hawkeye_reborn | 51fef8e428e33333c31c9026232baa98efdc3a586c55c808859065a964b56c5d

General

Target

PAYMENT-PDF.exe
Size

518KB
MD5

d8b7335d7669b24ddb9b239953f0d7a7
SHA1

f119bea19f892adc161a0ebb15ffbcc8150cc3c5
SHA256

39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9
SHA512

96c2ef1da4c5c1f55c17cadd46959a0ec8c0d9ddc947ac2c5c85fb9a3910d76436079ce2ed739c4f27f5d54cd8d1776670aeea305061fc43a046c92ebfbe515e
SSDEEP

12288:mEtjkdhUeFE6ySHS+aoISuYZ0kaJWIkkQNvnr5de:mDZE6hSDoISnqkAvQNvnr5g

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/972-24-0x0000000005C90000-0x0000000005D20000-memory.dmp	m00nd3v_logger
behavioral2/memory/1844-26-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVoSSi.url	PAYMENT-PDF.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 972 set thread context of 1844	972	PAYMENT-PDF.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
972	PAYMENT-PDF.exe
972	PAYMENT-PDF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	PAYMENT-PDF.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 1768	972	PAYMENT-PDF.exe	84
PID 972 wrote to memory of 1768	972	PAYMENT-PDF.exe	84
PID 972 wrote to memory of 1768	972	PAYMENT-PDF.exe	84
PID 1768 wrote to memory of 4708	1768	csc.exe	86
PID 1768 wrote to memory of 4708	1768	csc.exe	86
PID 1768 wrote to memory of 4708	1768	csc.exe	86
PID 972 wrote to memory of 1844	972	PAYMENT-PDF.exe	89
PID 972 wrote to memory of 1844	972	PAYMENT-PDF.exe	89
PID 972 wrote to memory of 1844	972	PAYMENT-PDF.exe	89
PID 972 wrote to memory of 1844	972	PAYMENT-PDF.exe	89
PID 972 wrote to memory of 1844	972	PAYMENT-PDF.exe	89
PID 972 wrote to memory of 1844	972	PAYMENT-PDF.exe	89
PID 972 wrote to memory of 1844	972	PAYMENT-PDF.exe	89
PID 972 wrote to memory of 1844	972	PAYMENT-PDF.exe	89

C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\so5vny0f\so5vny0f.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES783D.tmp" "c:\Users\Admin\AppData\Local\Temp\so5vny0f\CSCA39F3DEDC2624C27B2821A59056DDAF.TMP"
    3⤵
    PID:4708
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES783D.tmp

Filesize
1KB

MD5
c44be8cc1525ccc9b629e5b5343ee770

SHA1
fd75df47280133ecbb87057daffbc853ff99b7a1

SHA256
ef3ff72205469d3ae89f099cd5251b4609be7314b1de4703e41898e0dce4f234

SHA512
713ba06f2219000596a796b13e4fe74a0f08378e640be55b82412a4c1d7ebed3dc0dd310bc018c2271bb2c7ae4a14c132d83076c8777f7354524fd4c1ae2a8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\so5vny0f\so5vny0f.dll

Filesize
6KB

MD5
57d6b58560ed5d3aba65beae416b7985

SHA1
e1c438c0b03f2f968295839bf4ed49b6173d6953

SHA256
e3a972c779365c2cd608ba8c86822bcd8e54f5d900433f40338eb4f537cf6339

SHA512
b4bc67a0dc8480cf867e08f12f06cd17d77b90df866cd87218884875e3b6af986370646d45eee9211ba49927679be8bf8daeaee5b8a20f24ab4e2e166d8f6bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\so5vny0f\so5vny0f.pdb

Filesize
17KB

MD5
4fefe7a779d0b6862335a132d60df7ef

SHA1
2971a5022ade351ae28fd0b5cdfba9f178e63797

SHA256
3685380108d98aa2a680250a88321ecac902271787672c3e0bf55385930060a5

SHA512
de1093fca6fb2e4d68096e3ceeed7359681487e4140c6c2fe0e3b0edf415aed024009cc8e2093808d0df563a83cdbd142b4a028825787ba627d573d26ed0c5a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\so5vny0f\CSCA39F3DEDC2624C27B2821A59056DDAF.TMP

Filesize
1KB

MD5
14fcd5d30b3bc0f2c3268b6aecb38b45

SHA1
89d3ff5a0eb5b24518fbd5980e5eb8e0de15aebd

SHA256
ee228444514012488d361136385efca5535441767e3d64bb02ce9cbbed84f29b

SHA512
1c6a8855ffdbe3e30e4abf7f5fdac142cfae3bbf2ccd1efbf2a2ace7053f20264126a29cf7234a8d98e4114ae2c69a136e16f558108c75fe68b15cca04ad2758

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\so5vny0f\so5vny0f.0.cs

Filesize
3KB

MD5
b6823d54afabf958afeefb18571df6e2

SHA1
9565aaf3eb244d657951d7a4f6bcdecf2b5bd2b4

SHA256
215489b46857eb0ffa39c0bc87f61944b6fb14d4fecc628db6e57d9e0eb27a10

SHA512
9b111ff86b7e36cc52750aad546e6c2c71e8ac90ae327880dc8666a749370312d1d2be34da3d24c5161a569c6452754248e3b8fbfecb2a25b9063237ac08c318

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\so5vny0f\so5vny0f.cmdline

Filesize
312B

MD5
b137c558e14062b9f8168de8bdac3f9e

SHA1
9ac5c57a77454234c976cfaa0619cf1c97bcb536

SHA256
906ee3bc3c58deaaafa4f4d9368cbfef4f8f1d8a1cffe5973a783715474a7367

SHA512
679e4367986264b5808d25009bb1cd27fded415a2fc79e6afa4cab731c01bb734d8313fd824680a685bc5dc2e05edb9b069f50e85e7f8038c5e23d337001df24

Download Submit
memory/972-19-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/972-24-0x0000000005C90000-0x0000000005D20000-memory.dmp

Filesize
576KB

Download
memory/972-1-0x0000000000BB0000-0x0000000000C38000-memory.dmp

Filesize
544KB

Download
memory/972-17-0x0000000002FA0000-0x0000000002FA8000-memory.dmp

Filesize
32KB

Download
memory/972-0-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/972-20-0x0000000005BF0000-0x0000000005C8A000-memory.dmp

Filesize
616KB

Download
memory/972-21-0x0000000005850000-0x000000000585C000-memory.dmp

Filesize
48KB

Download
memory/972-5-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/972-25-0x0000000005DC0000-0x0000000005E5C000-memory.dmp

Filesize
624KB

Download
memory/972-28-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/1844-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1844-29-0x0000000074852000-0x0000000074853000-memory.dmp

Filesize
4KB

Download
memory/1844-31-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1844-30-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1844-34-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing