hawkeye_reborn | 3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c

General

Target

3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe
Size

2.0MB
MD5

14dda2333c3be90b4c3f2c293e457f2f
SHA1

f70df421922df32f05c97e9607770c28b9451d39
SHA256

3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c
SHA512

d0e8936c776f2db3bc8448f95d8796d71dc3fe38179b40662ec42bd02a65e74f4dfc3991e17841b11d1396418030d560ffce172110884da54422884e82199947

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
smtp.potterames.top
Port:
587
Username:
meandcom@potterames.top
Password:
!~VzcqlwX}30

Mutex

8c9df064-622d-466d-8aff-2fe0cb1f96d5

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:!~VzcqlwX}30 _EmailPort:587 _EmailSSL:false _EmailServer:smtp.potterames.top _EmailUsername:meandcom@potterames.top _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:8c9df064-622d-466d-8aff-2fe0cb1f96d5 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 4 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/1160-57-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1160-62-0x000000000048B2FE-mapping.dmp	m00nd3v_logger
behavioral1/memory/1160-63-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1160-64-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1216-76-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1216-77-0x000000000044472E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1216-80-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1216-82-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1216-76-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1216-77-0x000000000044472E-mapping.dmp	Nirsoft
behavioral1/memory/1216-80-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1216-82-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cacls.url	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exeRegAsm.exe

description	pid	process	target process
PID 956 set thread context of 1160	956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe	RegAsm.exe
PID 1160 set thread context of 1216	1160	RegAsm.exe	vbc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe

pid	process
956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe
956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe
956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe

pid	process
956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe
956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe
956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exeRegAsm.exe

description	pid	process	target process
PID 956 wrote to memory of 1160	956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe	RegAsm.exe
PID 956 wrote to memory of 1160	956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe	RegAsm.exe
PID 956 wrote to memory of 1160	956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe	RegAsm.exe
PID 956 wrote to memory of 1160	956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe	RegAsm.exe
PID 956 wrote to memory of 1160	956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe	RegAsm.exe
PID 956 wrote to memory of 1160	956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe	RegAsm.exe
PID 956 wrote to memory of 1160	956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe	RegAsm.exe
PID 956 wrote to memory of 1160	956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe	RegAsm.exe
PID 956 wrote to memory of 1160	956	3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe	RegAsm.exe
PID 1160 wrote to memory of 1216	1160	RegAsm.exe	vbc.exe
PID 1160 wrote to memory of 1216	1160	RegAsm.exe	vbc.exe
PID 1160 wrote to memory of 1216	1160	RegAsm.exe	vbc.exe
PID 1160 wrote to memory of 1216	1160	RegAsm.exe	vbc.exe
PID 1160 wrote to memory of 1216	1160	RegAsm.exe	vbc.exe
PID 1160 wrote to memory of 1216	1160	RegAsm.exe	vbc.exe
PID 1160 wrote to memory of 1216	1160	RegAsm.exe	vbc.exe
PID 1160 wrote to memory of 1216	1160	RegAsm.exe	vbc.exe
PID 1160 wrote to memory of 1216	1160	RegAsm.exe	vbc.exe
PID 1160 wrote to memory of 1216	1160	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe
"C:\Users\Admin\AppData\Local\Temp\3b80fe1f81746eaaa3767f2cfaf18f829865912290279d68d7ac27400f60642c.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9168.tmp"
3⤵
PID:1216

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1160-55-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1160-57-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1160-62-0x000000000048B2FE-mapping.dmp

Download
memory/1160-63-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1160-64-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1160-66-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/1160-81-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/1216-68-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1216-70-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1216-72-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1216-74-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1216-76-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1216-77-0x000000000044472E-mapping.dmp

Download
memory/1216-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1216-67-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1216-82-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads