hawkeye_reborn | 0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0

Analysis

max time kernel
188s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
29-05-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe
Size

919KB
MD5

aa17f62b1fc7dcf6edf419d49c446027
SHA1

ca287294d35750aeeaec14e8eaf5672ffb35abb9
SHA256

0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0
SHA512

ff9832ebdeff5179dd33efc4757b743ca658381f567faa928daa1faa11353f1b4956f9c1bd47d726d59a4726a10f265915f6dd4f9e09fc578d2df4c0dff3719d

Score

10^/10

hawkeye_reborn keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.0

Credentials

Protocol: ftp
Host:
ftp.tsd.in
Port:
21
Username:
[email protected]
Password:
computer@147

Mutex

01cd6961-ea56-4686-ae63-07f848477b70

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:computer@147 _FTPPort:21 _FTPSFTP:false _FTPServer:ftp.tsd.in _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:01cd6961-ea56-4686-ae63-07f848477b70 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1296-64-0x0000000005BF0000-0x0000000005C8A000-memory.dmp	disable_win_def

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/860-96-0x00000000006C0000-0x0000000000736000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/860-96-0x00000000006C0000-0x0000000000736000-memory.dmp	WebBrowserPassView
behavioral1/memory/572-115-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral1/memory/572-116-0x0000000000444D30-mapping.dmp	WebBrowserPassView
behavioral1/memory/572-119-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral1/memory/572-120-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral1/memory/572-121-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral1/memory/860-96-0x00000000006C0000-0x0000000000736000-memory.dmp	Nirsoft
behavioral1/memory/572-115-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/572-116-0x0000000000444D30-mapping.dmp	Nirsoft
behavioral1/memory/572-119-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/572-120-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/572-121-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1296 set thread context of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 860 set thread context of 572	860	RegSvcs.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
572	vbc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 780	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	27
PID 1296 wrote to memory of 780	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	27
PID 1296 wrote to memory of 780	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	27
PID 1296 wrote to memory of 780	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	27
PID 1296 wrote to memory of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 1296 wrote to memory of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 1296 wrote to memory of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 1296 wrote to memory of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 1296 wrote to memory of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 1296 wrote to memory of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 1296 wrote to memory of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 1296 wrote to memory of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 1296 wrote to memory of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 1296 wrote to memory of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 1296 wrote to memory of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 1296 wrote to memory of 860	1296	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	29
PID 860 wrote to memory of 572	860	RegSvcs.exe	31
PID 860 wrote to memory of 572	860	RegSvcs.exe	31
PID 860 wrote to memory of 572	860	RegSvcs.exe	31
PID 860 wrote to memory of 572	860	RegSvcs.exe	31
PID 860 wrote to memory of 572	860	RegSvcs.exe	31
PID 860 wrote to memory of 572	860	RegSvcs.exe	31
PID 860 wrote to memory of 572	860	RegSvcs.exe	31
PID 860 wrote to memory of 572	860	RegSvcs.exe	31
PID 860 wrote to memory of 572	860	RegSvcs.exe	31
PID 860 wrote to memory of 572	860	RegSvcs.exe	31

C:\Users\Admin\AppData\Local\Temp\0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe
"C:\Users\Admin\AppData\Local\Temp\0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HzpPAdErhOf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE715.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5033.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5033.tmp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE715.tmp

Filesize
1KB

MD5
42082b610028e186f82cf22dbe78a5f9

SHA1
e3ce4187b7a9aff3f29a17bc6a4a8a7cc4ec7fef

SHA256
e90453fc613fd555bd1c3ebf05d0fab45d98b8059705603e30ba690ceb49cbfb

SHA512
3d9c367639c9a1df97a508c0ae45783564a065034307f413cf6738b74d23a8aba6654416b11793c6c12dc15d16ed3e92432903ea38088a6ccf0f3472376456c4

Download Submit
memory/572-107-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/572-104-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/572-119-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/572-109-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/572-121-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/572-120-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/572-105-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/572-111-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/572-115-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/860-98-0x0000000070DD0000-0x000000007215F000-memory.dmp

Filesize
19.6MB

Download
memory/860-96-0x00000000006C0000-0x0000000000736000-memory.dmp

Filesize
472KB

Download
memory/860-114-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/860-78-0x0000000000090000-0x0000000000120000-memory.dmp

Filesize
576KB

Download
memory/860-127-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/860-82-0x0000000000090000-0x0000000000120000-memory.dmp

Filesize
576KB

Download
memory/860-123-0x0000000070DD0000-0x000000007215F000-memory.dmp

Filesize
19.6MB

Download
memory/860-124-0x0000000072AE0000-0x00000000734F0000-memory.dmp

Filesize
10.1MB

Download
memory/860-75-0x0000000000090000-0x0000000000120000-memory.dmp

Filesize
576KB

Download
memory/860-126-0x0000000073AA0000-0x0000000073C71000-memory.dmp

Filesize
1.8MB

Download
memory/860-112-0x0000000073930000-0x0000000073A53000-memory.dmp

Filesize
1.1MB

Download
memory/860-77-0x0000000000090000-0x0000000000120000-memory.dmp

Filesize
576KB

Download
memory/860-81-0x0000000000090000-0x0000000000120000-memory.dmp

Filesize
576KB

Download
memory/860-125-0x00000000700B0000-0x0000000070DCD000-memory.dmp

Filesize
13.1MB

Download
memory/860-103-0x0000000073AA0000-0x0000000073C71000-memory.dmp

Filesize
1.8MB

Download
memory/860-102-0x0000000072300000-0x0000000072AE0000-memory.dmp

Filesize
7.9MB

Download
memory/860-101-0x00000000700B0000-0x0000000070DCD000-memory.dmp

Filesize
13.1MB

Download
memory/860-91-0x0000000000090000-0x0000000000120000-memory.dmp

Filesize
576KB

Download
memory/860-100-0x0000000073C80000-0x0000000073E14000-memory.dmp

Filesize
1.6MB

Download
memory/860-99-0x0000000072AE0000-0x00000000734F0000-memory.dmp

Filesize
10.1MB

Download
memory/860-95-0x0000000000090000-0x0000000000120000-memory.dmp

Filesize
576KB

Download
memory/860-74-0x0000000000090000-0x0000000000120000-memory.dmp

Filesize
576KB

Download
memory/1296-68-0x0000000073D00000-0x0000000073E94000-memory.dmp

Filesize
1.6MB

Download
memory/1296-90-0x000000006F800000-0x000000006F9D1000-memory.dmp

Filesize
1.8MB

Download
memory/1296-92-0x000000006F6D0000-0x000000006F7F3000-memory.dmp

Filesize
1.1MB

Download
memory/1296-88-0x0000000070A30000-0x000000007174D000-memory.dmp

Filesize
13.1MB

Download
memory/1296-86-0x0000000073D00000-0x0000000073E94000-memory.dmp

Filesize
1.6MB

Download
memory/1296-84-0x0000000071750000-0x0000000072160000-memory.dmp

Filesize
10.1MB

Download
memory/1296-83-0x0000000072160000-0x00000000734EF000-memory.dmp

Filesize
19.6MB

Download
memory/1296-73-0x0000000004300000-0x000000000430A000-memory.dmp

Filesize
40KB

Download
memory/1296-72-0x000000006F6D0000-0x000000006F7F3000-memory.dmp

Filesize
1.1MB

Download
memory/1296-69-0x0000000070A30000-0x000000007174D000-memory.dmp

Filesize
13.1MB

Download
memory/1296-54-0x0000000000290000-0x000000000037C000-memory.dmp

Filesize
944KB

Download
memory/1296-67-0x0000000071750000-0x0000000072160000-memory.dmp

Filesize
10.1MB

Download
memory/1296-66-0x0000000072160000-0x00000000734EF000-memory.dmp

Filesize
19.6MB

Download
memory/1296-65-0x000000006F800000-0x000000006F9D1000-memory.dmp

Filesize
1.8MB

Download
memory/1296-64-0x0000000005BF0000-0x0000000005C8A000-memory.dmp

Filesize
616KB

Download
memory/1296-63-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/1296-62-0x000000006FB10000-0x000000007024E000-memory.dmp

Filesize
7.2MB

Download
memory/1296-61-0x0000000073C00000-0x0000000073CFC000-memory.dmp

Filesize
1008KB

Download
memory/1296-60-0x0000000070250000-0x0000000070A30000-memory.dmp

Filesize
7.9MB

Download
memory/1296-59-0x0000000070A30000-0x000000007174D000-memory.dmp

Filesize
13.1MB

Download
memory/1296-58-0x0000000073D00000-0x0000000073E94000-memory.dmp

Filesize
1.6MB

Download
memory/1296-57-0x0000000071750000-0x0000000072160000-memory.dmp

Filesize
10.1MB

Download
memory/1296-56-0x0000000072160000-0x00000000734EF000-memory.dmp

Filesize
19.6MB

Download
memory/1296-55-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download