hawkeye_reborn | 39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9

General

Target

39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe
Size

518KB
MD5

d8b7335d7669b24ddb9b239953f0d7a7
SHA1

f119bea19f892adc161a0ebb15ffbcc8150cc3c5
SHA256

39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9
SHA512

96c2ef1da4c5c1f55c17cadd46959a0ec8c0d9ddc947ac2c5c85fb9a3910d76436079ce2ed739c4f27f5d54cd8d1776670aeea305061fc43a046c92ebfbe515e

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 7 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/760-67-0x0000000005050000-0x00000000050E0000-memory.dmp	m00nd3v_logger
behavioral1/memory/1736-72-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1736-71-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1736-73-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1736-74-0x000000000048B1CE-mapping.dmp	m00nd3v_logger
behavioral1/memory/1736-76-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1736-78-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVoSSi.url	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 760 set thread context of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe
760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 2008	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	27
PID 760 wrote to memory of 2008	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	27
PID 760 wrote to memory of 2008	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	27
PID 760 wrote to memory of 2008	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	27
PID 2008 wrote to memory of 1956	2008	csc.exe	29
PID 2008 wrote to memory of 1956	2008	csc.exe	29
PID 2008 wrote to memory of 1956	2008	csc.exe	29
PID 2008 wrote to memory of 1956	2008	csc.exe	29
PID 760 wrote to memory of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30
PID 760 wrote to memory of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30
PID 760 wrote to memory of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30
PID 760 wrote to memory of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30
PID 760 wrote to memory of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30
PID 760 wrote to memory of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30
PID 760 wrote to memory of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30
PID 760 wrote to memory of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30
PID 760 wrote to memory of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30
PID 760 wrote to memory of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30
PID 760 wrote to memory of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30
PID 760 wrote to memory of 1736	760	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	30

C:\Users\Admin\AppData\Local\Temp\39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe
"C:\Users\Admin\AppData\Local\Temp\39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2oc0stdr\2oc0stdr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17C6.tmp" "c:\Users\Admin\AppData\Local\Temp\2oc0stdr\CSCEF5E9F29A1CB4C74942FF8FFB7A03A3.TMP"
    3⤵
    PID:1956
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2oc0stdr\2oc0stdr.dll

Filesize
6KB

MD5
05d196b0b2ca4653707dc431a3d70e10

SHA1
daaed99924871e876414cdfc695408b36ced90fc

SHA256
a9eeb65c273b393edcb18b84ce0fbe143fc41dc17e0918790e1eb840a5fcf976

SHA512
3e18120be26ad203a4c1dca628ad0f66e6fc2950504b86b991eb4e83f380bed97f78599baf9c2e6bb2674375082fcc1f241f37c6497d22efb63ba2c58ff3ef1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2oc0stdr\2oc0stdr.pdb

Filesize
17KB

MD5
a891ec9cace363976996d31f7dc62170

SHA1
b164d8cf994dfbaeec2f0fb9d97e0ab2cd90154f

SHA256
dda91d2d9fa316d66575eab149e54f4b6751ae31757756b0e9cdaed1103c1050

SHA512
340a15ed806ea735939056cad125c8935104a3a63bc4ff2515cf2861f666554ce026f7c78a7c4e4eea0dbaba3b9248559b8b380bada5b06a85556059e73e1246

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES17C6.tmp

Filesize
1KB

MD5
0851ca87118e4b693fcc5d2c2d26b745

SHA1
793bb7387d2d4e790564e18d1c92c83042bc551d

SHA256
9e603d7d76ffd4991cac7310203d634de5e6cc05df2727508bcc99183dd36a1b

SHA512
3c07ed3818ba88f449e387df18b84e7b70ff874ea104f49cb26d37bd84687ce10d17635fea586aa96d0893823133f844a1fea3483004df565b30eb1e58f98f25

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2oc0stdr\2oc0stdr.0.cs

Filesize
3KB

MD5
b6823d54afabf958afeefb18571df6e2

SHA1
9565aaf3eb244d657951d7a4f6bcdecf2b5bd2b4

SHA256
215489b46857eb0ffa39c0bc87f61944b6fb14d4fecc628db6e57d9e0eb27a10

SHA512
9b111ff86b7e36cc52750aad546e6c2c71e8ac90ae327880dc8666a749370312d1d2be34da3d24c5161a569c6452754248e3b8fbfecb2a25b9063237ac08c318

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2oc0stdr\2oc0stdr.cmdline

Filesize
312B

MD5
bc53ef340265ca237fe3675a4f88ac99

SHA1
613b6b06391de74e9e6d98a2a50d2016245f2f8b

SHA256
618e065426623dffcd150727562efb8a2678756d6b75b573c32f11b0d1577dde

SHA512
bac89b5d143e210eca65d4629a7618f072fd1924cb0e1fcc6bb25707d63cb524ab3f63681b1a9d586d1168eea679f1bdee753e25d7a0c095b5a18c2051f5d6d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2oc0stdr\CSCEF5E9F29A1CB4C74942FF8FFB7A03A3.TMP

Filesize
1KB

MD5
462088c878b8172c727afa9278a6af16

SHA1
bc444d355d3f648b093b7c9d1b4136051a0dc5e3

SHA256
263620a9274c6dd6b0ade19c2c73454f0a15db1ecc3a320d185e90ecff09ae47

SHA512
ceea598848750b990ce68703c267399a40b459649489f233cc462b003026bef14c456ab695db2f97e550e9f06fdd0e3392d4953ff1908e19e01cb8bc4d2c29ad

Download Submit
memory/760-66-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/760-54-0x0000000000A90000-0x0000000000B18000-memory.dmp

Filesize
544KB

Download
memory/760-67-0x0000000005050000-0x00000000050E0000-memory.dmp

Filesize
576KB

Download
memory/760-63-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/760-64-0x0000000004DA0000-0x0000000004E3A000-memory.dmp

Filesize
616KB

Download
memory/760-65-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/1736-69-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1736-68-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1736-72-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1736-71-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1736-73-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1736-76-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1736-78-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1736-80-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-81-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-82-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing