hawkeye_reborn | 202711cb7c027ea341302d92dee09c713871e52b86df1325c837d355a9ab2190

General

Target

vesseldetails.exe
Size

668KB
MD5

58dabb3cafcad9f11c864a29d93f19da
SHA1

b900e523e7fdb0ad4df912189346653948df1754
SHA256

99098b282b5a2190cdb362bd92f8ce2b42dc70121c91680b318fe5aa2443c815
SHA512

3d8041149985538c39ff151ec2b7827ffb3fc2a1c60abfb409ca8beb7a1f767aea3d1f293e55645a540a64033ee3b05ddf7ddada0dd9c188be3722774f7276e8
SSDEEP

12288:uDwTYTGwLkRGnQcawp33vZDP8RLzurKYIH1mrAHncQA+6D9:WSwLkRAQcawtMLzuuH12AHcQA+

Score

10^/10

hawkeye_reborn m00nd3v_logger discovery infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.5

Credentials

Protocol: smtp
Host:
mail.oms.com.sg
Port:
587
Username:
[email protected]
Password:
oms3388$$

Mutex

beb03e55-7618-45f1-9df1-fcc9af459623

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:oms3388$$ _EmailPort:587 _EmailSSL:true _EmailServer:mail.oms.com.sg _EmailUsername:[email protected] _EmptyClipboard:true _EmptyKeyStroke:true _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:2 _LoopPasswordStealer:true _MeltFile:false _Mutex:beb03e55-7618-45f1-9df1-fcc9af459623 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.5 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 5 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/2808-13-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger
behavioral1/memory/2808-11-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger
behavioral1/memory/2808-8-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger
behavioral1/memory/2808-7-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger
behavioral1/memory/2808-15-0x0000000000400000-0x000000000049C000-memory.dmp	m00nd3v_logger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 2808	2164	vesseldetails.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vesseldetails.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vesseldetails.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2808	vesseldetails.exe
2808	vesseldetails.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	vesseldetails.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2808	vesseldetails.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2808	2164	vesseldetails.exe	30
PID 2164 wrote to memory of 2808	2164	vesseldetails.exe	30
PID 2164 wrote to memory of 2808	2164	vesseldetails.exe	30
PID 2164 wrote to memory of 2808	2164	vesseldetails.exe	30
PID 2164 wrote to memory of 2808	2164	vesseldetails.exe	30
PID 2164 wrote to memory of 2808	2164	vesseldetails.exe	30
PID 2164 wrote to memory of 2808	2164	vesseldetails.exe	30
PID 2164 wrote to memory of 2808	2164	vesseldetails.exe	30
PID 2164 wrote to memory of 2808	2164	vesseldetails.exe	30

C:\Users\Admin\AppData\Local\Temp\vesseldetails.exe
"C:\Users\Admin\AppData\Local\Temp\vesseldetails.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\vesseldetails.exe
  "{path}"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2164-0-0x0000000074AD1000-0x0000000074AD2000-memory.dmp

Filesize
4KB

Download
memory/2164-1-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-2-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-3-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-4-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-18-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-17-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-11-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2808-13-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2808-16-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-8-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2808-7-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2808-15-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2808-5-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2808-6-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2808-20-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing