hawkeye_reborn | 56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203

General

Target

56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe
Size

784KB
MD5

54464655fb5ff2c0ef68221ae9d33d03
SHA1

60033388221f7af6b147b800452de5bc4ebd27db
SHA256

56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203
SHA512

108ad5c0b7f8e2f6edce46d1661a1646a38e014c40964d7e2b9c465129a686b15e3ca51bff85f3f067d37b38f610e313e30ca3d569fa502545e727937f1ca220

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
kalyacourtshotel.com
Port:
587
Username:
bookings@kalyacourtshotel.com
Password:
123@bookings

Mutex

1ecdf2b5-cbf1-4b8d-ab2b-c4323d1e4ceb

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:123@bookings _EmailPort:587 _EmailSSL:true _EmailServer:kalyacourtshotel.com _EmailUsername:bookings@kalyacourtshotel.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:1ecdf2b5-cbf1-4b8d-ab2b-c4323d1e4ceb _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/848-62-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/848-63-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/848-64-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/848-65-0x000000000048B2FE-mapping.dmp	m00nd3v_logger
behavioral1/memory/848-68-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/848-70-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1468-83-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1468-84-0x000000000044472E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1468-87-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1468-88-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1468-90-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1468-83-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1468-84-0x000000000044472E-mapping.dmp	Nirsoft
behavioral1/memory/1468-87-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1468-88-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1468-90-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exeRegAsm.exe

description	pid	process	target process
PID 1624 set thread context of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 848 set thread context of 1468	848	RegAsm.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe

description	ioc	process
File opened for modification	C:\Windows\debug\WIA\eGfjPrL.exe	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

988 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exevbc.exe

pid process

1624 56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe
1468 vbc.exe
1468 vbc.exe
1468 vbc.exe
1468 vbc.exe
1468 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe

description pid process

Token: SeDebugPrivilege 1624 56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe

pid	process
988	schtasks.exe

pid	process
1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe
1468	vbc.exe
1468	vbc.exe
1468	vbc.exe
1468	vbc.exe
1468	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exeRegAsm.exe

description	pid	process	target process
PID 1624 wrote to memory of 988	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	schtasks.exe
PID 1624 wrote to memory of 988	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	schtasks.exe
PID 1624 wrote to memory of 988	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	schtasks.exe
PID 1624 wrote to memory of 988	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	schtasks.exe
PID 1624 wrote to memory of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 1624 wrote to memory of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 1624 wrote to memory of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 1624 wrote to memory of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 1624 wrote to memory of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 1624 wrote to memory of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 1624 wrote to memory of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 1624 wrote to memory of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 1624 wrote to memory of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 1624 wrote to memory of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 1624 wrote to memory of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 1624 wrote to memory of 848	1624	56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe	RegAsm.exe
PID 848 wrote to memory of 1468	848	RegAsm.exe	vbc.exe
PID 848 wrote to memory of 1468	848	RegAsm.exe	vbc.exe
PID 848 wrote to memory of 1468	848	RegAsm.exe	vbc.exe
PID 848 wrote to memory of 1468	848	RegAsm.exe	vbc.exe
PID 848 wrote to memory of 1468	848	RegAsm.exe	vbc.exe
PID 848 wrote to memory of 1468	848	RegAsm.exe	vbc.exe
PID 848 wrote to memory of 1468	848	RegAsm.exe	vbc.exe
PID 848 wrote to memory of 1468	848	RegAsm.exe	vbc.exe
PID 848 wrote to memory of 1468	848	RegAsm.exe	vbc.exe
PID 848 wrote to memory of 1468	848	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe
"C:\Users\Admin\AppData\Local\Temp\56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eGfjPrL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC939.tmp"
2⤵
- Creates scheduled task(s)
PID:988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFD63.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1468

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC939.tmp
Filesize
1KB

MD5
4117aedf8bbde5de32386b0d4643d726

SHA1
04a72a9dd54ad06a2bf55f56dc0b3f10cb0e9c61

SHA256
f3a12bd2392f5b443e4090dd4690917e3ee78333fd12c706b1d222e0e1e85b5c

SHA512
8ad2a820be477e311b2a54d79656be60e84c83d0c48b8b706dbece97ca7b1b18a255126e9afee8793d22728d8bcf9f2acc518d9b38db28547f72c64eca706e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD63.tmp
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/848-72-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/848-59-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/848-73-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/848-89-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/848-60-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/848-62-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/848-63-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/848-64-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/848-65-0x000000000048B2FE-mapping.dmp

Download
memory/848-68-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/848-70-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/988-57-0x0000000000000000-mapping.dmp

Download
memory/1468-83-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-88-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-90-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-75-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-77-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-79-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-81-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-74-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-84-0x000000000044472E-mapping.dmp

Download
memory/1468-87-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1624-56-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/1624-67-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/1624-55-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/1624-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads