hawkeye_reborn | 51fef8e428e33333c31c9026232baa98efdc3a586c55c808859065a964b56c5d

General

Target

PAYMENT-PDF.exe
Size

518KB
MD5

d8b7335d7669b24ddb9b239953f0d7a7
SHA1

f119bea19f892adc161a0ebb15ffbcc8150cc3c5
SHA256

39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9
SHA512

96c2ef1da4c5c1f55c17cadd46959a0ec8c0d9ddc947ac2c5c85fb9a3910d76436079ce2ed739c4f27f5d54cd8d1776670aeea305061fc43a046c92ebfbe515e

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/4016-142-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

Processes:

PAYMENT-PDF.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVoSSi.url PAYMENT-PDF.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMENT-PDF.exe

description pid process target process

PID 4020 set thread context of 4016 4020 PAYMENT-PDF.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PAYMENT-PDF.exe

pid process

4020 PAYMENT-PDF.exe
4020 PAYMENT-PDF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PAYMENT-PDF.exe

description pid process

Token: SeDebugPrivilege 4020 PAYMENT-PDF.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVoSSi.url	PAYMENT-PDF.exe

flow	ioc
5	bot.whatismyipaddress.com

description	pid	process	target process
PID 4020 set thread context of 4016	4020	PAYMENT-PDF.exe	RegAsm.exe

pid	process
4020	PAYMENT-PDF.exe
4020	PAYMENT-PDF.exe

description	pid	process
Token: SeDebugPrivilege	4020	PAYMENT-PDF.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PAYMENT-PDF.execsc.exe

description	pid	process	target process
PID 4020 wrote to memory of 3828	4020	PAYMENT-PDF.exe	csc.exe
PID 4020 wrote to memory of 3828	4020	PAYMENT-PDF.exe	csc.exe
PID 4020 wrote to memory of 3828	4020	PAYMENT-PDF.exe	csc.exe
PID 3828 wrote to memory of 3116	3828	csc.exe	cvtres.exe
PID 3828 wrote to memory of 3116	3828	csc.exe	cvtres.exe
PID 3828 wrote to memory of 3116	3828	csc.exe	cvtres.exe
PID 4020 wrote to memory of 4016	4020	PAYMENT-PDF.exe	RegAsm.exe
PID 4020 wrote to memory of 4016	4020	PAYMENT-PDF.exe	RegAsm.exe
PID 4020 wrote to memory of 4016	4020	PAYMENT-PDF.exe	RegAsm.exe
PID 4020 wrote to memory of 4016	4020	PAYMENT-PDF.exe	RegAsm.exe
PID 4020 wrote to memory of 4016	4020	PAYMENT-PDF.exe	RegAsm.exe
PID 4020 wrote to memory of 4016	4020	PAYMENT-PDF.exe	RegAsm.exe
PID 4020 wrote to memory of 4016	4020	PAYMENT-PDF.exe	RegAsm.exe
PID 4020 wrote to memory of 4016	4020	PAYMENT-PDF.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pzmb0lyo\pzmb0lyo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF3B.tmp" "c:\Users\Admin\AppData\Local\Temp\pzmb0lyo\CSC5EAF8375EFA540ACA3AD4B19BF5A9E6.TMP"
    3⤵
    PID:3116
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:4016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCF3B.tmp

Filesize
1KB

MD5
246b000fc8323c33a104a613a5399d8a

SHA1
ee85ecb400e0e8d46fc7da012db06b3b9eb2e85b

SHA256
298178ed70685c427ba41888b533f78e9bd5a76a8b0eae0b9ec857fef1455618

SHA512
7c4cabf278761fbac7e63120fa0daf9bca7a6d0fd93723ad5f2474fa898e57b3637a1f6e17988b38f9688f9b31fede31662bc260b3fc2614c3b26107aadb4b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzmb0lyo\pzmb0lyo.dll

Filesize
6KB

MD5
0921fb8960d576b3ce3c68daeba8fbb4

SHA1
a0f6cb46c7a129fcdecfecd7402cbe4540d25ab4

SHA256
32fd870661c2ea8cd42e064c0efa595845b448a6e26b18ffed43499107d2d341

SHA512
e3b4b90aa0ae85a3c55604decb70ecee397e20ea2f8237df03ff898d3f74566587d804a5719c589dd0d8c0d06cea0e27f0496ebf22e3df4865137f817b437757

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzmb0lyo\pzmb0lyo.pdb

Filesize
17KB

MD5
7169c2f1e92927fa2a389cc12c631446

SHA1
b9ac020fbb1567a480e225392a13cfabbfd866d7

SHA256
50911478a82a430dc7adc8a1e214007bcfcecb865cbe47f8dc2d3d15d0d6e0c1

SHA512
43341ed39113220e43254ac2890196af15b79fcb2e1d87d8886e58b874e625ed3a3bef4bbdcc4839dc9a50f5cf655ea3853677522bc2df29e6ba2c90e819c982

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pzmb0lyo\CSC5EAF8375EFA540ACA3AD4B19BF5A9E6.TMP

Filesize
1KB

MD5
f9af8bbf7af657e28f034487d1e36c3d

SHA1
f4dfe8ff5e2d8fb75dafc3c7201564381bf62e28

SHA256
dffa696d78ee9a2fb4a941222bb2480deaeb19a7ee04e9da661edd5ecee4f1db

SHA512
6b0dc6e337fb48ce9792e926e870278f1fc9e36162d6b9fda40075c0bce4f8c708f7a8e543f9340d877861e770a83eca0e7343f6787dc0d54fb1d6ba82a375f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pzmb0lyo\pzmb0lyo.0.cs

Filesize
3KB

MD5
b6823d54afabf958afeefb18571df6e2

SHA1
9565aaf3eb244d657951d7a4f6bcdecf2b5bd2b4

SHA256
215489b46857eb0ffa39c0bc87f61944b6fb14d4fecc628db6e57d9e0eb27a10

SHA512
9b111ff86b7e36cc52750aad546e6c2c71e8ac90ae327880dc8666a749370312d1d2be34da3d24c5161a569c6452754248e3b8fbfecb2a25b9063237ac08c318

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pzmb0lyo\pzmb0lyo.cmdline

Filesize
312B

MD5
aeb38e72d918d4caf48a00ec00372299

SHA1
d05185b72cebb6a4620d04728bb3e9f0507e28e7

SHA256
18aaecd24af15b24a2757caccb84b7775acb74568555fad96f2b83c04c4e3f09

SHA512
66ce1356ea22438e1d57b75612a5790d2d2c41315ed559bb1358cf4bca8a9d83608194c9ee468510d0c99ba8cf651f8b14dd2a6ac7cf9b4452e01d20283a218f

Download Submit
memory/3116-134-0x0000000000000000-mapping.dmp

Download
memory/3828-131-0x0000000000000000-mapping.dmp

Download
memory/4016-141-0x0000000000000000-mapping.dmp

Download
memory/4016-142-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4016-143-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/4016-144-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/4016-145-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/4020-130-0x0000000000760000-0x00000000007E8000-memory.dmp

Filesize
544KB

Download
memory/4020-139-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/4020-140-0x0000000005920000-0x00000000059BC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing