hawkeye_reborn | aa5d080e0ab3b424762ccd490220dadaba4463515cf5f130c6fe4abf0d09c815

General

Target

garbage malware.exe
Size

649KB
MD5

7e8c50bb6ad871888f60ba46cbddf45c
SHA1

afe07371d9aaabd8cdc306a48d4e1130d618db27
SHA256

aa5d080e0ab3b424762ccd490220dadaba4463515cf5f130c6fe4abf0d09c815
SHA512

1e72743fefe79238c7a71dfac221bbe4ccc6f264741c71a66288115a7e2ceef77903a7d4576785532172945f0f99a5687dfa263e3c293e964291ef76a8233a9a
SSDEEP

12288:2Y/26qvXwqXixrymROIzM3FR31t1/v8zldTMfZLPA963UjYWYZ3LdbJXfsfX:n/A7ixrzRq37D1/EldKPKjjYWYhd16

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
mail.seaposvcs.com
Port:
587
Username:
[email protected]
Password:
o#EXCLP[T8#f+eBLWz

Mutex

e6980329-7cdc-40ed-9d60-b77292813771

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:o#EXCLP[T8#f+eBLWz _EmailPort:587 _EmailSSL:true _EmailServer:mail.seaposvcs.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:30 _MeltFile:false _Mutex:e6980329-7cdc-40ed-9d60-b77292813771 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\AY0j6Pw9nxAviK2S\\OdnAtH34M8gy.exe\",explorer.exe"	garbage malware.exe

M00nD3v Logger payload 5 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/2600-16-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2600-14-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2600-12-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2600-9-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2600-8-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2276-36-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2276-34-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2276-37-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2276-40-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 4 IoCs

resource	yara_rule
behavioral1/memory/2276-36-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2276-34-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2276-37-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2276-40-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 2600	2416	garbage malware.exe	28
PID 2600 set thread context of 2276	2600	garbage malware.exe	30

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2416	garbage malware.exe
2276	vbc.exe
2276	vbc.exe
2276	vbc.exe
2276	vbc.exe
2276	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	garbage malware.exe
Token: SeDebugPrivilege	2416	garbage malware.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2600	2416	garbage malware.exe	28
PID 2416 wrote to memory of 2600	2416	garbage malware.exe	28
PID 2416 wrote to memory of 2600	2416	garbage malware.exe	28
PID 2416 wrote to memory of 2600	2416	garbage malware.exe	28
PID 2416 wrote to memory of 2600	2416	garbage malware.exe	28
PID 2416 wrote to memory of 2600	2416	garbage malware.exe	28
PID 2416 wrote to memory of 2600	2416	garbage malware.exe	28
PID 2416 wrote to memory of 2600	2416	garbage malware.exe	28
PID 2416 wrote to memory of 2600	2416	garbage malware.exe	28
PID 2600 wrote to memory of 2276	2600	garbage malware.exe	30
PID 2600 wrote to memory of 2276	2600	garbage malware.exe	30
PID 2600 wrote to memory of 2276	2600	garbage malware.exe	30
PID 2600 wrote to memory of 2276	2600	garbage malware.exe	30
PID 2600 wrote to memory of 2276	2600	garbage malware.exe	30
PID 2600 wrote to memory of 2276	2600	garbage malware.exe	30
PID 2600 wrote to memory of 2276	2600	garbage malware.exe	30
PID 2600 wrote to memory of 2276	2600	garbage malware.exe	30
PID 2600 wrote to memory of 2276	2600	garbage malware.exe	30
PID 2600 wrote to memory of 2276	2600	garbage malware.exe	30

C:\Users\Admin\AppData\Local\Temp\garbage malware.exe
"C:\Users\Admin\AppData\Local\Temp\garbage malware.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\garbage malware.exe
  "C:\Users\Admin\AppData\Local\Temp\garbage malware.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp584D.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp584D.tmp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Desktop\RegisterTrace.xsl

Filesize
223KB

MD5
1552f2bccabd824f530d803573767464

SHA1
494ab99ac4280d6a709d08460da6586258ae55e1

SHA256
193bf7e29c5d70b1c631a7bbf5c2f4fdb4ca0b5476b13eeb4d31683358ee3104

SHA512
840da0a8385d2807fe0ae928b364d990250d4e9e8c2349e4e52b4e926b25a210e24e15bbe6d6ab65e6c7a634419ad2a1ca00556d02956268157833f6d185f901

Download Submit
C:\Users\Admin\Desktop\RenameDeny.mpe

Filesize
169KB

MD5
1a30fbcbd03afab4889e813522149e72

SHA1
9c21cde1267f7e416f7fc70725ef3beb641ae216

SHA256
b399ffb1cc427da3c3ee67d718cb2f03073025199496cb01d78e315c11d762de

SHA512
a0be8160602716c6560757e235712436b11d2e3c1a47d089552535fe0ceaae1fac1135cfac951340919918eec0e2a50e0f557a9a437795006aec02e8067debf9

Download Submit
C:\Users\Admin\Desktop\RenameRevoke.3gpp

Filesize
413KB

MD5
3d234ce479470ed73e4e55bbf45ca82b

SHA1
efd5f6e474dd3424d9637919d29f799914b66b77

SHA256
6e3746ac5f438d2f38c31e16936f2b7f2250bfec61be71b5a437b26d73daba6b

SHA512
a08b99eaf62e8462f30067942a0b7077e73b630ba2b6ad39c50f70c3eed8a6c73ab0698aa72f6804ef13ed3c82309c28d599ba9c3f4e23668ca4d68d6094158f

Download Submit
C:\Users\Admin\Desktop\ResetRestore.png

Filesize
399KB

MD5
57c83aa1d772fd93c7bf8dbfe0ec37fc

SHA1
31936909b060e301d0e301df49ad831448cfa7b1

SHA256
be999ec6c178fc9ba5c6c685826fb1a5b5888be40d13b3c2a3f596124a982021

SHA512
5f2fbd602e0a2b1812432168ec4cdc63ae920324c2a1780116f2bd935ea512ee078f4c252313eae445b8b5a4a457b3f512b4aa300890455eb38fa906ae24f8f8

Download Submit
C:\Users\Admin\Desktop\StepSuspend.otf

Filesize
182KB

MD5
0e150db5ea7bca887a040e71306acc05

SHA1
b178b02b4bf710230d48e648a43e5457976343b1

SHA256
f60701dfd79f14d91253db6fa60d56ece3dbba237e3e794e9f04d2d2d59070e2

SHA512
a85517c006dd5e945905dfac499539e1a83772f4d2685978895c1a7c6702dea30602da5d5e696ace5ec00ee467a87bc2a019e02512336db4cf4283b61043d653

Download Submit
C:\Users\Admin\Desktop\SwitchUnprotect.htm

Filesize
372KB

MD5
420e6bf670eae895a3f43f1070e1eb76

SHA1
6b32582ac7ff598a461966104581ee9bd35dcc2d

SHA256
24f1f5ad5c5a74cc34571bf043edf0810266233f88396cc465e550fbd519ea11

SHA512
b54cac0c5a2a21fc78501c6aac072861e3fcdec237c60a37cc35316cdfe0bdc9146b72253593617e9095c798e77a9b3f5e75613201673b996ba1eafb86e55abe

Download Submit
C:\Users\Admin\Desktop\UseBlock.vb

Filesize
304KB

MD5
30e0ae793fd7434e35face231fddbc33

SHA1
9e15a50612ac9aeb2a6614aef5675a353b3ffc57

SHA256
42a8a0f95b33fba4963faa3910de0ae6ae23f99d25ce5d5812d2525f9d7a02e8

SHA512
ac6dfa11d35f61c26a424ddaf51b09c258210067bf8c37317bf649488efa535f35c94dc6efe246e909c222a287b0ec31bf4cd8e6b06184e3187d69c30227bef6

Download Submit
memory/2276-34-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-37-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-28-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-36-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-30-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-42-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2416-1-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2416-2-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2416-0-0x0000000074421000-0x0000000074422000-memory.dmp

Filesize
4KB

Download
memory/2600-43-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-8-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2600-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-7-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2600-9-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2600-18-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2600-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2600-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2600-5-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2600-20-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-19-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads