hawkeye_reborn | e859cd402b47712b0235056bf30a7ef42a7bf5e2e3c411e8f002e583a479642b

Analysis

max time kernel
157s
max time network
162s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document.exe
Size

663KB
MD5

0e43f07d161f5d0f3739e5588e1bb3e5
SHA1

1c67ae07cc9f304cb40731f6ed64ec1684198aad
SHA256

32a1d99c12d4bbbf6b20ee43a25cf4dccf34ba30d8d40dc68d9c59d4c7ba25d5
SHA512

44a7e55bee5db8a48d90ebada34134bb168d1d9e28aac1864607e2462134113766fdf8e88bc685e4c46576d5c96e2096eb1cd37d1b9f40b85b1005f60f3bcd6d

Score

10^/10

hawkeye_reborn keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.1

Credentials

Protocol: smtp
Host:
mail.eagleeyeapparels.com
Port:
587
Username:
[email protected]
Password:
eagle*qaz

Mutex

f98d37f4-ca90-4ed7-9f6f-6121c4014605

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:eagle*qaz _EmailPort:587 _EmailSSL:true _EmailServer:mail.eagleeyeapparels.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:f98d37f4-ca90-4ed7-9f6f-6121c4014605 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:true _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 bot.whatismyipaddress.com

flow	ioc
3	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 9 IoCs

Processes:

document.exedocument.exedocument.exedocument.exedocument.exedocument.exedocument.exedocument.exedocument.exe

description	pid	process	target process
PID 1948 set thread context of 1936	1948	document.exe	document.exe
PID 1196 set thread context of 1268	1196	document.exe	document.exe
PID 428 set thread context of 1152	428	document.exe	document.exe
PID 1164 set thread context of 1960	1164	document.exe	document.exe
PID 1708 set thread context of 576	1708	document.exe	document.exe
PID 268 set thread context of 1212	268	document.exe	document.exe
PID 1484 set thread context of 552	1484	document.exe	document.exe
PID 1544 set thread context of 1952	1544	document.exe	document.exe
PID 924 set thread context of 2028	924	document.exe	document.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

document.exedocument.exedocument.exedocument.exedocument.exedocument.exe

pid	process
1948	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1464	document.exe
1196	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
1520	document.exe
428	document.exe
1548	document.exe
1548	document.exe
1548	document.exe
1548	document.exe
1548	document.exe
1548	document.exe
1548	document.exe
1548	document.exe
1548	document.exe
1548	document.exe
1548	document.exe
1548	document.exe
1548	document.exe

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

document.exedocument.exedocument.exedocument.exedocument.exedocument.exedocument.exedocument.exedocument.exe

pid	process
1948	document.exe
1196	document.exe
428	document.exe
1164	document.exe
1708	document.exe
268	document.exe
1484	document.exe
1544	document.exe
924	document.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

document.exedocument.exedocument.exedocument.exedocument.exedocument.exedocument.exedocument.exedocument.exedocument.exedocument.exe

description	pid	process	target process
PID 1948 wrote to memory of 1936	1948	document.exe	document.exe
PID 1948 wrote to memory of 1936	1948	document.exe	document.exe
PID 1948 wrote to memory of 1936	1948	document.exe	document.exe
PID 1948 wrote to memory of 1936	1948	document.exe	document.exe
PID 1948 wrote to memory of 1464	1948	document.exe	document.exe
PID 1948 wrote to memory of 1464	1948	document.exe	document.exe
PID 1948 wrote to memory of 1464	1948	document.exe	document.exe
PID 1948 wrote to memory of 1464	1948	document.exe	document.exe
PID 1464 wrote to memory of 1196	1464	document.exe	document.exe
PID 1464 wrote to memory of 1196	1464	document.exe	document.exe
PID 1464 wrote to memory of 1196	1464	document.exe	document.exe
PID 1464 wrote to memory of 1196	1464	document.exe	document.exe
PID 1196 wrote to memory of 1268	1196	document.exe	document.exe
PID 1196 wrote to memory of 1268	1196	document.exe	document.exe
PID 1196 wrote to memory of 1268	1196	document.exe	document.exe
PID 1196 wrote to memory of 1268	1196	document.exe	document.exe
PID 1196 wrote to memory of 1520	1196	document.exe	document.exe
PID 1196 wrote to memory of 1520	1196	document.exe	document.exe
PID 1196 wrote to memory of 1520	1196	document.exe	document.exe
PID 1196 wrote to memory of 1520	1196	document.exe	document.exe
PID 1520 wrote to memory of 428	1520	document.exe	document.exe
PID 1520 wrote to memory of 428	1520	document.exe	document.exe
PID 1520 wrote to memory of 428	1520	document.exe	document.exe
PID 1520 wrote to memory of 428	1520	document.exe	document.exe
PID 428 wrote to memory of 1152	428	document.exe	document.exe
PID 428 wrote to memory of 1152	428	document.exe	document.exe
PID 428 wrote to memory of 1152	428	document.exe	document.exe
PID 428 wrote to memory of 1152	428	document.exe	document.exe
PID 428 wrote to memory of 1548	428	document.exe	document.exe
PID 428 wrote to memory of 1548	428	document.exe	document.exe
PID 428 wrote to memory of 1548	428	document.exe	document.exe
PID 428 wrote to memory of 1548	428	document.exe	document.exe
PID 1548 wrote to memory of 1164	1548	document.exe	document.exe
PID 1548 wrote to memory of 1164	1548	document.exe	document.exe
PID 1548 wrote to memory of 1164	1548	document.exe	document.exe
PID 1548 wrote to memory of 1164	1548	document.exe	document.exe
PID 1164 wrote to memory of 1960	1164	document.exe	document.exe
PID 1164 wrote to memory of 1960	1164	document.exe	document.exe
PID 1164 wrote to memory of 1960	1164	document.exe	document.exe
PID 1164 wrote to memory of 1960	1164	document.exe	document.exe
PID 1164 wrote to memory of 1972	1164	document.exe	document.exe
PID 1164 wrote to memory of 1972	1164	document.exe	document.exe
PID 1164 wrote to memory of 1972	1164	document.exe	document.exe
PID 1164 wrote to memory of 1972	1164	document.exe	document.exe
PID 1972 wrote to memory of 1708	1972	document.exe	document.exe
PID 1972 wrote to memory of 1708	1972	document.exe	document.exe
PID 1972 wrote to memory of 1708	1972	document.exe	document.exe
PID 1972 wrote to memory of 1708	1972	document.exe	document.exe
PID 1708 wrote to memory of 576	1708	document.exe	document.exe
PID 1708 wrote to memory of 576	1708	document.exe	document.exe
PID 1708 wrote to memory of 576	1708	document.exe	document.exe
PID 1708 wrote to memory of 576	1708	document.exe	document.exe
PID 1708 wrote to memory of 340	1708	document.exe	document.exe
PID 1708 wrote to memory of 340	1708	document.exe	document.exe
PID 1708 wrote to memory of 340	1708	document.exe	document.exe
PID 1708 wrote to memory of 340	1708	document.exe	document.exe
PID 340 wrote to memory of 268	340	document.exe	document.exe
PID 340 wrote to memory of 268	340	document.exe	document.exe
PID 340 wrote to memory of 268	340	document.exe	document.exe
PID 340 wrote to memory of 268	340	document.exe	document.exe
PID 268 wrote to memory of 1212	268	document.exe	document.exe
PID 268 wrote to memory of 1212	268	document.exe	document.exe
PID 268 wrote to memory of 1212	268	document.exe	document.exe
PID 268 wrote to memory of 1212	268	document.exe	document.exe

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
2⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe" 2 1936 7081805
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe" 2 1268 7102195
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe" 2 1152 7120852
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
5⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe" 2 1960 7139354
5⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe" 2 576 7157856
7⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
9⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe" 2 1212 7176435
9⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1484

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
11⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe" 2 552 7195062
11⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1544

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
13⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe" 2 1952 7213704
13⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:924

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
15⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe" 2 2028 7232237
15⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
7⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
3⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\document.exe
"C:\Users\Admin\AppData\Local\Temp\document.exe"
1⤵
PID:1268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-118-0x0000000000000000-mapping.dmp

Download
memory/340-110-0x0000000000000000-mapping.dmp

Download
memory/428-79-0x0000000000000000-mapping.dmp

Download
memory/552-143-0x00000000749B0000-0x0000000074F5B000-memory.dmp

Filesize
5.7MB

Download
memory/552-138-0x0000000001EC0000-0x0000000001F50000-memory.dmp

Filesize
576KB

Download
memory/552-139-0x0000000001EC0000-0x0000000001F50000-memory.dmp

Filesize
576KB

Download
memory/552-135-0x000000000052B720-mapping.dmp

Download
memory/576-112-0x0000000001EF0000-0x0000000001F80000-memory.dmp

Filesize
576KB

Download
memory/576-117-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/576-109-0x000000000052B720-mapping.dmp

Download
memory/924-157-0x0000000000000000-mapping.dmp

Download
memory/952-123-0x0000000000000000-mapping.dmp

Download
memory/1152-85-0x0000000001F70000-0x0000000002000000-memory.dmp

Filesize
576KB

Download
memory/1152-86-0x0000000001F70000-0x0000000002000000-memory.dmp

Filesize
576KB

Download
memory/1152-91-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1152-83-0x000000000052B720-mapping.dmp

Download
memory/1164-92-0x0000000000000000-mapping.dmp

Download
memory/1196-66-0x0000000000000000-mapping.dmp

Download
memory/1212-130-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1212-126-0x0000000001F30000-0x0000000001FC0000-memory.dmp

Filesize
576KB

Download
memory/1212-124-0x0000000001F30000-0x0000000001FC0000-memory.dmp

Filesize
576KB

Download
memory/1212-122-0x000000000052B720-mapping.dmp

Download
memory/1268-73-0x0000000001E00000-0x0000000001E90000-memory.dmp

Filesize
576KB

Download
memory/1268-78-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/1268-72-0x0000000001E00000-0x0000000001E90000-memory.dmp

Filesize
576KB

Download
memory/1268-70-0x000000000052B720-mapping.dmp

Download
memory/1464-58-0x0000000000000000-mapping.dmp

Download
memory/1472-149-0x0000000000000000-mapping.dmp

Download
memory/1484-131-0x0000000000000000-mapping.dmp

Download
memory/1520-71-0x0000000000000000-mapping.dmp

Download
memory/1532-162-0x0000000000000000-mapping.dmp

Download
memory/1544-144-0x0000000000000000-mapping.dmp

Download
memory/1548-84-0x0000000000000000-mapping.dmp

Download
memory/1632-136-0x0000000000000000-mapping.dmp

Download
memory/1708-105-0x0000000000000000-mapping.dmp

Download
memory/1936-65-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-60-0x0000000001EB0000-0x0000000001F40000-memory.dmp

Filesize
576KB

Download
memory/1936-61-0x0000000001EB0000-0x0000000001F40000-memory.dmp

Filesize
576KB

Download
memory/1936-57-0x000000000052B720-mapping.dmp

Download
memory/1948-56-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1948-54-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download
memory/1952-148-0x000000000052B720-mapping.dmp

Download
memory/1952-152-0x0000000000740000-0x00000000007D0000-memory.dmp

Filesize
576KB

Download
memory/1952-151-0x0000000000740000-0x00000000007D0000-memory.dmp

Filesize
576KB

Download
memory/1952-156-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1960-104-0x00000000749B0000-0x0000000074F5B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-99-0x0000000001E70000-0x0000000001F00000-memory.dmp

Filesize
576KB

Download
memory/1960-96-0x000000000052B720-mapping.dmp

Download
memory/1960-100-0x0000000001E70000-0x0000000001F00000-memory.dmp

Filesize
576KB

Download
memory/1972-97-0x0000000000000000-mapping.dmp

Download
memory/2028-161-0x000000000052B720-mapping.dmp

Download
memory/2028-165-0x0000000001E50000-0x0000000001EE0000-memory.dmp

Filesize
576KB

Download