hawkeye_reborn | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/03/2025, 18:58

250301-xmhhrayp15 10

01/03/2025, 18:55

250301-xkqrcaypx7 10

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hyundai steel-pipe- job 8010(1).exe
Size

721KB
MD5

0999a03694a1c97a43ac0de89cbf355e
SHA1

0c8fdd4c3b40c4827662baa0c89b5b50d8f0cf1d
SHA256

8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b
SHA512

6515a13d561d2adb08fd53dba80ecd7ee264b66080848e0c845f63313eb9a828c6be8014d6db47f8ac910e24848dd74c57aae00a92ebe9b4efd97676e0365fe9
SSDEEP

12288:wdnX6tet6u5CB6m6FQgsPQCjyEtbK7DSQDnwjAR7EOP9uSlcC3ro:QXUim6m6FyPJzcQjNSuYro

Score

10^/10

hawkeye_reborn m00nd3v_logger collection discovery infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
castor123@

Mutex

245f77ec-c812-48df-870b-886d22992db6

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:castor123@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:245f77ec-c812-48df-870b-886d22992db6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Hawkeye_reborn family
hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger
M00nd3v_logger family
m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral13/memory/3632-4-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hyundai steel-pipe- job 8010(1).exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hyundai steel-pipe- job 8010(1).exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hyundai steel-pipe- job 8010(1).exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3620 set thread context of 3632	3620	hyundai steel-pipe- job 8010(1).exe	81

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hyundai steel-pipe- job 8010(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hyundai steel-pipe- job 8010(1).exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3620	hyundai steel-pipe- job 8010(1).exe
3632	hyundai steel-pipe- job 8010(1).exe
3632	hyundai steel-pipe- job 8010(1).exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3620	hyundai steel-pipe- job 8010(1).exe
Token: SeDebugPrivilege	3632	hyundai steel-pipe- job 8010(1).exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3632	hyundai steel-pipe- job 8010(1).exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 3632	3620	hyundai steel-pipe- job 8010(1).exe	81
PID 3620 wrote to memory of 3632	3620	hyundai steel-pipe- job 8010(1).exe	81
PID 3620 wrote to memory of 3632	3620	hyundai steel-pipe- job 8010(1).exe	81
PID 3620 wrote to memory of 3632	3620	hyundai steel-pipe- job 8010(1).exe	81
PID 3620 wrote to memory of 3632	3620	hyundai steel-pipe- job 8010(1).exe	81
PID 3620 wrote to memory of 3632	3620	hyundai steel-pipe- job 8010(1).exe	81
PID 3620 wrote to memory of 3632	3620	hyundai steel-pipe- job 8010(1).exe	81
PID 3620 wrote to memory of 3632	3620	hyundai steel-pipe- job 8010(1).exe	81

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hyundai steel-pipe- job 8010(1).exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hyundai steel-pipe- job 8010(1).exe

C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe
"C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe
  "{path}"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hyundai steel-pipe- job 8010(1).exe.log

Filesize
667B

MD5
fad44290d2f569240416a287677a6b34

SHA1
0799266664e37852987cc24398f9a70c7e56742b

SHA256
e955c99499359471526e95c22a084d1578997c39ecab988badf6798cfbd995b0

SHA512
ee4136ac147d41646368eeb16390598c1da2b9e3bb8331b43062a72e4ad1d05eec56dcc727f9b5b447756c3edc855b08ef0c241073a5f88e749714f2beb98bc3

Download Submit
memory/3620-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

Filesize
4KB

Download
memory/3620-1-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3620-2-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3620-3-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3620-7-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3632-8-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3632-4-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3632-10-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3632-9-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3632-11-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3632-13-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3632-14-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download