hawkeye_reborn | a66accde52c8f24dbd3d705a4babfee4015f547dc6f7a608cb6d37dd2930fccd

General

Target

20BHcKSmefo7MFF.exe
Size

396KB
MD5

f5714089e0fcf628ca4f885b24c5021a
SHA1

0405de4d982a3717948efab5e450c1d5d3cb4858
SHA256

a66accde52c8f24dbd3d705a4babfee4015f547dc6f7a608cb6d37dd2930fccd
SHA512

34e61ab8b440f897a6a39f21ae220ffa03ee3c4d4b2b2bbca9a1fdde8f51ba271f7b8c136434986644d5fb4749f0d2ab932379064d56b0d25786f2ad463ae660

Score

10^/10

keylogger trojan stealer spyware hawkeye_reborn

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

20BHcKSmefo7MFF.exeMSBuild.exe

description	pid	process	target process
PID 1016 wrote to memory of 964	1016	20BHcKSmefo7MFF.exe	schtasks.exe
PID 1016 wrote to memory of 964	1016	20BHcKSmefo7MFF.exe	schtasks.exe
PID 1016 wrote to memory of 964	1016	20BHcKSmefo7MFF.exe	schtasks.exe
PID 1016 wrote to memory of 964	1016	20BHcKSmefo7MFF.exe	schtasks.exe
PID 1016 wrote to memory of 800	1016	20BHcKSmefo7MFF.exe	MSBuild.exe
PID 1016 wrote to memory of 800	1016	20BHcKSmefo7MFF.exe	MSBuild.exe
PID 1016 wrote to memory of 800	1016	20BHcKSmefo7MFF.exe	MSBuild.exe
PID 1016 wrote to memory of 800	1016	20BHcKSmefo7MFF.exe	MSBuild.exe
PID 1016 wrote to memory of 800	1016	20BHcKSmefo7MFF.exe	MSBuild.exe
PID 1016 wrote to memory of 800	1016	20BHcKSmefo7MFF.exe	MSBuild.exe
PID 1016 wrote to memory of 800	1016	20BHcKSmefo7MFF.exe	MSBuild.exe
PID 1016 wrote to memory of 800	1016	20BHcKSmefo7MFF.exe	MSBuild.exe
PID 1016 wrote to memory of 800	1016	20BHcKSmefo7MFF.exe	MSBuild.exe
PID 800 wrote to memory of 1576	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1576	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1576	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1576	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1576	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1576	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1576	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1576	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1576	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1576	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1932	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1932	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1932	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1932	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1932	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1932	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1932	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1932	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1932	800	MSBuild.exe	vbc.exe
PID 800 wrote to memory of 1932	800	MSBuild.exe	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

20BHcKSmefo7MFF.exeMSBuild.exe

description	pid	process	target process
PID 1016 set thread context of 800	1016	20BHcKSmefo7MFF.exe	MSBuild.exe
PID 800 set thread context of 1576	800	MSBuild.exe	vbc.exe
PID 800 set thread context of 1932	800	MSBuild.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

964 schtasks.exe
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
964	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\20BHcKSmefo7MFF.exe
"C:\Users\Admin\AppData\Local\Temp\20BHcKSmefo7MFF.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CFwuuC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp"
2⤵
- Creates scheduled task(s)
PID:964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF3FE.tmp"
3⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp"
3⤵
PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp

Download Submit
memory/800-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/800-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/800-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1016-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1576-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1576-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads