hawkeye_reborn | 439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b

General

Target

439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe
Size

696KB
MD5

02b6f972933bcaa6742a73e870d47b22
SHA1

6bf026a686444a6e6baf7739d82f6fe63f13f423
SHA256

439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b
SHA512

d85c20da4c658be1132d9999edb3de52bba6645581780a25b10101ea5ca71c518eae2ba7b656dbdedb63fbe88b069521300b227b69c8b33416f667b3a1faacb3

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/2220-142-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

Processes:

439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kxTJOU.url	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 bot.whatismyipaddress.com

flow	ioc
10	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe

description	pid	process	target process
PID 4352 set thread context of 2220	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe

pid	process
4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe
4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe

description pid process

Token: SeDebugPrivilege 4352 439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe

description	pid	process
Token: SeDebugPrivilege	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.execsc.exe

description	pid	process	target process
PID 4352 wrote to memory of 4904	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	csc.exe
PID 4352 wrote to memory of 4904	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	csc.exe
PID 4352 wrote to memory of 4904	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	csc.exe
PID 4904 wrote to memory of 4500	4904	csc.exe	cvtres.exe
PID 4904 wrote to memory of 4500	4904	csc.exe	cvtres.exe
PID 4904 wrote to memory of 4500	4904	csc.exe	cvtres.exe
PID 4352 wrote to memory of 2220	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	RegAsm.exe
PID 4352 wrote to memory of 2220	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	RegAsm.exe
PID 4352 wrote to memory of 2220	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	RegAsm.exe
PID 4352 wrote to memory of 2220	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	RegAsm.exe
PID 4352 wrote to memory of 2220	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	RegAsm.exe
PID 4352 wrote to memory of 2220	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	RegAsm.exe
PID 4352 wrote to memory of 2220	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	RegAsm.exe
PID 4352 wrote to memory of 2220	4352	439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe
"C:\Users\Admin\AppData\Local\Temp\439f3a91c4c4386bf875004a5fa65c3f4ce45544419a0401f0a8b40ff4af845b.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xqh3nkzo\xqh3nkzo.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA33A.tmp" "c:\Users\Admin\AppData\Local\Temp\xqh3nkzo\CSC5774AEF7F7074D4B9CF561F8285A8B97.TMP"
3⤵
PID:4500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:2220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA33A.tmp
Filesize
1KB

MD5
4c9eec71c6dc6246fbcba80853557cec

SHA1
31f943b503d2761406d30063ef920a4cd35e406b

SHA256
006641023e0ac03b6cc60121f548d626145679b8a42405ffb03f3ce8a9a8a460

SHA512
62f2f26a59347780d7a84e8b45e62b619c461ce0a7aafcf1d182946b0f1405a7a4c42ccfee142e61f66f4ff6affec5c1a2d0df68c81654704bdeb5672b678475

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqh3nkzo\xqh3nkzo.dll
Filesize
15KB

MD5
9a6ec8c60cdc2c517ba90a6900be4dc2

SHA1
7ba0936d52d04b4c1d9bf75c26c5d9682e46f86c

SHA256
25e750625602e7e977c2c14a978612d906db59b0b346553673d3530470a7e1b7

SHA512
66a1778288bff4fc7e2d0e680a3f2a98dd14fc75cb9284ae418fee498e15c25450a4ea30bf72f4baf7f9faf10de7ce61c8e20ee7c934476153bfe07d2102740b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqh3nkzo\xqh3nkzo.pdb
Filesize
49KB

MD5
9f7ddfe7aa493a9cdd2d680187c47dfa

SHA1
7396ec100619598a3ea95ade1ec942cea06cad84

SHA256
370c61de3c5cfd81a08fa50e0909eae11f26d44e08739c11bdabf32ce1540421

SHA512
0a2b36331933ba912f9882663dc2b6e4695bd2581dc962cbd4481908bdda8f874e7b9e32b69be0d6e59467ee54aff1f59329ea5f63e642a258b2c1130e42d8ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xqh3nkzo\CSC5774AEF7F7074D4B9CF561F8285A8B97.TMP
Filesize
1KB

MD5
3baefd21369109a1933132d7657bd7e9

SHA1
8da1de206b48ca0110a2a35502622dffbaba6a50

SHA256
5d4ac8084df60d07cc3fa700d050949fe4f0480afd8a0697594424fe0ecef50c

SHA512
bbaf0c5b391924d242f695295c9fc17d564e36bc0c82eafb68c1610e340e0a419f99a50f2696a6ed0fb0403e7d3102dc45b496b16c37e8fc328a5c6d4ed5b3cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xqh3nkzo\xqh3nkzo.0.cs
Filesize
28KB

MD5
af7cf1371af556bc0a5e33dab1c7f041

SHA1
8a74df85d8d3b0fbc7eef041bfaf271209c085aa

SHA256
3e2985ce770c18d8d5d8849098e6f65ea3248e778a6aac4057793806c97675a6

SHA512
51ae3579cb5953f28933ff4c403f0bf0b0f93f5aa555d4b7f3b1ef50ddd44abe44d08c06dfb7c774d7ae8a311ad18a00bcdfe699306c634cb27b57cacefa70e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xqh3nkzo\xqh3nkzo.cmdline
Filesize
312B

MD5
5be772c5a3d240cbdd1a26eecfd041f4

SHA1
a469bb1ab42d3e2d681d585e00bb83fe880185eb

SHA256
40360e033509d03dc6e738824be9f18b44ba6da694cb069cb569c3b19983e77b

SHA512
381d66b302b235c2d3949ccad663e6d1fca165fa04ce6ab2261a7e5f886397962d67c7709eef81bacc6972ecc1a939daca6be30f76aec13a2693f3eb6042c71d

Download Submit
memory/2220-142-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2220-141-0x0000000000000000-mapping.dmp

Download
memory/2220-143-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/2220-144-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/2220-145-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/4352-139-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/4352-140-0x0000000005510000-0x00000000055AC000-memory.dmp

Filesize
624KB

Download
memory/4352-130-0x0000000000280000-0x0000000000334000-memory.dmp

Filesize
720KB

Download
memory/4500-134-0x0000000000000000-mapping.dmp

Download
memory/4904-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads