hawkeye_reborn | bc8916502006c13655027769ce62225fbf4e9e4380ac4c2aaf7892d45e058d4a

General

Target

Documents98376532453.exe
Size

951KB
MD5

0bf39869b08ade7c8ed45ff5a26f70c4
SHA1

09ba2e264420ccd1cb0aae13501a7329c3493f54
SHA256

a9b7dbcbe943925db368bcc5c700d3f77dde99190780b94dc9f1439fe17a4bba
SHA512

4e17bfb64903b993f5aaa83ae844611566394a71596133d187ed2d38802b0c2d18781bbd6610f6628265ccc89fb1f4f69bae2a321048c38b104c1bab30259658
SSDEEP

24576:/lozTZfU0l3vcCbatx3vi9uPnl2NSBSynBG1ST:/lGzaT/iI4SBSynBV

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/2488-23-0x00000000053A0000-0x0000000005430000-memory.dmp	m00nd3v_logger
behavioral1/memory/2536-32-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2536-28-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2536-36-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2536-34-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2536-26-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1296-66-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/1296-67-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/1296-69-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2364-50-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2364-51-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2364-53-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2364-50-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2364-51-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2364-53-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1296-66-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/1296-67-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/1296-69-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

Documents98376532453.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EyXKWK.url Documents98376532453.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EyXKWK.url	Documents98376532453.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Documents98376532453.exeRegAsm.exe

description	pid	process	target process
PID 2488 set thread context of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2536 set thread context of 2364	2536	RegAsm.exe	vbc.exe
PID 2536 set thread context of 1296	2536	RegAsm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Documents98376532453.exevbc.exeRegAsm.exe

pid process

2488 Documents98376532453.exe
2488 Documents98376532453.exe
2364 vbc.exe
2364 vbc.exe
2364 vbc.exe
2364 vbc.exe
2364 vbc.exe
2536 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Documents98376532453.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2488 Documents98376532453.exe
Token: SeDebugPrivilege 2536 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2536 RegAsm.exe

pid	process
2488	Documents98376532453.exe
2488	Documents98376532453.exe
2364	vbc.exe
2364	vbc.exe
2364	vbc.exe
2364	vbc.exe
2364	vbc.exe
2536	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2488	Documents98376532453.exe
Token: SeDebugPrivilege	2536	RegAsm.exe

pid	process
2536	RegAsm.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Documents98376532453.execsc.exeRegAsm.exe

description	pid	process	target process
PID 2488 wrote to memory of 2724	2488	Documents98376532453.exe	csc.exe
PID 2488 wrote to memory of 2724	2488	Documents98376532453.exe	csc.exe
PID 2488 wrote to memory of 2724	2488	Documents98376532453.exe	csc.exe
PID 2488 wrote to memory of 2724	2488	Documents98376532453.exe	csc.exe
PID 2724 wrote to memory of 2532	2724	csc.exe	cvtres.exe
PID 2724 wrote to memory of 2532	2724	csc.exe	cvtres.exe
PID 2724 wrote to memory of 2532	2724	csc.exe	cvtres.exe
PID 2724 wrote to memory of 2532	2724	csc.exe	cvtres.exe
PID 2488 wrote to memory of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2488 wrote to memory of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2488 wrote to memory of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2488 wrote to memory of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2488 wrote to memory of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2488 wrote to memory of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2488 wrote to memory of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2488 wrote to memory of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2488 wrote to memory of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2488 wrote to memory of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2488 wrote to memory of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2488 wrote to memory of 2536	2488	Documents98376532453.exe	RegAsm.exe
PID 2536 wrote to memory of 2364	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2364	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2364	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2364	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2364	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2364	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2364	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2364	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2364	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2364	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 1296	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 1296	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 1296	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 1296	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 1296	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 1296	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 1296	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 1296	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 1296	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 1296	2536	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Documents98376532453.exe
"C:\Users\Admin\AppData\Local\Temp\Documents98376532453.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owjvpf5s\owjvpf5s.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C38.tmp" "c:\Users\Admin\AppData\Local\Temp\owjvpf5s\CSC951A3B3E49264B8D96FBC879F73E4656.TMP"
    3⤵
    PID:2532
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp474D.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2364
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp38FC.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1C38.tmp

Filesize
1KB

MD5
95b290f377fbd15b57a0fb373edaf01e

SHA1
ccbbdc3e1b7982a536fdd5073d49b0b9bc6644f5

SHA256
79810ae8266c16501567c69130b75af783aca98b2040e82ca36a0cf9e5927b68

SHA512
1e69e91da9d99a6f4efbef03df33a9d05b54cce39111d7b9cd200674194e0fcb4075546df418db37331160bef3efdf6d4dfd5d91571976e39116769191f2de1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\owjvpf5s\owjvpf5s.dll

Filesize
25KB

MD5
b9b1e8e15955cd656a2183db67d65c5c

SHA1
6bf78e9f2ea511a26859ea3f9e4a9bd7b51f404d

SHA256
2e8fd4b03fdd78be7411e33107a7c00d976d78bb25f61340535ebd09bfcb9a79

SHA512
c54f6e3e0de85aacaa871b68a2cebebe7501887ed23f4499d793e4bca551800ab5137b439c5edc9c6ab41bad085b93d5a1ff68ba102b998d8db737169a60b67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\owjvpf5s\owjvpf5s.pdb

Filesize
83KB

MD5
528478490ace592dcf9ee8a5b197cefd

SHA1
232197d3c77519a7580b0775c90c9cb1408fba82

SHA256
58dcef84a295284f43753b07149510bdf1074a9ce2054828dd5a7c7882079f72

SHA512
f7ce0d2138f13ad1f23bb7f29a4f766b4e31be57528a770b995cc1ec3e0388f50a67e48cd57ce239a690c2073fee8fa8821c7feccbba4f21da01219cf79386d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp474D.tmp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\owjvpf5s\CSC951A3B3E49264B8D96FBC879F73E4656.TMP

Filesize
1KB

MD5
c4439214ce21963a245260edb33991c1

SHA1
1043679f5aeff8dc3679840102bf1568844127c3

SHA256
0a785eb018dc9485154871f1b68fc983e40f23fb78e32a9ae4e33f65be3f6eae

SHA512
f69cb80e8cc51f86e86f0162b9039d5ff3d89d7c54e319a57e9450a05bc2e6edabafbabcc7eb7b5bd9274205e193a2ccb6267a11d088a8136006f781e8192b3d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\owjvpf5s\owjvpf5s.0.cs

Filesize
63KB

MD5
db8db79a3b3807a4539ffdd44b3e030b

SHA1
6aa911e5e19e0286586186068efe2099ccea2d06

SHA256
84c25a6d9142065a80e4f4f01b6a5ee06eac1f2ef1f87806bf291e42099b1fc1

SHA512
1cb1f9ac55984b775fb79911493f34c71b7c0038dd32d468f17bc93b5d9a76f4185ff74b84fc5906311f4a9525390be03a7d5d3fe5f4c8eb06eb12c193e2b114

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\owjvpf5s\owjvpf5s.cmdline

Filesize
312B

MD5
4183804834bb4c8541503e369954d876

SHA1
c87144835cab7d295cfb1aa226a99376f527da27

SHA256
1770dde61e7f88347acbab5848923f092311e08a4291387da360401c0cf52441

SHA512
1aba5b6976e9b4ba5f02d78486b2fcf31803265ef0e0aff3fec65d23b855e1eaab0f789a2da7caf55430208c86668f6be62fb0dc85ad6ee09922267f8bc28793

Download Submit
memory/1296-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1296-69-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1296-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1296-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1296-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1296-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1296-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1296-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2364-53-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2364-43-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2364-39-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2364-41-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2364-51-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2364-50-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2364-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2364-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2364-45-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2488-19-0x0000000005300000-0x000000000539A000-memory.dmp

Filesize
616KB

Download
memory/2488-23-0x00000000053A0000-0x0000000005430000-memory.dmp

Filesize
576KB

Download
memory/2488-1-0x00000000011F0000-0x00000000012CC000-memory.dmp

Filesize
880KB

Download
memory/2488-37-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-6-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-17-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2488-0-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/2488-20-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2536-36-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2536-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-32-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2536-25-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2536-24-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2536-28-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2536-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2536-34-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads