hawkeye_reborn | fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6

General

Target

fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe
Size

2.0MB
MD5

83aebff419895e406911862d5ee7a029
SHA1

2d5545557538754a98258dc4cbf6af55fb065808
SHA256

fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6
SHA512

ff3817928467ebad1821fad2d319d22a374863a0c3bbb70a5e2babf9256968fb427f9f7455f85dd506d3ac260eaa2ce177cdd64f998fabc40dbb57e6b8a7a1fa

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: ftp
Host:
ftp.sventiskai.lt
Port:
21
Username:
admin@sventiskai.lt
Password:
bathram0123

Mutex

5c11938b-5cda-4e44-b703-c5960eef7ac8

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:bathram0123 _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.sventiskai.lt _FTPUsername:admin@sventiskai.lt _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:43800 _MeltFile:false _Mutex:5c11938b-5cda-4e44-b703-c5960eef7ac8 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/1500-134-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4652-145-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4652-147-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4652-148-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4564-138-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4564-140-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4564-141-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4564-142-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4564-138-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4564-140-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4564-141-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4564-142-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4652-145-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4652-147-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4652-148-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 bot.whatismyipaddress.com

flow	ioc
30	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exeRegAsm.exe

description	pid	process	target process
PID 4704 set thread context of 1500	4704	fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe	RegAsm.exe
PID 1500 set thread context of 4564	1500	RegAsm.exe	vbc.exe
PID 1500 set thread context of 4652	1500	RegAsm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exevbc.exe

pid	process
4704	fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe
4704	fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe
4564	vbc.exe
4564	vbc.exe
4564	vbc.exe
4564	vbc.exe
4564	vbc.exe
4564	vbc.exe
4564	vbc.exe
4564	vbc.exe
4564	vbc.exe
4564	vbc.exe
4564	vbc.exe
4564	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe

description pid process

Token: SeDebugPrivilege 4704 fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe

description	pid	process
Token: SeDebugPrivilege	4704	fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exeRegAsm.exe

description	pid	process	target process
PID 4704 wrote to memory of 1500	4704	fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe	RegAsm.exe
PID 4704 wrote to memory of 1500	4704	fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe	RegAsm.exe
PID 4704 wrote to memory of 1500	4704	fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe	RegAsm.exe
PID 4704 wrote to memory of 1500	4704	fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe	RegAsm.exe
PID 4704 wrote to memory of 1500	4704	fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe	RegAsm.exe
PID 4704 wrote to memory of 1500	4704	fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe	RegAsm.exe
PID 4704 wrote to memory of 1500	4704	fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe	RegAsm.exe
PID 4704 wrote to memory of 1500	4704	fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe	RegAsm.exe
PID 1500 wrote to memory of 4564	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4564	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4564	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4564	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4564	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4564	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4564	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4564	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4564	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4652	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4652	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4652	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4652	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4652	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4652	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4652	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4652	1500	RegAsm.exe	vbc.exe
PID 1500 wrote to memory of 4652	1500	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe
"C:\Users\Admin\AppData\Local\Temp\fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF801.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFC28.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF801.tmp
Filesize
4KB

MD5
a64ef19cb7924d0ef7b27699e0237041

SHA1
b6392aa8451f0721fcadff793808f8630182e66e

SHA256
66635dcdbf3439d7e09ac3f043c0ff6792f1ec281070fea4618d9b5fb287cb56

SHA512
66f6ae0b27227cfaf57a28e8f592a899375f763d0dc1e4f0199444b52e026f04243761bb20af127a7815a5c59db3c9fe1c1ff2a3ef069b8eccff3eef68da284b

Download Submit
memory/1500-134-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1500-136-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1500-133-0x0000000000000000-mapping.dmp

Download
memory/1500-135-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-137-0x0000000000000000-mapping.dmp

Download
memory/4564-140-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4564-138-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4564-141-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4564-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4652-144-0x0000000000000000-mapping.dmp

Download
memory/4652-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4652-147-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4652-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4704-132-0x00000000057B0000-0x000000000584C000-memory.dmp

Filesize
624KB

Download
memory/4704-130-0x0000000000A10000-0x0000000000C12000-memory.dmp

Filesize
2.0MB

Download
memory/4704-131-0x0000000005A00000-0x0000000005F2C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads