hawkeye_reborn | 567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a

General

Target

567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
Size

1.1MB
MD5

bc50a53d9a77b3eb7df4a2f1ce3b8acd
SHA1

8f482f408a9d4ea1bb52c18210cc3213e56af21f
SHA256

567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a
SHA512

59388652a5546680fb0c9f3ca41254fb1d71aefbbed1548114077eee797ace783321316965120216108f80d0f07fd536bf55af4f9f62c0a639460ee3d2c0cbe1

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 5 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/1700-64-0x000000000048B1CE-mapping.dmp	m00nd3v_logger
behavioral1/memory/1700-65-0x0000000000080000-0x0000000000110000-memory.dmp	m00nd3v_logger
behavioral1/memory/1700-66-0x0000000000080000-0x0000000000110000-memory.dmp	m00nd3v_logger
behavioral1/memory/1700-70-0x0000000000080000-0x0000000000110000-memory.dmp	m00nd3v_logger
behavioral1/memory/1700-73-0x0000000000080000-0x0000000000110000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1700-74-0x0000000000F00000-0x0000000000F76000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1700-74-0x0000000000F00000-0x0000000000F76000-memory.dmp	WebBrowserPassView
behavioral1/memory/1664-87-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1664-88-0x000000000044472E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1664-91-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1664-93-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1664-94-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1700-74-0x0000000000F00000-0x0000000000F76000-memory.dmp	Nirsoft
behavioral1/memory/1664-87-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1664-88-0x000000000044472E-mapping.dmp	Nirsoft
behavioral1/memory/1664-91-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1664-93-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1664-94-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

BuildAT.exe

pid process

932 BuildAT.exe
Loads dropped DLL 1 IoCs

Processes:

567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe

pid process

1108 567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 checkip.dyndns.org

pid	process
932	BuildAT.exe

pid	process
1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe

flow	ioc
3	checkip.dyndns.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe

description	pid	process	target process
PID 1108 set thread context of 1700	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
PID 1700 set thread context of 1664	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1376 taskkill.exe

pid	process
1376	taskkill.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exevbc.exe

pid	process
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
1664	vbc.exe
1664	vbc.exe
1664	vbc.exe
1664	vbc.exe
1664	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exeBuildAT.exe567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe

description	pid	process
Token: SeDebugPrivilege	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
Token: SeDebugPrivilege	932	BuildAT.exe
Token: SeDebugPrivilege	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe

description	pid	process	target process
PID 1108 wrote to memory of 932	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	BuildAT.exe
PID 1108 wrote to memory of 932	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	BuildAT.exe
PID 1108 wrote to memory of 932	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	BuildAT.exe
PID 1108 wrote to memory of 932	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	BuildAT.exe
PID 1108 wrote to memory of 1700	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
PID 1108 wrote to memory of 1700	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
PID 1108 wrote to memory of 1700	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
PID 1108 wrote to memory of 1700	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
PID 1108 wrote to memory of 1700	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
PID 1108 wrote to memory of 1700	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
PID 1108 wrote to memory of 1700	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
PID 1108 wrote to memory of 1700	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
PID 1108 wrote to memory of 1700	1108	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
PID 1700 wrote to memory of 1912	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	cmd.exe
PID 1700 wrote to memory of 1912	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	cmd.exe
PID 1700 wrote to memory of 1912	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	cmd.exe
PID 1700 wrote to memory of 1912	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	cmd.exe
PID 1700 wrote to memory of 1984	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	cmd.exe
PID 1700 wrote to memory of 1984	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	cmd.exe
PID 1700 wrote to memory of 1984	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	cmd.exe
PID 1700 wrote to memory of 1984	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	cmd.exe
PID 1700 wrote to memory of 1664	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	vbc.exe
PID 1700 wrote to memory of 1664	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	vbc.exe
PID 1700 wrote to memory of 1664	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	vbc.exe
PID 1700 wrote to memory of 1664	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	vbc.exe
PID 1700 wrote to memory of 1664	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	vbc.exe
PID 1700 wrote to memory of 1664	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	vbc.exe
PID 1700 wrote to memory of 1664	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	vbc.exe
PID 1700 wrote to memory of 1664	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	vbc.exe
PID 1700 wrote to memory of 1664	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	vbc.exe
PID 1700 wrote to memory of 1664	1700	567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
"C:\Users\Admin\AppData\Local\Temp\567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Roaming\BuildAT.exe
"C:\Users\Admin\AppData\Roaming\BuildAT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Users\Admin\AppData\Local\Temp\567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe
"C:\Users\Admin\AppData\Local\Temp\567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM wscript.exe
3⤵
PID:1912

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM wscript.exe
4⤵
- Kills process with taskkill
PID:1376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM cmd.exe
3⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF20D.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF20D.tmp
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\BuildAT.exe
Filesize
203KB

MD5
95fd03119642748d5fc74f0b2846c956

SHA1
e9053f6db4e0886b2c5cc353c135e441c248245e

SHA256
07aad7d157bc3cfe3ca4fa90816ba0689b365d1d6dff65df2a20dd5ea8b7fe36

SHA512
7af3a975e9e6a3dcadf050684236a5f9b17f6ad184d30927d1517cc4caeb074acb41821b98ff570e2c7a5d81b85b24c58335009cbd5d218029efc1f1d7e88e2d

Download Submit
C:\Users\Admin\AppData\Roaming\BuildAT.exe
Filesize
203KB

MD5
95fd03119642748d5fc74f0b2846c956

SHA1
e9053f6db4e0886b2c5cc353c135e441c248245e

SHA256
07aad7d157bc3cfe3ca4fa90816ba0689b365d1d6dff65df2a20dd5ea8b7fe36

SHA512
7af3a975e9e6a3dcadf050684236a5f9b17f6ad184d30927d1517cc4caeb074acb41821b98ff570e2c7a5d81b85b24c58335009cbd5d218029efc1f1d7e88e2d

Download Submit
\Users\Admin\AppData\Roaming\BuildAT.exe
Filesize
203KB

MD5
95fd03119642748d5fc74f0b2846c956

SHA1
e9053f6db4e0886b2c5cc353c135e441c248245e

SHA256
07aad7d157bc3cfe3ca4fa90816ba0689b365d1d6dff65df2a20dd5ea8b7fe36

SHA512
7af3a975e9e6a3dcadf050684236a5f9b17f6ad184d30927d1517cc4caeb074acb41821b98ff570e2c7a5d81b85b24c58335009cbd5d218029efc1f1d7e88e2d

Download Submit
memory/932-58-0x0000000000000000-mapping.dmp

Download
memory/932-61-0x0000000000CD0000-0x0000000000D0A000-memory.dmp

Filesize
232KB

Download
memory/1108-54-0x0000000001350000-0x000000000146C000-memory.dmp

Filesize
1.1MB

Download
memory/1108-55-0x0000000000460000-0x0000000000482000-memory.dmp

Filesize
136KB

Download
memory/1108-56-0x00000000762A1000-0x00000000762A3000-memory.dmp

Filesize
8KB

Download
memory/1664-87-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1664-88-0x000000000044472E-mapping.dmp

Download
memory/1664-94-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1664-93-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1664-91-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1664-85-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1664-83-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1664-78-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1664-79-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1664-81-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1700-65-0x0000000000080000-0x0000000000110000-memory.dmp

Filesize
576KB

Download
memory/1700-66-0x0000000000080000-0x0000000000110000-memory.dmp

Filesize
576KB

Download
memory/1700-74-0x0000000000F00000-0x0000000000F76000-memory.dmp

Filesize
472KB

Download
memory/1700-92-0x00000000005F5000-0x0000000000606000-memory.dmp

Filesize
68KB

Download
memory/1700-73-0x0000000000080000-0x0000000000110000-memory.dmp

Filesize
576KB

Download
memory/1700-70-0x0000000000080000-0x0000000000110000-memory.dmp

Filesize
576KB

Download
memory/1700-64-0x000000000048B1CE-mapping.dmp

Download
memory/1912-76-0x0000000000000000-mapping.dmp

Download
memory/1984-77-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads