hawkeye_reborn | a95ad9e61847bec0e9faac52ac95e069cf6cf9583733cc10cf547060e096eb24

General

Target

malware.exe
Size

743KB
MD5

d0b3518e06e76afbf847b77eb0394aee
SHA1

56d0931f5ca3dfb0f3848a512297adbf7d758a87
SHA256

a95ad9e61847bec0e9faac52ac95e069cf6cf9583733cc10cf547060e096eb24
SHA512

0654014c576f29947c6773be6b0c359a1487d6ad7a9eab0cea3cc9df49d1fda1715d143d937347839aec815220783206af175ee1385c9838046798241f1c8bfd

Score

10^/10

spyware evasion trojan persistence keylogger stealer hawkeye_reborn

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.0

Credentials

Protocol: smtp
Host:
mail.novaa-ship.com
Port:
587
Username:
[email protected]
Password:
Azz%LcQK%sb!

Mutex

d21bafc9-f1e1-4be7-9df9-d1d467ddd0d0

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:Azz%LcQK%sb! _EmailPort:587 _EmailSSL:true _EmailServer:mail.novaa-ship.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:20 _MeltFile:false _Mutex:d21bafc9-f1e1-4be7-9df9-d1d467ddd0d0 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:true _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null

Signatures

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

malware.exeUopcep.exeregasm.exe

description	pid	process	target process
PID 1400 wrote to memory of 820	1400	malware.exe	Uopcep.exe
PID 1400 wrote to memory of 820	1400	malware.exe	Uopcep.exe
PID 1400 wrote to memory of 820	1400	malware.exe	Uopcep.exe
PID 1400 wrote to memory of 820	1400	malware.exe	Uopcep.exe
PID 820 wrote to memory of 1956	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1956	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1956	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1956	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1956	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1956	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1956	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1936	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1936	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1936	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1936	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1936	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1936	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1956	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1936	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1936	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1956	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1956	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1956	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1936	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1936	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1956	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1936	820	Uopcep.exe	regasm.exe
PID 820 wrote to memory of 1936	820	Uopcep.exe	regasm.exe
PID 1936 wrote to memory of 1420	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1420	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1420	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1420	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1420	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1420	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1420	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1420	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1420	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1420	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1600	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1600	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1600	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1600	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1600	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1600	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1600	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1600	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1600	1936	regasm.exe	vbc.exe
PID 1936 wrote to memory of 1600	1936	regasm.exe	vbc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Uopcep.exeregasm.exe

description	pid	process	target process
PID 820 set thread context of 1956	820	Uopcep.exe	regasm.exe
PID 820 set thread context of 1936	820	Uopcep.exe	regasm.exe
PID 1936 set thread context of 1420	1936	regasm.exe	vbc.exe
PID 1936 set thread context of 1600	1936	regasm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Uopcep.exeregasm.exevbc.exe

pid process

820 Uopcep.exe
820 Uopcep.exe
820 Uopcep.exe
820 Uopcep.exe
1956 regasm.exe
1956 regasm.exe
1420 vbc.exe
1420 vbc.exe

pid	process
820	Uopcep.exe
820	Uopcep.exe
820	Uopcep.exe
820	Uopcep.exe
1956	regasm.exe
1956	regasm.exe
1420	vbc.exe
1420	vbc.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Uopcep.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Uopcep.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Uopcep.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Uopcep.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Uopcep.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kherg = "C:\\Users\\Admin\\AppData\\Roaming\\Awwovi\\kherg.url"	Uopcep.exe

Executes dropped EXE 1 IoCs

Processes:

Uopcep.exe

pid process

820 Uopcep.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 bot.whatismyipaddress.com
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

malware.exeUopcep.exe

pid process

1400 malware.exe
1400 malware.exe
820 Uopcep.exe
820 Uopcep.exe
Loads dropped DLL 1 IoCs

Processes:

malware.exe

pid process

1400 malware.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Uopcep.exeregasm.exeregasm.exe

description pid process

Token: SeDebugPrivilege 820 Uopcep.exe
Token: SeDebugPrivilege 1956 regasm.exe
Token: SeDebugPrivilege 1936 regasm.exe

pid	process
820	Uopcep.exe

flow	ioc
11	bot.whatismyipaddress.com

pid	process
1400	malware.exe
1400	malware.exe
820	Uopcep.exe
820	Uopcep.exe

pid	process
1400	malware.exe

description	pid	process
Token: SeDebugPrivilege	820	Uopcep.exe
Token: SeDebugPrivilege	1956	regasm.exe
Token: SeDebugPrivilege	1936	regasm.exe

js 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1400-5-0x000000007414F02E-0x000000007456DFC6-disk.dmp	js

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

C:\Users\Admin\AppData\Local\Temp\malware.exe
"C:\Users\Admin\AppData\Local\Temp\malware.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
PID:1400

C:\Users\Admin\AppData\Roaming\Awwovi\Uopcep.exe
"C:\Users\Admin\AppData\Roaming\Awwovi\Uopcep.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
- Adds Run entry to start application
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8C89.tmp"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7EA6.tmp"
4⤵
PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Scripting

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C89.tmp

Download Submit
C:\Users\Admin\AppData\Roaming\Awwovi\Uopcep.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Awwovi\Uopcep.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Awwovi\kherg.url

Download Submit
\Users\Admin\AppData\Roaming\Awwovi\Uopcep.exe

Download Submit
memory/820-15-0x000000007414F02E-0x00000000743AE2E6-disk.dmp

Filesize
2.4MB

Download
memory/1400-5-0x000000007414F02E-0x000000007456DFC6-disk.dmp

Filesize
4.1MB

Download
memory/1400-2-0x0000000000000106-0x0000000000000106-disk.dmp

Download
memory/1420-32-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1420-33-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1600-35-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1600-36-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1936-20-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1936-25-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1936-21-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1936-19-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1956-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1956-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1956-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads