hawkeye_reborn | 4945a1a4f65271de23a99eaad0b4a08b472b2dcb60a60a5b06f26afad49da181

General

Target

H.bin.exe
Size

881KB
MD5

3fe7d81139bd40361330a07f47bb99e1
SHA1

391bc516fe8e1feae96fb3c7c31bcccec4fa20e6
SHA256

4945a1a4f65271de23a99eaad0b4a08b472b2dcb60a60a5b06f26afad49da181
SHA512

f22e4e2fa6be336cd26fb46f9b7d9cc656670f6c8abf5283e1cd35e718a95a53145937adc70036fc7cf850234c9090b05a190bafd9ae2ad20d9bf8441103f63e

Score

10^/10

keylogger trojan stealer spyware hawkeye_reborn

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

H.bin.exe

pid process

3968 H.bin.exe
HawkEye Reborn
HawkEye Reborn is an enchanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Reads browser user data or profiles (possible credential harvesting) 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3968	H.bin.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

H.bin.exeH.bin.exe

description	pid	process	target process
PID 3896 wrote to memory of 3968	3896	H.bin.exe	H.bin.exe
PID 3896 wrote to memory of 3968	3896	H.bin.exe	H.bin.exe
PID 3896 wrote to memory of 3968	3896	H.bin.exe	H.bin.exe
PID 3896 wrote to memory of 3968	3896	H.bin.exe	H.bin.exe
PID 3896 wrote to memory of 3968	3896	H.bin.exe	H.bin.exe
PID 3896 wrote to memory of 3968	3896	H.bin.exe	H.bin.exe
PID 3896 wrote to memory of 3968	3896	H.bin.exe	H.bin.exe
PID 3896 wrote to memory of 3968	3896	H.bin.exe	H.bin.exe
PID 3968 wrote to memory of 3760	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 3760	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 3760	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 3760	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 3760	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 3760	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 3760	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 3760	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 3760	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 2224	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 2224	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 2224	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 2224	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 2224	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 2224	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 2224	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 2224	3968	H.bin.exe	vbc.exe
PID 3968 wrote to memory of 2224	3968	H.bin.exe	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

H.bin.exeH.bin.exe

description	pid	process	target process
PID 3896 set thread context of 3968	3896	H.bin.exe	H.bin.exe
PID 3968 set thread context of 3760	3968	H.bin.exe	vbc.exe
PID 3968 set thread context of 2224	3968	H.bin.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vbc.exe

pid process

3760 vbc.exe
3760 vbc.exe
3760 vbc.exe
3760 vbc.exe

pid	process
3760	vbc.exe
3760	vbc.exe
3760	vbc.exe
3760	vbc.exe

C:\Users\Admin\AppData\Local\Temp\H.bin.exe
"C:\Users\Admin\AppData\Local\Temp\H.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3896

C:\Users\Admin\AppData\Local\Temp\H.bin.exe
"{path}"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC18A.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCE7C.tmp"
3⤵
PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC18A.tmp

Download Submit
memory/2224-4-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2224-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3760-1-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3760-2-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3968-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing