hawkeye_reborn | 95dce20d910cf373ff2b72697282c344313dd3bf7ffd09c4ece59cd9f58c8972

General

Target

SCAN001.exe
Size

903KB
MD5

8a5867be14ac55f133f64e6234f2d2f7
SHA1

b3aaafea6913d1ae69c9102310d51bf8257c0d25
SHA256

95dce20d910cf373ff2b72697282c344313dd3bf7ffd09c4ece59cd9f58c8972
SHA512

7aefa44f9fbd4d7c80529bea8b5b6c2c7b43cd4bdcda41f54e1cb84bb1ec15a6811ba8650c1cb5025793e46d3fe142f697d449c9b5840f00b311c828341a0270

Score

10^/10

keylogger trojan stealer spyware hawkeye_reborn

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

SCAN001.exeRegSvcs.exe

description	pid	process	target process
PID 1872 wrote to memory of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1872 wrote to memory of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1872 wrote to memory of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1872 wrote to memory of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1872 wrote to memory of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1872 wrote to memory of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1872 wrote to memory of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1872 wrote to memory of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1872 wrote to memory of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1872 wrote to memory of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1872 wrote to memory of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1872 wrote to memory of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1908 wrote to memory of 2044	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 2044	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 2044	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 2044	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 2044	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 2044	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 2044	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 2044	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 2044	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 2044	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 1540	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 1540	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 1540	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 1540	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 1540	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 1540	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 1540	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 1540	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 1540	1908	RegSvcs.exe	vbc.exe
PID 1908 wrote to memory of 1540	1908	RegSvcs.exe	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SCAN001.exeRegSvcs.exe

description	pid	process	target process
PID 1872 set thread context of 1908	1872	SCAN001.exe	RegSvcs.exe
PID 1908 set thread context of 2044	1908	RegSvcs.exe	vbc.exe
PID 1908 set thread context of 1540	1908	RegSvcs.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

2044 vbc.exe
HawkEye Reborn
HawkEye Reborn is an enchanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

pid	process
2044	vbc.exe

C:\Users\Admin\AppData\Local\Temp\SCAN001.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN001.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2E.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF2E7.tmp"
3⤵
PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2E.tmp

Download Submit
memory/1540-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1540-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1908-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1908-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1908-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2044-4-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2044-5-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing