Download
memory/1512-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1512-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1512-146-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1512-145-0x0000000000000000-mapping.dmp

Download
memory/3256-130-0x0000000000780000-0x000000000084C000-memory.dmp

Filesize
816KB

Download
memory/3256-133-0x0000000005360000-0x00000000053FC000-memory.dmp

Filesize
624KB

Download
memory/4036-136-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4036-135-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4036-137-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4036-134-0x0000000000000000-mapping.dmp

Download
memory/4200-131-0x0000000000000000-mapping.dmp

Download
memory/4832-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads