Malware Analysis Report

2025-01-18 02:38

Sample ID 220205-rprxbacdgn
Target 72e559bf1066cdbca5974a3155e7262b7b536e2f654aa18d7530354a407f8bc5
SHA256 72e559bf1066cdbca5974a3155e7262b7b536e2f654aa18d7530354a407f8bc5
Tags
hawkeye_reborn evasion keylogger rezer0 spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72e559bf1066cdbca5974a3155e7262b7b536e2f654aa18d7530354a407f8bc5

Threat Level: Known bad

The file 72e559bf1066cdbca5974a3155e7262b7b536e2f654aa18d7530354a407f8bc5 was found to be: Known bad.

Malicious Activity Summary

hawkeye_reborn evasion keylogger rezer0 spyware stealer trojan

HawkEye Reborn

Modifies Windows Defender Real-time Protection settings

Looks for VirtualBox Guest Additions in registry

ReZer0 packer

NirSoft MailPassView

Nirsoft

NirSoft WebBrowserPassView

Looks for VMWare Tools registry key

Checks BIOS information in registry

Windows security modification

Maps connected drives based on registry

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-05 14:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-05 14:22

Reported

2022-02-05 14:25

Platform

win7-en-20211208

Max time kernel

132s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

Modifies Windows Defender Real-time Protection settings

evasion trojan

Looks for VirtualBox Guest Additions in registry

evasion

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ReZer0 packer

rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | bot.whatismyipaddress.com | N/A | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1312 set thread context of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1312 wrote to memory of 1640 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 568 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1312 wrote to memory of 1420 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sTpIzWFY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF028.tmp"

C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp
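The behaviours recorded in the Signatures, Processes and Network sections above reduce to a handful of detectable patterns. The following Python is an added example and is not part of the sandbox report: it replays a constructed, Sysmon-style event list (the field names type, pid, ppid, image, cmdline, key, value, target_pid and query are assumptions) built from the report's rows plus a benign schtasks decoy, and flags the Defender TamperProtection write under Wow6432Node, the schtasks /Create /XML import from the user's Temp directory, the WriteProcessMemory plus SetThreadContext pair against a child spawned from the sample's own image, and the DNS lookup of an external-IP service. The ATT&CK technique IDs in the mapping are the standard Enterprise ones and are supplied here, not taken from the page (the page's MITRE ATT&CK section is empty).

```python
"""Detections derived from the behavioral1 run of MT103 SWIFT_PDF.exe.

Added example, not part of the sandbox report.  The event schema below is an
assumption modelled loosely on Sysmon field names; the sample events are
constructed from the report's rows and are not real logs.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Rule name -> ATT&CK Enterprise technique (supplied here, not from the report).
TECHNIQUES = {
    "defender_tamper_protection_disabled": "T1562.001",
    "schtasks_xml_from_temp": "T1053.005",
    "process_hollowing_self_child": "T1055.012",
    "external_ip_lookup": "T1016",
}

TAMPER_KEY_RE = re.compile(r"\\Windows Defender\\Features\\TamperProtection$", re.I)
SCHTASKS_XML_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
IP_LOOKUP_RE = re.compile(r"whatismyip|ipify|icanhazip|checkip", re.I)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe"

# Constructed telemetry mirroring the report rows, plus one benign decoy.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "registry_set", "pid": "1312", "image": SAMPLE_EXE,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "value": "0"},
    {"type": "process_create", "pid": "568", "ppid": "1312",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sTpIzWFY" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpF028.tmp"'},
    {"type": "process_create", "pid": "1420", "ppid": "1312",
     "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"type": "write_process_memory", "pid": "1312", "target_pid": "568"},   # write only
    {"type": "write_process_memory", "pid": "1312", "target_pid": "1420"},
    {"type": "set_thread_context", "pid": "1312", "target_pid": "1420"},
    {"type": "dns_query", "pid": "1312", "query": "bot.whatismyipaddress.com"},
    # Decoy: a task import from ProgramData is routine and must not fire.
    {"type": "process_create", "pid": "900", "ppid": "700",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Maint\Cleanup" /XML "C:\ProgramData\Vendor\task.xml"'},
]


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one hit per matched rule: {"rule", "technique", "pid", "detail"}."""
    hits: List[Dict[str, str]] = []
    images: Dict[str, str] = {}          # pid -> image path
    parents: Dict[str, str] = {}         # child pid -> parent pid
    cross_proc: Dict[Tuple[str, str], Set[str]] = defaultdict(set)  # (src, dst) -> primitives

    def hit(rule: str, pid: str, detail: str) -> None:
        hits.append({"rule": rule, "technique": TECHNIQUES[rule], "pid": pid, "detail": detail})

    for ev in events:
        kind = ev["type"]
        if "image" in ev:
            images[ev["pid"]] = ev["image"]
        if kind == "process_create":
            parents[ev["pid"]] = ev["ppid"]
            m = SCHTASKS_XML_RE.search(ev.get("cmdline", ""))
            xml = (m.group(1) or m.group(2)) if m else ""
            # Task definition imported from a user-writable temp path.
            if ev["image"].lower().endswith("\\schtasks.exe") and TEMP_PATH_RE.search(xml):
                hit("schtasks_xml_from_temp", ev["pid"], xml)
        elif kind == "registry_set":
            if TAMPER_KEY_RE.search(ev["key"]) and ev["value"] == "0":
                hit("defender_tamper_protection_disabled", ev["pid"], ev["key"])
        elif kind in ("write_process_memory", "set_thread_context"):
            cross_proc[(ev["pid"], ev["target_pid"])].add(kind)
        elif kind == "dns_query":
            if IP_LOOKUP_RE.search(ev["query"]):
                hit("external_ip_lookup", ev["pid"], ev["query"])

    # Hollowing pattern: the parent both writes memory and resets the thread
    # context of a child it spawned from its own image.  Writes alone (as the
    # report shows towards schtasks.exe and powershell.exe) do not qualify.
    for (src, dst), prims in cross_proc.items():
        if ({"write_process_memory", "set_thread_context"} <= prims
                and parents.get(dst) == src
                and images.get(dst, "").lower() == images.get(src, "?").lower()):
            hit("process_hollowing_self_child", src, f"child pid {dst} ({images[dst]})")
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f'{h["technique"]:<10} {h["rule"]:<38} pid={h["pid"]} {h["detail"]}')
```

Run against the constructed events, detect() yields four hits, one per rule, all attributed to PID 1312 except the schtasks import, which is attributed to PID 568. The write-only event towards the schtasks child and the ProgramData task import produce nothing, which is the behaviour to preserve when tuning: the hollowing rule requires the SetThreadContext step, and the task rule keys on where the XML lives rather than on schtasks itself.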

Files

memory/1312-54-0x0000000000CB0000-0x0000000000D66000-memory.dmp

memory/1312-55-0x0000000075D51000-0x0000000075D53000-memory.dmp

memory/1312-56-0x0000000000C30000-0x0000000000C31000-memory.dmp

memory/1312-57-0x00000000004F0000-0x00000000004FA000-memory.dmp

memory/1312-58-0x0000000005C10000-0x0000000005CA8000-memory.dmp

memory/1640-63-0x0000000001DA1000-0x0000000001DA2000-memory.dmp

memory/1640-62-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

memory/1640-64-0x0000000001DA2000-0x0000000001DA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF028.tmp

MD5 9a3c01cc73f5b776b2a6ebec1ad30253
SHA1 fd7cf23cf99f43f2b40e6d036d90cdcda132a625
SHA256 389957274be81b1b006282967c1aaa78bbb0408bf071d2cd51e0b483f2f1b6ef
SHA512 df8ee318f065c58df6872771fa34e18b408cf0c6323a65edaeee9150b90f0d2fe15ca0aa6f734d121e06adbf81e2d789384e64be94802bf0623ac75d13c8c3b7

memory/1420-66-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1420-67-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1420-68-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1420-69-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1420-70-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1420-71-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1420-72-0x0000000004620000-0x0000000004696000-memory.dmp

memory/1420-73-0x00000000046F0000-0x00000000046F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-05 14:22

Reported

2022-02-05 14:25

Platform

win10v2004-en-20220113

Max time kernel

17s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe"

Signatures

N/A (no signatures fired on the Windows 10 run: the sample ran for 17s, spawned no child processes, and the only network traffic was to settings-win.data.microsoft.com, so the Windows 7 run above is the only one with behavioral coverage)

Processes

C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp
US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp

Files

memory/4680-130-0x0000000000670000-0x0000000000726000-memory.dmp

memory/4680-131-0x00000000055F0000-0x0000000005B94000-memory.dmp

memory/4680-132-0x00000000050E0000-0x0000000005172000-memory.dmp