hawkeye_reborn | 51fef8e428e33333c31c9026232baa98efdc3a586c55c808859065a964b56c5d

General

Target

PAYMENT-PDF.exe
Size

518KB
MD5

d8b7335d7669b24ddb9b239953f0d7a7
SHA1

f119bea19f892adc161a0ebb15ffbcc8150cc3c5
SHA256

39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9
SHA512

96c2ef1da4c5c1f55c17cadd46959a0ec8c0d9ddc947ac2c5c85fb9a3910d76436079ce2ed739c4f27f5d54cd8d1776670aeea305061fc43a046c92ebfbe515e

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 7 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/1628-67-0x00000000050C0000-0x0000000005150000-memory.dmp	m00nd3v_logger
behavioral1/memory/1008-71-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1008-73-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1008-72-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1008-74-0x000000000048B1CE-mapping.dmp	m00nd3v_logger
behavioral1/memory/1008-78-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1008-76-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

Processes:

PAYMENT-PDF.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVoSSi.url PAYMENT-PDF.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMENT-PDF.exe

description pid process target process

PID 1628 set thread context of 1008 1628 PAYMENT-PDF.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PAYMENT-PDF.exe

pid process

1628 PAYMENT-PDF.exe
1628 PAYMENT-PDF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PAYMENT-PDF.exe

description pid process

Token: SeDebugPrivilege 1628 PAYMENT-PDF.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVoSSi.url	PAYMENT-PDF.exe

flow	ioc
4	bot.whatismyipaddress.com

description	pid	process	target process
PID 1628 set thread context of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe

pid	process
1628	PAYMENT-PDF.exe
1628	PAYMENT-PDF.exe

description	pid	process
Token: SeDebugPrivilege	1628	PAYMENT-PDF.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

PAYMENT-PDF.execsc.exe

description	pid	process	target process
PID 1628 wrote to memory of 1248	1628	PAYMENT-PDF.exe	csc.exe
PID 1628 wrote to memory of 1248	1628	PAYMENT-PDF.exe	csc.exe
PID 1628 wrote to memory of 1248	1628	PAYMENT-PDF.exe	csc.exe
PID 1628 wrote to memory of 1248	1628	PAYMENT-PDF.exe	csc.exe
PID 1248 wrote to memory of 1004	1248	csc.exe	cvtres.exe
PID 1248 wrote to memory of 1004	1248	csc.exe	cvtres.exe
PID 1248 wrote to memory of 1004	1248	csc.exe	cvtres.exe
PID 1248 wrote to memory of 1004	1248	csc.exe	cvtres.exe
PID 1628 wrote to memory of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe
PID 1628 wrote to memory of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe
PID 1628 wrote to memory of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe
PID 1628 wrote to memory of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe
PID 1628 wrote to memory of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe
PID 1628 wrote to memory of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe
PID 1628 wrote to memory of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe
PID 1628 wrote to memory of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe
PID 1628 wrote to memory of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe
PID 1628 wrote to memory of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe
PID 1628 wrote to memory of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe
PID 1628 wrote to memory of 1008	1628	PAYMENT-PDF.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m41m4gli\m41m4gli.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84F9.tmp" "c:\Users\Admin\AppData\Local\Temp\m41m4gli\CSCA876AFE34D9649F5A6C13D5AA0647022.TMP"
    3⤵
    PID:1004
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES84F9.tmp

Filesize
1KB

MD5
ab67cbc69ccaaac0dab14ded9d0981f2

SHA1
77141a2a644648d72fc030b0f0e506c40e98bfee

SHA256
ff46e34979fc62a0337cdcdb8f1b708e5a720c0ca92d97ebddb3f8ec32fecd2a

SHA512
e83ec202ec803f63e07543bc00a0b83a52d6297330a5fae9952ed07f664ca2f34b1d34e847a61cd99be4079467f23a85a9eee968e054498b1c3fd3f1d5a5e7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\m41m4gli\m41m4gli.dll

Filesize
6KB

MD5
1f72617dbe538e85666706123ee61525

SHA1
309e21eef6817a1d8ab118d833b8742d25a998d7

SHA256
5265009a2f571188fd8b9767846a644e5b05b9374de9784a2be4a2ea78a98837

SHA512
2e996699110ef1eb383200d025d009fc73e24fc355ebe5e48b5927f0bc74a4eca958e2681de5b9a4cf00160bffe96cfc4550f61c1cf2dff8ed86ece9e2c68905

Download Submit
C:\Users\Admin\AppData\Local\Temp\m41m4gli\m41m4gli.pdb

Filesize
17KB

MD5
7e3f0fbacdcff8c12e5e3fd0eb6a45dd

SHA1
ea278a215b471664d6b3d6e0664827c01c1ace5b

SHA256
784b08a568c95520d79242501b705627106c5797b025e5bc45a88f2e276f543d

SHA512
21631535041f81eea51440becd64402e04886f9447f5615a4e537cf3d8b668cd9154a67e795c628668e6aefbea8f2f1b8d36ae2eca97a1c73819b222bd5c14f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m41m4gli\CSCA876AFE34D9649F5A6C13D5AA0647022.TMP

Filesize
1KB

MD5
c76ed21683e9f7b8813dca525aa296d0

SHA1
b5885f7ca63fac60e9d88b75484c555bdd82c92b

SHA256
69d5994aad16777b27c294c476914f8eb6309300d47da9aeba05603f24dee96b

SHA512
8ce26b1da43c5671190ecb78c83f278ea417266e3d2133de2771d549e9b00e27931d1b073ab78bbef2c80ecba7bc29a544da7ada8b854f69be3a50cc135856a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m41m4gli\m41m4gli.0.cs

Filesize
3KB

MD5
b6823d54afabf958afeefb18571df6e2

SHA1
9565aaf3eb244d657951d7a4f6bcdecf2b5bd2b4

SHA256
215489b46857eb0ffa39c0bc87f61944b6fb14d4fecc628db6e57d9e0eb27a10

SHA512
9b111ff86b7e36cc52750aad546e6c2c71e8ac90ae327880dc8666a749370312d1d2be34da3d24c5161a569c6452754248e3b8fbfecb2a25b9063237ac08c318

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m41m4gli\m41m4gli.cmdline

Filesize
312B

MD5
c35ee1f5969ecc6347619082d1bebf17

SHA1
2f7967539bc0ec20fe8ba68009f0e9053bfb3aef

SHA256
98b5f485da5239e8ac0428dd0a55875b22cf9ef22b77ad379bb534fad2efc0a7

SHA512
611c826818bcd7261bd43acb6777419faac47fbb02c8230a6111f7a1591e7553c9cb88c2ff888efff521165f58e19f226e7653eeeee00b427720d1d30b16c626

Download Submit
memory/1004-58-0x0000000000000000-mapping.dmp

Download
memory/1008-72-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1008-78-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1008-82-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-81-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-80-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-76-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1008-74-0x000000000048B1CE-mapping.dmp

Download
memory/1008-68-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1008-69-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1008-71-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1008-73-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1248-55-0x0000000000000000-mapping.dmp

Download
memory/1628-54-0x0000000000BE0000-0x0000000000C68000-memory.dmp

Filesize
544KB

Download
memory/1628-67-0x00000000050C0000-0x0000000005150000-memory.dmp

Filesize
576KB

Download
memory/1628-66-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1628-65-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/1628-64-0x0000000004FC0000-0x000000000505A000-memory.dmp

Filesize
616KB

Download
memory/1628-63-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing