hawkeye_reborn | 1b082be3eedd59d8f7acc8ad6b117975f5fa357843394de38b8915d16fc23e73

General

Target

Receipt_01000002097_04292020.exe
Size

656KB
MD5

b0663cf3327d48337e5766a947d21417
SHA1

f74d145cf40f6ebc6fe0c5ad6082c3ea86942c98
SHA256

f17b34a25b38f624ce1dc8c5f36cefbf3a989b77714f4c566c085c56f03c8fbb
SHA512

bab2ff206d991f2b8a9f9e4f5d07c1f95fe3aed2eda2bf807d05db3e18ddcb76fef3cc4c0e4a02641848145edba89d81e972f69caeee3b8a7867c2847ea98e83

Score

10^/10

hawkeye_reborn m00nd3v_logger collection keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

Protocol: ftp
Host:
ftp.airbiast.com
Port:
21
Username:
[email protected]
Password:
playboy123#

Mutex

40f2c4d7-d616-43ae-974d-93b4bdc7e04d

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:playboy123# _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.airbiast.com _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:43800 _MeltFile:false _Mutex:40f2c4d7-d616-43ae-974d-93b4bdc7e04d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 4 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1136-63-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1136-64-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1136-65-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1136-66-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1584-59-0x0000000007FD0000-0x0000000008068000-memory.dmp	rezer0

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Receipt_01000002097_04292020.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Receipt_01000002097_04292020.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Receipt_01000002097_04292020.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Receipt_01000002097_04292020.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Receipt_01000002097_04292020.exe

description pid process target process

PID 1584 set thread context of 1136 1584 Receipt_01000002097_04292020.exe Receipt_01000002097_04292020.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1976 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Receipt_01000002097_04292020.exe

pid process

1584 Receipt_01000002097_04292020.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Receipt_01000002097_04292020.exeReceipt_01000002097_04292020.exe

description pid process

Token: SeDebugPrivilege 1584 Receipt_01000002097_04292020.exe
Token: SeDebugPrivilege 1136 Receipt_01000002097_04292020.exe

flow	ioc
4	bot.whatismyipaddress.com

description	pid	process	target process
PID 1584 set thread context of 1136	1584	Receipt_01000002097_04292020.exe	Receipt_01000002097_04292020.exe

pid	process
1976	schtasks.exe

pid	process
1584	Receipt_01000002097_04292020.exe

description	pid	process
Token: SeDebugPrivilege	1584	Receipt_01000002097_04292020.exe
Token: SeDebugPrivilege	1136	Receipt_01000002097_04292020.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Receipt_01000002097_04292020.exe

description	pid	process	target process
PID 1584 wrote to memory of 1976	1584	Receipt_01000002097_04292020.exe	schtasks.exe
PID 1584 wrote to memory of 1976	1584	Receipt_01000002097_04292020.exe	schtasks.exe
PID 1584 wrote to memory of 1976	1584	Receipt_01000002097_04292020.exe	schtasks.exe
PID 1584 wrote to memory of 1976	1584	Receipt_01000002097_04292020.exe	schtasks.exe
PID 1584 wrote to memory of 1136	1584	Receipt_01000002097_04292020.exe	Receipt_01000002097_04292020.exe
PID 1584 wrote to memory of 1136	1584	Receipt_01000002097_04292020.exe	Receipt_01000002097_04292020.exe
PID 1584 wrote to memory of 1136	1584	Receipt_01000002097_04292020.exe	Receipt_01000002097_04292020.exe
PID 1584 wrote to memory of 1136	1584	Receipt_01000002097_04292020.exe	Receipt_01000002097_04292020.exe
PID 1584 wrote to memory of 1136	1584	Receipt_01000002097_04292020.exe	Receipt_01000002097_04292020.exe
PID 1584 wrote to memory of 1136	1584	Receipt_01000002097_04292020.exe	Receipt_01000002097_04292020.exe
PID 1584 wrote to memory of 1136	1584	Receipt_01000002097_04292020.exe	Receipt_01000002097_04292020.exe
PID 1584 wrote to memory of 1136	1584	Receipt_01000002097_04292020.exe	Receipt_01000002097_04292020.exe
PID 1584 wrote to memory of 1136	1584	Receipt_01000002097_04292020.exe	Receipt_01000002097_04292020.exe

outlook_office_path 1 IoCs

Processes:

Receipt_01000002097_04292020.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Receipt_01000002097_04292020.exe

outlook_win_path 1 IoCs

Processes:

Receipt_01000002097_04292020.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Receipt_01000002097_04292020.exe

C:\Users\Admin\AppData\Local\Temp\Receipt_01000002097_04292020.exe
"C:\Users\Admin\AppData\Local\Temp\Receipt_01000002097_04292020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UIPykxfugaVz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A9D.tmp"
2⤵
- Creates scheduled task(s)
PID:1976

C:\Users\Admin\AppData\Local\Temp\Receipt_01000002097_04292020.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5A9D.tmp

MD5
e2c19ba03e2ac2d9e70cd7de5e72ff3d

SHA1
173d50c1a0d7fc8d0f924012d0692cd60394f6aa

SHA256
ec2870c7051268667f59a940bd374d1467c1cc2e6493744a496810c90a8bf34d

SHA512
d29e9126497c9b2552aa7a03965b22dca9e8f454e5415403cf808a4cb5bc4acb6014eb6d8a3843ee29cc3fa74058fd2ac6dde36c854c1002bb57c0d4293227eb

Download Submit
memory/1136-64-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1136-61-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1136-62-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1136-63-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1136-65-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1136-66-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1136-67-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/1136-69-0x0000000002290000-0x0000000004360000-memory.dmp

Filesize
32.8MB

Download
memory/1584-57-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/1584-58-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/1584-59-0x0000000007FD0000-0x0000000008068000-memory.dmp

Filesize
608KB

Download
memory/1584-56-0x0000000076511000-0x0000000076513000-memory.dmp

Filesize
8KB

Download
memory/1584-55-0x0000000000A90000-0x0000000000B3A000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads