hawkeye_reborn | 4945a1a4f65271de23a99eaad0b4a08b472b2dcb60a60a5b06f26afad49da181

General

Target

H.bin.exe
Size

881KB
MD5

3fe7d81139bd40361330a07f47bb99e1
SHA1

391bc516fe8e1feae96fb3c7c31bcccec4fa20e6
SHA256

4945a1a4f65271de23a99eaad0b4a08b472b2dcb60a60a5b06f26afad49da181
SHA512

f22e4e2fa6be336cd26fb46f9b7d9cc656670f6c8abf5283e1cd35e718a95a53145937adc70036fc7cf850234c9090b05a190bafd9ae2ad20d9bf8441103f63e

Score

10^/10

keylogger trojan stealer spyware hawkeye_reborn

Malware Config

Signatures

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

H.bin.exeH.bin.exe

description	pid	process	target process
PID 1844 wrote to memory of 1880	1844	H.bin.exe	H.bin.exe
PID 1844 wrote to memory of 1880	1844	H.bin.exe	H.bin.exe
PID 1844 wrote to memory of 1880	1844	H.bin.exe	H.bin.exe
PID 1844 wrote to memory of 1880	1844	H.bin.exe	H.bin.exe
PID 1844 wrote to memory of 1880	1844	H.bin.exe	H.bin.exe
PID 1844 wrote to memory of 1880	1844	H.bin.exe	H.bin.exe
PID 1844 wrote to memory of 1880	1844	H.bin.exe	H.bin.exe
PID 1844 wrote to memory of 1880	1844	H.bin.exe	H.bin.exe
PID 1844 wrote to memory of 1880	1844	H.bin.exe	H.bin.exe
PID 1880 wrote to memory of 2012	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 2012	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 2012	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 2012	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 2012	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 2012	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 2012	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 2012	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 2012	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 2012	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 1384	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 1384	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 1384	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 1384	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 1384	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 1384	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 1384	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 1384	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 1384	1880	H.bin.exe	vbc.exe
PID 1880 wrote to memory of 1384	1880	H.bin.exe	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

H.bin.exeH.bin.exe

description	pid	process	target process
PID 1844 set thread context of 1880	1844	H.bin.exe	H.bin.exe
PID 1880 set thread context of 2012	1880	H.bin.exe	vbc.exe
PID 1880 set thread context of 1384	1880	H.bin.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

2012 vbc.exe
HawkEye Reborn
HawkEye Reborn is an enchanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Reads browser user data or profiles (possible credential harvesting) 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2012	vbc.exe

C:\Users\Admin\AppData\Local\Temp\H.bin.exe
"C:\Users\Admin\AppData\Local\Temp\H.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1844

C:\Users\Admin\AppData\Local\Temp\H.bin.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE4B3.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD807.tmp"
3⤵
PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE4B3.tmp

Download Submit
memory/1384-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1384-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1880-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1880-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1880-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2012-4-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2012-5-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing