hawkeye_reborn | 06877846c6e43d02cb0ff3899b0a7cb450c09285c66fe7e63a08d00f4b3580bb

General

Target

009865.PDF.exe
Size

779KB
MD5

ae683582bc9e495df07b906e3b94873b
SHA1

03105c593dfe693398fbfd27e788bf4ce840977f
SHA256

06877846c6e43d02cb0ff3899b0a7cb450c09285c66fe7e63a08d00f4b3580bb
SHA512

8d761ff051be1614f9f2fb052cdc5094e2c625f9b694b8451110b4cc6d10bd1bdf4e82c770779d7915a8f3573cb3cbf42fb6b8de56595c6b35f03457873edcc0

Score

10^/10

spyware keylogger trojan stealer hawkeye_reborn

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.0.0

Credentials

Protocol: smtp
Host:
mail.3enaluminyum.com.tr
Port:
587
Username:
[email protected]
Password:
3eN13579?

Mutex

1278e7d4-dcd9-4a7a-8780-d6f5636aa3de

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:3eN13579? _EmailPort:587 _EmailSSL:true _EmailServer:mail.3enaluminyum.com.tr _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:1278e7d4-dcd9-4a7a-8780-d6f5636aa3de _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

Signatures

Suspicious use of SetThreadContext 2 IoCs

Processes:

009865.PDF.exe009865.PDF.exe

description	pid	process	target process
PID 1304 set thread context of 852	1304	009865.PDF.exe	009865.PDF.exe
PID 852 set thread context of 800	852	009865.PDF.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe009865.PDF.exe

pid process

800 vbc.exe
852 009865.PDF.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

009865.PDF.exe

pid process

852 009865.PDF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

009865.PDF.exe

description pid process

Token: SeDebugPrivilege 852 009865.PDF.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

pid	process
800	vbc.exe
852	009865.PDF.exe

pid	process
852	009865.PDF.exe

description	pid	process
Token: SeDebugPrivilege	852	009865.PDF.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

009865.PDF.exe009865.PDF.exe

description	pid	process	target process
PID 1304 wrote to memory of 852	1304	009865.PDF.exe	009865.PDF.exe
PID 1304 wrote to memory of 852	1304	009865.PDF.exe	009865.PDF.exe
PID 1304 wrote to memory of 852	1304	009865.PDF.exe	009865.PDF.exe
PID 1304 wrote to memory of 852	1304	009865.PDF.exe	009865.PDF.exe
PID 1304 wrote to memory of 852	1304	009865.PDF.exe	009865.PDF.exe
PID 1304 wrote to memory of 852	1304	009865.PDF.exe	009865.PDF.exe
PID 1304 wrote to memory of 852	1304	009865.PDF.exe	009865.PDF.exe
PID 1304 wrote to memory of 852	1304	009865.PDF.exe	009865.PDF.exe
PID 1304 wrote to memory of 852	1304	009865.PDF.exe	009865.PDF.exe
PID 852 wrote to memory of 800	852	009865.PDF.exe	vbc.exe
PID 852 wrote to memory of 800	852	009865.PDF.exe	vbc.exe
PID 852 wrote to memory of 800	852	009865.PDF.exe	vbc.exe
PID 852 wrote to memory of 800	852	009865.PDF.exe	vbc.exe
PID 852 wrote to memory of 800	852	009865.PDF.exe	vbc.exe
PID 852 wrote to memory of 800	852	009865.PDF.exe	vbc.exe
PID 852 wrote to memory of 800	852	009865.PDF.exe	vbc.exe
PID 852 wrote to memory of 800	852	009865.PDF.exe	vbc.exe
PID 852 wrote to memory of 800	852	009865.PDF.exe	vbc.exe
PID 852 wrote to memory of 800	852	009865.PDF.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp13DD.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp13DD.tmp

Download Submit
memory/800-4-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/800-5-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/852-0-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/852-1-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/852-2-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing