hawkeye_reborn | 41b53c982c2edd57486bd2c699e783446b01c244915254067ac0cb073926b4db

General

Target

PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
Size

781KB
MD5

f31581564b5bbc14d3c862c2be157a52
SHA1

64e62fe3198a16cb205acd31400af967ad3dd347
SHA256

7c0f66eed3a2fc7c90ab5db03483aada693894a77a1480e22521ccf422a08ba3
SHA512

ded28a91894313cbdd5678ec191c1e138d524ce3785ca96a255b2bc09cf5f18b8d287a48cf6b754d658f5ab70d95f933899208dc54c21f6b113a0e87200f3f1a

Score

10^/10

hawkeye_reborn keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.1

Credentials

Protocol: smtp
Host:
mail.eagleeyeapparels.com
Port:
587
Username:
[email protected]
Password:
eagle*qaz

Mutex

f98d37f4-ca90-4ed7-9f6f-6121c4014605

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:eagle*qaz _EmailPort:587 _EmailSSL:true _EmailServer:mail.eagleeyeapparels.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:f98d37f4-ca90-4ed7-9f6f-6121c4014605 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:true _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 bot.whatismyipaddress.com

flow	ioc
3	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

description	pid	process	target process
PID 384 set thread context of 1968	384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

pid process

384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

description pid process

Token: SeDebugPrivilege 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

pid	process
384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

description	pid	process
Token: SeDebugPrivilege	384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

description	pid	process	target process
PID 384 wrote to memory of 1968	384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
PID 384 wrote to memory of 1968	384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
PID 384 wrote to memory of 1968	384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
PID 384 wrote to memory of 1968	384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
PID 384 wrote to memory of 1968	384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
PID 384 wrote to memory of 1968	384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
PID 384 wrote to memory of 1968	384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
PID 384 wrote to memory of 1968	384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
PID 384 wrote to memory of 1968	384	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe	PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
"C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
"{path}"
2⤵
PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-54-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/384-55-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-56-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1968-57-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1968-59-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1968-60-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1968-61-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1968-62-0x000000000048B39E-mapping.dmp

Download
memory/1968-64-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1968-66-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1968-68-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing