hawkeye_reborn | 439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b

Analysis

max time kernel
47s
max time network
51s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-07-2022 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe
Size

696KB
MD5

02b6f972933bcaa6742a73e870d47b22
SHA1

6bf026a686444a6e6baf7739d82f6fe63f13f423
SHA256

439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b
SHA512

d85c20da4c658be1132d9999edb3de52bba6645581780a25b10101ea5ca71c518eae2ba7b656dbdedb63fbe88b069521300b227b69c8b33416f667b3a1faacb3

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 7 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/1512-67-0x0000000001330000-0x00000000013C0000-memory.dmp	m00nd3v_logger
behavioral1/memory/1084-71-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1084-73-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1084-72-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1084-74-0x000000000048B1CE-mapping.dmp	m00nd3v_logger
behavioral1/memory/1084-76-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1084-78-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kxTJOU.url	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1512 set thread context of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe
1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe
1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 704	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	28
PID 1512 wrote to memory of 704	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	28
PID 1512 wrote to memory of 704	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	28
PID 1512 wrote to memory of 704	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	28
PID 704 wrote to memory of 996	704	csc.exe	30
PID 704 wrote to memory of 996	704	csc.exe	30
PID 704 wrote to memory of 996	704	csc.exe	30
PID 704 wrote to memory of 996	704	csc.exe	30
PID 1512 wrote to memory of 1096	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	31
PID 1512 wrote to memory of 1096	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	31
PID 1512 wrote to memory of 1096	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	31
PID 1512 wrote to memory of 1096	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	31
PID 1512 wrote to memory of 1096	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	31
PID 1512 wrote to memory of 1096	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	31
PID 1512 wrote to memory of 1096	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	31
PID 1512 wrote to memory of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32
PID 1512 wrote to memory of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32
PID 1512 wrote to memory of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32
PID 1512 wrote to memory of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32
PID 1512 wrote to memory of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32
PID 1512 wrote to memory of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32
PID 1512 wrote to memory of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32
PID 1512 wrote to memory of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32
PID 1512 wrote to memory of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32
PID 1512 wrote to memory of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32
PID 1512 wrote to memory of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32
PID 1512 wrote to memory of 1084	1512	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	32

C:\Users\Admin\AppData\Local\Temp\439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe
"C:\Users\Admin\AppData\Local\Temp\439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5iqoypx1\5iqoypx1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE042.tmp" "c:\Users\Admin\AppData\Local\Temp\5iqoypx1\CSC8AA51423DBE439E92106260BF0B948.TMP"
    3⤵
    PID:996
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5iqoypx1\5iqoypx1.dll

Filesize
15KB

MD5
a313e9d7be7c67373fbf76645e6aa8a2

SHA1
2b978d8ef5d0ceba4b8cc617df49e093c717b35b

SHA256
99df59fdc28d56a99d2d49b3c20196ce653454f5a09ac3e3014c1f08df5c7710

SHA512
18c534d407ab00f88e25c5abb99920cf69d7142b79886e71643d6bc658ce27a707d2c9f0c8654d7b92491c2bbf12f41396364024bb6613aff3bc1d507b553840

Download Submit
C:\Users\Admin\AppData\Local\Temp\5iqoypx1\5iqoypx1.pdb

Filesize
49KB

MD5
4fd4e060586eb5010cffa12fbae8a963

SHA1
45da484081d11b5e2e94f702df065d85afdfa531

SHA256
e579bd39d4fa95f8dcb2888b28a0eedf826d32e394c9fb0af3efe4ce0247b360

SHA512
76367e350e23df803553e1ac5a8e147a44df59c7b8d77b8f816eb3886baa2c3ad252e8b73df2e18fe2fd6ab2557e5feb130fd06bb3fc2cbbde4d31557d456855

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE042.tmp

Filesize
1KB

MD5
fe08422071629889192048e3743b0fd1

SHA1
95dde5eefa397bdc978db3343dc0e89bc530979f

SHA256
c295e161cd74f21b3d41bbb4f667d2e6f4240702fb28b86a383b3f89fcccbdae

SHA512
8a2ddb3b157c6c11fa75224042e717a6298d4502b8ba9a135cbf2148e23860da6e13645ea361aaac8ac87dd8c3889680e786b9467e6ae6bfae1cced308b08656

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5iqoypx1\5iqoypx1.0.cs

Filesize
28KB

MD5
af7cf1371af556bc0a5e33dab1c7f041

SHA1
8a74df85d8d3b0fbc7eef041bfaf271209c085aa

SHA256
3e2985ce770c18d8d5d8849098e6f65ea3248e778a6aac4057793806c97675a6

SHA512
51ae3579cb5953f28933ff4c403f0bf0b0f93f5aa555d4b7f3b1ef50ddd44abe44d08c06dfb7c774d7ae8a311ad18a00bcdfe699306c634cb27b57cacefa70e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5iqoypx1\5iqoypx1.cmdline

Filesize
312B

MD5
334ff06bf556dcf1e3cb3a027fd11550

SHA1
c076bf15b5e038d9982c8162e71d71c8249fa615

SHA256
8765ccdf9671bb33cb1ae4c85cfe9489d6e41df4b03347254f48ba6e9021d629

SHA512
7622348744ca2a1683ed22339e7b00d4bb987d0a866aa742d7f9e09d0ae71bac8ed6c94f85ec41da1e0ce18f33eb8de671425725e5938924780cedaf44221fe0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5iqoypx1\CSC8AA51423DBE439E92106260BF0B948.TMP

Filesize
1KB

MD5
7cf31c4bae7f37e7b10475d05d41ac84

SHA1
7a0f697e815cc08d359773609039ff61e88547ed

SHA256
b70a921701044e06cff2e4a0b11e96ac03a88ed168ad018274a21f8f275330c7

SHA512
ff485f337a6c7c163d143c848ed72ee11bedad1413e62c369ff46acb10e5c927c0609690de9c3484b0a5773363e273e76a15a9b9adcd9c3575d387272cf3c2d9

Download Submit
memory/1084-72-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1084-78-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1084-82-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/1084-81-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/1084-80-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/1084-76-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1084-68-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1084-69-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1084-71-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1084-73-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1512-54-0x00000000013C0000-0x0000000001474000-memory.dmp

Filesize
720KB

Download
memory/1512-67-0x0000000001330000-0x00000000013C0000-memory.dmp

Filesize
576KB

Download
memory/1512-63-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/1512-65-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/1512-66-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download
memory/1512-64-0x0000000005270000-0x000000000530A000-memory.dmp

Filesize
616KB

Download