hawkeye_reborn | bc8916502006c13655027769ce62225fbf4e9e4380ac4c2aaf7892d45e058d4a

General

Target

Documents98376532453.exe
Size

951KB
MD5

0bf39869b08ade7c8ed45ff5a26f70c4
SHA1

09ba2e264420ccd1cb0aae13501a7329c3493f54
SHA256

a9b7dbcbe943925db368bcc5c700d3f77dde99190780b94dc9f1439fe17a4bba
SHA512

4e17bfb64903b993f5aaa83ae844611566394a71596133d187ed2d38802b0c2d18781bbd6610f6628265ccc89fb1f4f69bae2a321048c38b104c1bab30259658
SSDEEP

24576:/lozTZfU0l3vcCbatx3vi9uPnl2NSBSynBG1ST:/lGzaT/iI4SBSynBV

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/632-24-0x0000000005D10000-0x0000000005DA0000-memory.dmp	m00nd3v_logger
behavioral2/memory/5064-26-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4024-44-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4024-45-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4024-47-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3872-33-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3872-35-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3872-36-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3872-42-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3872-33-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3872-35-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3872-36-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3872-42-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4024-44-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4024-45-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4024-47-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

Documents98376532453.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EyXKWK.url Documents98376532453.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EyXKWK.url	Documents98376532453.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Documents98376532453.exeRegAsm.exe

description	pid	process	target process
PID 632 set thread context of 5064	632	Documents98376532453.exe	RegAsm.exe
PID 5064 set thread context of 3872	5064	RegAsm.exe	vbc.exe
PID 5064 set thread context of 4024	5064	RegAsm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Documents98376532453.exevbc.exeRegAsm.exe

pid	process
632	Documents98376532453.exe
632	Documents98376532453.exe
3872	vbc.exe
3872	vbc.exe
3872	vbc.exe
3872	vbc.exe
3872	vbc.exe
3872	vbc.exe
3872	vbc.exe
3872	vbc.exe
3872	vbc.exe
3872	vbc.exe
3872	vbc.exe
3872	vbc.exe
5064	RegAsm.exe
5064	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Documents98376532453.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 632 Documents98376532453.exe
Token: SeDebugPrivilege 5064 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

5064 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	632	Documents98376532453.exe
Token: SeDebugPrivilege	5064	RegAsm.exe

pid	process
5064	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Documents98376532453.execsc.exeRegAsm.exe

description	pid	process	target process
PID 632 wrote to memory of 232	632	Documents98376532453.exe	csc.exe
PID 632 wrote to memory of 232	632	Documents98376532453.exe	csc.exe
PID 632 wrote to memory of 232	632	Documents98376532453.exe	csc.exe
PID 232 wrote to memory of 2828	232	csc.exe	cvtres.exe
PID 232 wrote to memory of 2828	232	csc.exe	cvtres.exe
PID 232 wrote to memory of 2828	232	csc.exe	cvtres.exe
PID 632 wrote to memory of 5064	632	Documents98376532453.exe	RegAsm.exe
PID 632 wrote to memory of 5064	632	Documents98376532453.exe	RegAsm.exe
PID 632 wrote to memory of 5064	632	Documents98376532453.exe	RegAsm.exe
PID 632 wrote to memory of 5064	632	Documents98376532453.exe	RegAsm.exe
PID 632 wrote to memory of 5064	632	Documents98376532453.exe	RegAsm.exe
PID 632 wrote to memory of 5064	632	Documents98376532453.exe	RegAsm.exe
PID 632 wrote to memory of 5064	632	Documents98376532453.exe	RegAsm.exe
PID 632 wrote to memory of 5064	632	Documents98376532453.exe	RegAsm.exe
PID 5064 wrote to memory of 3872	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 3872	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 3872	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 3872	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 3872	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 3872	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 3872	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 3872	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 3872	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 4024	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 4024	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 4024	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 4024	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 4024	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 4024	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 4024	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 4024	5064	RegAsm.exe	vbc.exe
PID 5064 wrote to memory of 4024	5064	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Documents98376532453.exe
"C:\Users\Admin\AppData\Local\Temp\Documents98376532453.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nuan43bw\nuan43bw.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48A2.tmp" "c:\Users\Admin\AppData\Local\Temp\nuan43bw\CSCC62E2E38C81445759F9913FDAFFB620.TMP"
3⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp732C.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7734.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES48A2.tmp
Filesize
1KB

MD5
6d3c0e6c49e4dc05a79f1593715fa371

SHA1
283edd1fc01243fc8ccdccd28abc8bfe81676a9a

SHA256
a0659ef5422a61e5aea07628a51b80723c0def2d5fe74b5064d979c7552cc29f

SHA512
e7e48f11be60860c686c229ad1db804b9333172e1a41722115827ca83afda08e76fc5e8f3f588d59579863765e73957d7e06dee935e6939d766f223cbe180667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuan43bw\nuan43bw.dll
Filesize
25KB

MD5
4e31f85d937c3566d6bd8c4e28867712

SHA1
aee805dd8c7ab881cadc4c74b2e171463a7210b8

SHA256
c081704da842994a8acf90c2d795b6cd8f97efdacdcfb31fa2d27ab1bbb9d647

SHA512
751437527ca8acafba1940f77eeaa3464d93b0222393740047edf4e8dcd48764aa1167fe9bed34295945100b808f7c66f3d21a33c9f1c98e10120c3ec3d7143f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuan43bw\nuan43bw.pdb
Filesize
83KB

MD5
399da3ad29b88fad17960a768165d8b0

SHA1
e61d33bb6c93b7782c3aa91b6c95d4b96074173a

SHA256
397c3f0ab6f673097ff865b894a9d71ac3e602436e4d4ca70839efb4ac0ab8a6

SHA512
a078567e16f0b0a0f61cc88ee91e906dcd46b892d333b319228ef0dbc18c00c264c661f1a772eefbb9d6cc7be981ed809d5d0509dc49b6c96a36d9d7954326bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp732C.tmp
Filesize
4KB

MD5
0c71400795defb1ddf2816dcb2440470

SHA1
a9f25ddc014a44b58a890ac42ea47d98a3f754a3

SHA256
eef6222f63aae44aec7addd2cdf1d348af92b32e0be1d4c857c48d9a941d9dac

SHA512
4d5fd766afe850d8282b85ca0ff3ef36e225e754254f43e1e3e0147675d40f901096199e666310e7f70b6cfbe9f33f3dbe4a063fbd4df7267190bad5121efabf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nuan43bw\CSCC62E2E38C81445759F9913FDAFFB620.TMP
Filesize
1KB

MD5
cba5f02f530c6ccb2904ffccc038ecf0

SHA1
fb0fe96056501d54fa487691c020de542b40c3f7

SHA256
6b39dbe9e4bf81f9051a16ecbb5c53aa87d495a79e453731d3b16422ba05ea5a

SHA512
3e81a142be29cc94a99baa0b5f6dddef5ceb45ab6a1b123eed9783e7f149eb71430721ae28a57fe37bbc29b232e86b5a9dc18db8a1685448f547d71aae726fb9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nuan43bw\nuan43bw.0.cs
Filesize
63KB

MD5
db8db79a3b3807a4539ffdd44b3e030b

SHA1
6aa911e5e19e0286586186068efe2099ccea2d06

SHA256
84c25a6d9142065a80e4f4f01b6a5ee06eac1f2ef1f87806bf291e42099b1fc1

SHA512
1cb1f9ac55984b775fb79911493f34c71b7c0038dd32d468f17bc93b5d9a76f4185ff74b84fc5906311f4a9525390be03a7d5d3fe5f4c8eb06eb12c193e2b114

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nuan43bw\nuan43bw.cmdline
Filesize
312B

MD5
f090ac4d9caadb57c3b7968979c34a09

SHA1
332fa4ff6a4d1736e1bd3d5caadf4a969ba5477b

SHA256
afca6df2f7e747717cf07323dda15c6bf8887daeea88faedf94c24316e571d6f

SHA512
69f7de4dbb721f14a9180203b7478189f5602f700515f862050d612c4747b792b236e919e0b4c9399aee59cb7525419d0db56bfc158345aedf51dd5320490f8e

Download Submit
memory/632-25-0x0000000005E40000-0x0000000005EDC000-memory.dmp

Filesize
624KB

Download
memory/632-29-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/632-19-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/632-5-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/632-20-0x0000000005C60000-0x0000000005CFA000-memory.dmp

Filesize
616KB

Download
memory/632-21-0x0000000003120000-0x000000000312C000-memory.dmp

Filesize
48KB

Download
memory/632-24-0x0000000005D10000-0x0000000005DA0000-memory.dmp

Filesize
576KB

Download
memory/632-0-0x000000007482E000-0x000000007482F000-memory.dmp

Filesize
4KB

Download
memory/632-1-0x0000000000C20000-0x0000000000CFC000-memory.dmp

Filesize
880KB

Download
memory/632-17-0x00000000015F0000-0x00000000015FC000-memory.dmp

Filesize
48KB

Download
memory/3872-42-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3872-41-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/3872-36-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3872-33-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3872-35-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4024-44-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4024-45-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4024-47-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5064-31-0x0000000070CB0000-0x0000000071261000-memory.dmp

Filesize
5.7MB

Download
memory/5064-28-0x0000000070CB2000-0x0000000070CB3000-memory.dmp

Filesize
4KB

Download
memory/5064-30-0x0000000070CB0000-0x0000000071261000-memory.dmp

Filesize
5.7MB

Download
memory/5064-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5064-48-0x0000000070CB2000-0x0000000070CB3000-memory.dmp

Filesize
4KB

Download
memory/5064-49-0x0000000070CB0000-0x0000000071261000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads