hawkeye_reborn | 39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9

General

Target

39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe
Size

518KB
MD5

d8b7335d7669b24ddb9b239953f0d7a7
SHA1

f119bea19f892adc161a0ebb15ffbcc8150cc3c5
SHA256

39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9
SHA512

96c2ef1da4c5c1f55c17cadd46959a0ec8c0d9ddc947ac2c5c85fb9a3910d76436079ce2ed739c4f27f5d54cd8d1776670aeea305061fc43a046c92ebfbe515e

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/2844-142-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVoSSi.url	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3356 set thread context of 2844	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe
3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 912	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	82
PID 3356 wrote to memory of 912	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	82
PID 3356 wrote to memory of 912	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	82
PID 912 wrote to memory of 1572	912	csc.exe	84
PID 912 wrote to memory of 1572	912	csc.exe	84
PID 912 wrote to memory of 1572	912	csc.exe	84
PID 3356 wrote to memory of 2844	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	85
PID 3356 wrote to memory of 2844	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	85
PID 3356 wrote to memory of 2844	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	85
PID 3356 wrote to memory of 2844	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	85
PID 3356 wrote to memory of 2844	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	85
PID 3356 wrote to memory of 2844	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	85
PID 3356 wrote to memory of 2844	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	85
PID 3356 wrote to memory of 2844	3356	39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe	85

C:\Users\Admin\AppData\Local\Temp\39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe
"C:\Users\Admin\AppData\Local\Temp\39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\azzseab1\azzseab1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9ED5.tmp" "c:\Users\Admin\AppData\Local\Temp\azzseab1\CSC38FEC8C489BA4CBDB8CB786575E242.TMP"
    3⤵
    PID:1572
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:2844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9ED5.tmp

Filesize
1KB

MD5
7bf01063928091638e784739b7a3b2e2

SHA1
5f86baddbb1196c841be9392799d41525195333e

SHA256
5e1baedc97a1dfefc693506a44e871aa35acf5ab2dd938d261454dfbdd27307e

SHA512
2a47e4856ce05d5b2d0547c50d89af2aef8115b52ac8671730445075a3d9fe50ea5f2726ff81bf46374211c3576d3b5c147544a2d7dcfc3cf982f5397d95b5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\azzseab1\azzseab1.dll

Filesize
6KB

MD5
f3e36cf672f719ef4a8b7f29d5a94ffd

SHA1
c5464e59a16a805e6bc8226bccf6e39937838842

SHA256
19204611ecbdfe20c86c9b3f06206171b73c2d522230d34fed9ed0b3de805477

SHA512
5e4ccd23eb897d87854d003b1b1235c4bcf02850e91f533dc2d9c5497cd6d0616c8a04de36e35d1b56e5e2e212fa1f16c41c3b8f5bd3936323748564983e7356

Download Submit
C:\Users\Admin\AppData\Local\Temp\azzseab1\azzseab1.pdb

Filesize
17KB

MD5
585af9f5cc7dcaf340900fb38e508e2b

SHA1
b70039e4907bcf8f740cd13cb91d075eb817e1c7

SHA256
20242fa5467621e6b165c04700db5be05f40ea2d9edd0acf33e26f384b506f00

SHA512
76459096294b4023ac4e652a8e8364b844e86202b59f298e9ba2df56c21a1408a03634be6e4a3db288beb66d150886339152bbd25730c07acdd962d116783f11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\azzseab1\CSC38FEC8C489BA4CBDB8CB786575E242.TMP

Filesize
1KB

MD5
87dc78e4bc29c4fd253f4d2695cbfc28

SHA1
0b40150a28892181cfa7bdd6b527b8e5c4aaeac6

SHA256
2ac5ac8d670998026beae3caac6474a267cc382df9ae5ae0e07cabd52d818e6a

SHA512
9151210af48a6c76ffadc98a06e277a5fe7cc187eae3e60fee1c75929052ee0a2da8bed8c7451cff63a757cd1a2a6c12a6329e375aa62a59858ee1f0aa77ee14

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\azzseab1\azzseab1.0.cs

Filesize
3KB

MD5
b6823d54afabf958afeefb18571df6e2

SHA1
9565aaf3eb244d657951d7a4f6bcdecf2b5bd2b4

SHA256
215489b46857eb0ffa39c0bc87f61944b6fb14d4fecc628db6e57d9e0eb27a10

SHA512
9b111ff86b7e36cc52750aad546e6c2c71e8ac90ae327880dc8666a749370312d1d2be34da3d24c5161a569c6452754248e3b8fbfecb2a25b9063237ac08c318

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\azzseab1\azzseab1.cmdline

Filesize
312B

MD5
c51c00c8b3ff2c683a34ff9f5b77c91c

SHA1
edc49429d9a986a9a9de351a0b29d110ff104d85

SHA256
72bd46be579f036975604ba647becf02318a3c5e33dff80b8553dfe392ed8871

SHA512
4e446dd197ce5c4bb4e8a21cee3674be36c59032f807f442d7c35270c96c2a120d15feac9525541b5a55d6f378cfa6e3f7677116f36f5ea851e3b3ddc29da9e6

Download Submit
memory/2844-142-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2844-143-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/2844-144-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/2844-145-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3356-130-0x0000000000D00000-0x0000000000D88000-memory.dmp

Filesize
544KB

Download
memory/3356-139-0x0000000005780000-0x0000000005812000-memory.dmp

Filesize
584KB

Download
memory/3356-140-0x0000000005F40000-0x0000000005FDC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing