hawkeye_reborn | 935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6

General

Target

935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe
Size

1.3MB
MD5

8d7d98b20d9f22ac14496573012fffcd
SHA1

2a21f6a3a8c2d4b23b0e8031cfd874cb88f24fb6
SHA256

935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6
SHA512

6dfad14b5aed9e78daaa50fdb5db44c09f95d5bb69bdff7ed2f21967577baf2c2b3bbbdf27f6489740184f0d6863d50138befe4e0f38ad668a1cbd96ce5d6367

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
$NA.j!!5!u:2m

Mutex

b8cbadcd-ebcd-4fec-9141-ac8d1fd28f4f

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:$NA.j!!5!u:2m _EmailPort:587 _EmailSSL:true _EmailServer:mail.privateemail.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:b8cbadcd-ebcd-4fec-9141-ac8d1fd28f4f _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/3952-137-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/416-149-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/416-151-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/416-152-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4428-142-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4428-144-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4428-145-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4428-146-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4428-142-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4428-144-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4428-145-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4428-146-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/416-149-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/416-151-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/416-152-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exeRegAsm.exe

description	pid	process	target process
PID 60 set thread context of 3952	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe	RegAsm.exe
PID 3952 set thread context of 4428	3952	RegAsm.exe	vbc.exe
PID 3952 set thread context of 416	3952	RegAsm.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3708 schtasks.exe

pid	process
3708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exevbc.exe

pid	process
60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe
60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe
4428	vbc.exe
4428	vbc.exe
4428	vbc.exe
4428	vbc.exe
4428	vbc.exe
4428	vbc.exe
4428	vbc.exe
4428	vbc.exe
4428	vbc.exe
4428	vbc.exe
4428	vbc.exe
4428	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe

description pid process

Token: SeDebugPrivilege 60 935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe

description	pid	process
Token: SeDebugPrivilege	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exeRegAsm.exe

description	pid	process	target process
PID 60 wrote to memory of 3708	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe	schtasks.exe
PID 60 wrote to memory of 3708	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe	schtasks.exe
PID 60 wrote to memory of 3708	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe	schtasks.exe
PID 60 wrote to memory of 3952	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe	RegAsm.exe
PID 60 wrote to memory of 3952	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe	RegAsm.exe
PID 60 wrote to memory of 3952	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe	RegAsm.exe
PID 60 wrote to memory of 3952	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe	RegAsm.exe
PID 60 wrote to memory of 3952	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe	RegAsm.exe
PID 60 wrote to memory of 3952	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe	RegAsm.exe
PID 60 wrote to memory of 3952	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe	RegAsm.exe
PID 60 wrote to memory of 3952	60	935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe	RegAsm.exe
PID 3952 wrote to memory of 4428	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 4428	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 4428	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 4428	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 4428	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 4428	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 4428	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 4428	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 4428	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 416	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 416	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 416	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 416	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 416	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 416	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 416	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 416	3952	RegAsm.exe	vbc.exe
PID 3952 wrote to memory of 416	3952	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe
"C:\Users\Admin\AppData\Local\Temp\935d4cf497a710348f45d4b42fb9278648368a6e24073c7e0e451de07880dad6.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yvdlakHzTGlY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp"
2⤵
- Creates scheduled task(s)
PID:3708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEF0E.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF75C.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp
Filesize
1KB

MD5
e4404d627e75abc6bd22f969b4df05ec

SHA1
5151bbc839991c585e522651717d9561c656b940

SHA256
da67d31000b58cf8bb8474079e45089c0442c7e24cbd9667a947cd1c4373878b

SHA512
ada645dcb2761ee3429a73db6285b62e058a5b2ceacab45941e080b0424a06987719dfada249c32af43d469965c6aac395c7fd101af4beeffb3fdf5586b6d125

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF0E.tmp
Filesize
4KB

MD5
508d12363b937319e4dbfc174a10ecba

SHA1
edb7ae72b83074621bc83e12d79e6ec91b28952e

SHA256
2e4b211b03ba5a4b727a3bdeb55afc31be43ca8605fe7189fb755befa4f4e061

SHA512
384f33d45223f2428c80e465ecae7e15a0dc348d2421d4ede7e01e77358e8e6eadcb8002227b9577c2ee1071199267c21a5e35554fc773d4d9f583bff0265e15

Download Submit
memory/60-133-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/60-139-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/60-132-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/416-152-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/416-151-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/416-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/416-148-0x0000000000000000-mapping.dmp

Download
memory/3708-134-0x0000000000000000-mapping.dmp

Download
memory/3952-140-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/3952-138-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/3952-137-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3952-136-0x0000000000000000-mapping.dmp

Download
memory/4428-144-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4428-145-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4428-146-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4428-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4428-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads