hawkeye_reborn | 0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0

Analysis

max time kernel
172s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
29-05-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe
Size

919KB
MD5

aa17f62b1fc7dcf6edf419d49c446027
SHA1

ca287294d35750aeeaec14e8eaf5672ffb35abb9
SHA256

0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0
SHA512

ff9832ebdeff5179dd33efc4757b743ca658381f567faa928daa1faa11353f1b4956f9c1bd47d726d59a4726a10f265915f6dd4f9e09fc578d2df4c0dff3719d

Score

10^/10

hawkeye_reborn collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.0

Credentials

Protocol: ftp
Host:
ftp.tsd.in
Port:
21
Username:
[email protected]
Password:
computer@147

Mutex

01cd6961-ea56-4686-ae63-07f848477b70

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:computer@147 _FTPPort:21 _FTPSFTP:false _FTPServer:ftp.tsd.in _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:01cd6961-ea56-4686-ae63-07f848477b70 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4280-149-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4280-151-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4280-152-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1832-142-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/1832-144-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/1832-145-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/1832-147-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/1832-142-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/1832-144-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/1832-145-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/1832-147-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/4280-149-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4280-151-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4280-152-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3884 set thread context of 1312	3884	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	83
PID 1312 set thread context of 1832	1312	RegSvcs.exe	84
PID 1312 set thread context of 4280	1312	RegSvcs.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1832	vbc.exe
1832	vbc.exe
1832	vbc.exe
1832	vbc.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 3328	3884	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	81
PID 3884 wrote to memory of 3328	3884	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	81
PID 3884 wrote to memory of 3328	3884	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	81
PID 3884 wrote to memory of 1312	3884	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	83
PID 3884 wrote to memory of 1312	3884	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	83
PID 3884 wrote to memory of 1312	3884	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	83
PID 3884 wrote to memory of 1312	3884	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	83
PID 3884 wrote to memory of 1312	3884	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	83
PID 3884 wrote to memory of 1312	3884	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	83
PID 3884 wrote to memory of 1312	3884	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	83
PID 3884 wrote to memory of 1312	3884	0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe	83
PID 1312 wrote to memory of 1832	1312	RegSvcs.exe	84
PID 1312 wrote to memory of 1832	1312	RegSvcs.exe	84
PID 1312 wrote to memory of 1832	1312	RegSvcs.exe	84
PID 1312 wrote to memory of 1832	1312	RegSvcs.exe	84
PID 1312 wrote to memory of 1832	1312	RegSvcs.exe	84
PID 1312 wrote to memory of 1832	1312	RegSvcs.exe	84
PID 1312 wrote to memory of 1832	1312	RegSvcs.exe	84
PID 1312 wrote to memory of 1832	1312	RegSvcs.exe	84
PID 1312 wrote to memory of 1832	1312	RegSvcs.exe	84
PID 1312 wrote to memory of 4280	1312	RegSvcs.exe	85
PID 1312 wrote to memory of 4280	1312	RegSvcs.exe	85
PID 1312 wrote to memory of 4280	1312	RegSvcs.exe	85
PID 1312 wrote to memory of 4280	1312	RegSvcs.exe	85
PID 1312 wrote to memory of 4280	1312	RegSvcs.exe	85
PID 1312 wrote to memory of 4280	1312	RegSvcs.exe	85
PID 1312 wrote to memory of 4280	1312	RegSvcs.exe	85
PID 1312 wrote to memory of 4280	1312	RegSvcs.exe	85
PID 1312 wrote to memory of 4280	1312	RegSvcs.exe	85

C:\Users\Admin\AppData\Local\Temp\0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe
"C:\Users\Admin\AppData\Local\Temp\0d510ab8816b1d504eacfd51c704f47c4d54f1f0c3a6a017704d0ccb6f388ad0.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HzpPAdErhOf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4244.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7B26.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8151.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:4280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4244.tmp

Filesize
1KB

MD5
6e385ad13d360af34a687ee4be5ff39b

SHA1
4a3c7198f54f88f57cd911e747f1a8d8f2874609

SHA256
9fa0b85715398fc8635a79a6c9605bfdf7aeb089356d76a34ed714be92bc46f1

SHA512
d342eef188b5435d5b5f2401777cf89b07f93910861db827bb4ee8027d85805d21e3c83aae62b6e3c398634556a857e3e382505cd4582a98c65a227a96e7df59

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B26.tmp

Filesize
4KB

MD5
92b3d04dbcf7aa8eabb0096c55624068

SHA1
04a3b14a8f16bdd8a67f1b5d6be8c3db79c766c7

SHA256
84e388e2bbff6a229d99df8d7e0558e46e793106c2f3bb290c6acc06fe31fe9c

SHA512
fbd6a298b66e2117f68028cdf9fa1b3e441f87fa8a052ce1be628ae65116d5b2953cdc8117dce57e86475a75412b1a85f431eb0da6dd788ec5312d34ff71f9d1

Download Submit
memory/1312-140-0x0000000000550000-0x00000000005E0000-memory.dmp

Filesize
576KB

Download
memory/1832-147-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1832-145-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1832-144-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1832-142-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3884-133-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/3884-132-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/3884-135-0x00000000013F0000-0x0000000001456000-memory.dmp

Filesize
408KB

Download
memory/3884-134-0x0000000008F90000-0x000000000902C000-memory.dmp

Filesize
624KB

Download
memory/3884-131-0x0000000005D30000-0x00000000062D4000-memory.dmp

Filesize
5.6MB

Download
memory/3884-130-0x0000000000C20000-0x0000000000D0C000-memory.dmp

Filesize
944KB

Download
memory/4280-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4280-151-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4280-152-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download