hawkeye_reborn | bf46f077e141459e3dd7c2e481031329a1cb9180995fc43734e137feb5c623fe

General

Target

URAntWWIDAKGWvH.exe
Size

938KB
MD5

a6878e0f706ce30c91d3536cf7a868f9
SHA1

ed2f0c27809876a2e297552fc270ea5d58c92be5
SHA256

262f885facb446834a04e4af5746633127d68e9e68ce157052bad0b7404a4c16
SHA512

c90b904ca16673b0efc633428d929cd7db87b8b16777b7dcd9a0af7dbb38afb074592288761f8a8ee6dbadd5b5bf28e3c9b5fb2bb017164d3d56a489bbc14879

Score

10^/10

hawkeye_reborn m00nd3v_logger collection keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

Protocol: ftp
Host:
ftp.aramrak.eu
Port:
21
Username:
[email protected]
Password:
admin2020#

Mutex

9d0dde5f-d32b-42e1-88e9-8b122ebe267b

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:admin2020# _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.aramrak.eu _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:9d0dde5f-d32b-42e1-88e9-8b122ebe267b _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 4 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1772-63-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1772-64-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1772-65-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1772-66-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/840-59-0x0000000007EB0000-0x0000000007F48000-memory.dmp	rezer0

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

URAntWWIDAKGWvH.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	URAntWWIDAKGWvH.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	URAntWWIDAKGWvH.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	URAntWWIDAKGWvH.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

URAntWWIDAKGWvH.exe

description pid process target process

PID 840 set thread context of 1772 840 URAntWWIDAKGWvH.exe URAntWWIDAKGWvH.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1752 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

URAntWWIDAKGWvH.exe

pid process

840 URAntWWIDAKGWvH.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

URAntWWIDAKGWvH.exeURAntWWIDAKGWvH.exe

description pid process

Token: SeDebugPrivilege 840 URAntWWIDAKGWvH.exe
Token: SeDebugPrivilege 1772 URAntWWIDAKGWvH.exe

flow	ioc
4	bot.whatismyipaddress.com

description	pid	process	target process
PID 840 set thread context of 1772	840	URAntWWIDAKGWvH.exe	URAntWWIDAKGWvH.exe

pid	process
1752	schtasks.exe

pid	process
840	URAntWWIDAKGWvH.exe

description	pid	process
Token: SeDebugPrivilege	840	URAntWWIDAKGWvH.exe
Token: SeDebugPrivilege	1772	URAntWWIDAKGWvH.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

URAntWWIDAKGWvH.exe

description	pid	process	target process
PID 840 wrote to memory of 1752	840	URAntWWIDAKGWvH.exe	schtasks.exe
PID 840 wrote to memory of 1752	840	URAntWWIDAKGWvH.exe	schtasks.exe
PID 840 wrote to memory of 1752	840	URAntWWIDAKGWvH.exe	schtasks.exe
PID 840 wrote to memory of 1752	840	URAntWWIDAKGWvH.exe	schtasks.exe
PID 840 wrote to memory of 1772	840	URAntWWIDAKGWvH.exe	URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772	840	URAntWWIDAKGWvH.exe	URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772	840	URAntWWIDAKGWvH.exe	URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772	840	URAntWWIDAKGWvH.exe	URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772	840	URAntWWIDAKGWvH.exe	URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772	840	URAntWWIDAKGWvH.exe	URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772	840	URAntWWIDAKGWvH.exe	URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772	840	URAntWWIDAKGWvH.exe	URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772	840	URAntWWIDAKGWvH.exe	URAntWWIDAKGWvH.exe

outlook_office_path 1 IoCs

Processes:

URAntWWIDAKGWvH.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	URAntWWIDAKGWvH.exe

outlook_win_path 1 IoCs

Processes:

URAntWWIDAKGWvH.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	URAntWWIDAKGWvH.exe

C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
"C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGCsZVSPdCGAaI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBA0.tmp"
2⤵
- Creates scheduled task(s)
PID:1752

C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBBA0.tmp

MD5
b7ac982f0c7e55ba4f2d38e02ddc7485

SHA1
86c8813c31f1385161a4b04db962e8489880d314

SHA256
01b93d3d89dafc9b2ebf889d4011b304f93e8f6f1d74b3435c688402163ae2bc

SHA512
a0729cd06f1a19ad4f54258bb23132b2834e818a46036121632c484d1e32edaa7e63915b7c127a7ccb7bd0c7b8290b91a69e9bf3bb543f7e5d5af6ae2f1f6006

Download Submit
memory/840-55-0x0000000001100000-0x00000000011F0000-memory.dmp

Filesize
960KB

Download
memory/840-56-0x0000000076371000-0x0000000076373000-memory.dmp

Filesize
8KB

Download
memory/840-57-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/840-58-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/840-59-0x0000000007EB0000-0x0000000007F48000-memory.dmp

Filesize
608KB

Download
memory/1772-61-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1772-62-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1772-63-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1772-64-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1772-65-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1772-66-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1772-67-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/1772-69-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1772-70-0x0000000004D05000-0x0000000004D16000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads