hawkeye_reborn | 4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec

General

Target

4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
Size

1014KB
MD5

23e473332d88b997592273f52100dd71
SHA1

632af0c3d2d79ce41172195bfe99c1e2aedbc1db
SHA256

4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec
SHA512

c6538d6a169d37b685e2ccb9f1deee365946735947b16576fb915b5988b1956da32298e641c8cf2c367813786c5e29730c83397ab0bcee9e7ba82a230e45eb5c

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/60-140-0x0000000000600000-0x0000000000690000-memory.dmp	m00nd3v_logger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 bot.whatismyipaddress.com

flow	ioc
39	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe

description	pid	process	target process
PID 4308 set thread context of 60	4308	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe

description	pid	process
Token: SeDebugPrivilege	4308	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
Token: SeDebugPrivilege	60	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe

description	pid	process	target process
PID 4308 wrote to memory of 60	4308	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
PID 4308 wrote to memory of 60	4308	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
PID 4308 wrote to memory of 60	4308	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
PID 4308 wrote to memory of 60	4308	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
PID 4308 wrote to memory of 60	4308	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
PID 4308 wrote to memory of 60	4308	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
PID 4308 wrote to memory of 60	4308	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
PID 4308 wrote to memory of 60	4308	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe	4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe

C:\Users\Admin\AppData\Local\Temp\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
"C:\Users\Admin\AppData\Local\Temp\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
  "C:\Users\Admin\AppData\Local\Temp\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:60

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe.log

Filesize
1KB

MD5
400f1cc1a0a0ce1cdabda365ab3368ce

SHA1
1ecf683f14271d84f3b6063493dce00ff5f42075

SHA256
c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

SHA512
14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

Download Submit
memory/60-138-0x0000000000000000-mapping.dmp

Download
memory/60-140-0x0000000000600000-0x0000000000690000-memory.dmp

Filesize
576KB

Download
memory/60-141-0x0000000004CD0000-0x0000000004D36000-memory.dmp

Filesize
408KB

Download
memory/4308-133-0x0000000000560000-0x0000000000664000-memory.dmp

Filesize
1.0MB

Download
memory/4308-134-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/4308-135-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/4308-136-0x0000000005250000-0x000000000525A000-memory.dmp

Filesize
40KB

Download
memory/4308-137-0x0000000009200000-0x000000000929C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads