hawkeye_reborn | bbf613ce1f6850b2b62c6f55082ab7b9bcc7f92db0a8ec8f0b495e29cb4988ae

General

Target

07675566556 PURCHASE ORDERpdf.exe
Size

876KB
MD5

b274988968c4256575dd4c4403838324
SHA1

a62d5ceb57ddec5dcffe768c6f48ff1dae66db67
SHA256

bbf613ce1f6850b2b62c6f55082ab7b9bcc7f92db0a8ec8f0b495e29cb4988ae
SHA512

abc5906d8e1e69ff1b33c61db06c4802e370efc8c15db8742092148fbb57aa8df3bd70e6b54fcf6b9a232642318510a4b352ce9810fbd7a1904b6f806d379978

Score

10^/10

spyware keylogger trojan stealer hawkeye_reborn

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.gracexmhk.info
Port:
21
Username:
[email protected]
Password:
Success2020

Extracted

Family

hawkeye_reborn

Version

10.0.0.1

Credentials

Protocol: ftp
Host:
ftp.gracexmhk.info
Port:
21
Username:
[email protected]
Password:
Success2020

Mutex

860e38e2-ebad-459f-9a9b-df55993f73fe

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:Success2020 _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.gracexmhk.info _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:860e38e2-ebad-459f-9a9b-df55993f73fe _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null

Signatures

Suspicious use of SetThreadContext 3 IoCs

Processes:

07675566556 PURCHASE ORDERpdf.exe07675566556 PURCHASE ORDERpdf.exe

description	pid	process	target process
PID 288 set thread context of 1060	288	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1060 set thread context of 1880	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 set thread context of 1732	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

1880 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 bot.whatismyipaddress.com
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

532 schtasks.exe
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

pid	process
1880	vbc.exe

flow	ioc
2	bot.whatismyipaddress.com

pid	process
532	schtasks.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

07675566556 PURCHASE ORDERpdf.exe07675566556 PURCHASE ORDERpdf.exe

description	pid	process	target process
PID 288 wrote to memory of 532	288	07675566556 PURCHASE ORDERpdf.exe	schtasks.exe
PID 288 wrote to memory of 532	288	07675566556 PURCHASE ORDERpdf.exe	schtasks.exe
PID 288 wrote to memory of 532	288	07675566556 PURCHASE ORDERpdf.exe	schtasks.exe
PID 288 wrote to memory of 532	288	07675566556 PURCHASE ORDERpdf.exe	schtasks.exe
PID 288 wrote to memory of 1060	288	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 288 wrote to memory of 1060	288	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 288 wrote to memory of 1060	288	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 288 wrote to memory of 1060	288	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 288 wrote to memory of 1060	288	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 288 wrote to memory of 1060	288	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 288 wrote to memory of 1060	288	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 288 wrote to memory of 1060	288	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 288 wrote to memory of 1060	288	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1060 wrote to memory of 1880	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1880	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1880	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1880	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1880	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1880	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1880	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1880	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1880	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1880	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1732	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1732	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1732	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1732	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1732	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1732	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1732	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1732	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1732	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe
PID 1060 wrote to memory of 1732	1060	07675566556 PURCHASE ORDERpdf.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe
"C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eLajqaT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC551.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:532
- C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe
  "{path}"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFC67.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEE45.tmp"
    3⤵
    PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC551.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC67.tmp

Download Submit
memory/1060-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1060-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1060-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1732-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1732-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1880-4-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1880-5-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads