hawkeye_reborn | 56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d

Analysis

max time kernel
154s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe
Size

783KB
MD5

63e9deac74a65e00c0c75dce31676601
SHA1

6876c5e36a85aa066370fc417be0703b88bbdb9a
SHA256

56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d
SHA512

56fce3eb77f81edc8bf4e7b3038fb63bf9abce5a07fe3a869fe3a60266e74523026ce01f369570b328745ea8d1e8db14dd73c29e1b94af00c1fe6fe1471af2df

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
smtp.lycos.com
Port:
587
Username:
[email protected]
Password:
subjected1

Mutex

c0598697-7482-4f6c-84b0-384a27d361b0

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:subjected1 _EmailPort:587 _EmailSSL:true _EmailServer:smtp.lycos.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:c0598697-7482-4f6c-84b0-384a27d361b0 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/4864-137-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4316-149-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4316-151-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4316-152-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4316-153-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/856-142-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/856-144-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/856-145-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/856-146-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

resource	yara_rule
behavioral2/memory/856-142-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/856-144-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/856-145-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/856-146-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4316-149-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4316-151-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4316-152-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4316-153-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1780 set thread context of 4864	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe	83
PID 4864 set thread context of 856	4864	RegAsm.exe	85
PID 4864 set thread context of 4316	4864	RegAsm.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe
1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe
856	vbc.exe
856	vbc.exe
856	vbc.exe
856	vbc.exe
856	vbc.exe
856	vbc.exe
856	vbc.exe
856	vbc.exe
856	vbc.exe
856	vbc.exe
856	vbc.exe
856	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 4568	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe	81
PID 1780 wrote to memory of 4568	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe	81
PID 1780 wrote to memory of 4568	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe	81
PID 1780 wrote to memory of 4864	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe	83
PID 1780 wrote to memory of 4864	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe	83
PID 1780 wrote to memory of 4864	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe	83
PID 1780 wrote to memory of 4864	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe	83
PID 1780 wrote to memory of 4864	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe	83
PID 1780 wrote to memory of 4864	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe	83
PID 1780 wrote to memory of 4864	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe	83
PID 1780 wrote to memory of 4864	1780	56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe	83
PID 4864 wrote to memory of 856	4864	RegAsm.exe	85
PID 4864 wrote to memory of 856	4864	RegAsm.exe	85
PID 4864 wrote to memory of 856	4864	RegAsm.exe	85
PID 4864 wrote to memory of 856	4864	RegAsm.exe	85
PID 4864 wrote to memory of 856	4864	RegAsm.exe	85
PID 4864 wrote to memory of 856	4864	RegAsm.exe	85
PID 4864 wrote to memory of 856	4864	RegAsm.exe	85
PID 4864 wrote to memory of 856	4864	RegAsm.exe	85
PID 4864 wrote to memory of 856	4864	RegAsm.exe	85
PID 4864 wrote to memory of 4316	4864	RegAsm.exe	86
PID 4864 wrote to memory of 4316	4864	RegAsm.exe	86
PID 4864 wrote to memory of 4316	4864	RegAsm.exe	86
PID 4864 wrote to memory of 4316	4864	RegAsm.exe	86
PID 4864 wrote to memory of 4316	4864	RegAsm.exe	86
PID 4864 wrote to memory of 4316	4864	RegAsm.exe	86
PID 4864 wrote to memory of 4316	4864	RegAsm.exe	86
PID 4864 wrote to memory of 4316	4864	RegAsm.exe	86
PID 4864 wrote to memory of 4316	4864	RegAsm.exe	86

C:\Users\Admin\AppData\Local\Temp\56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe
"C:\Users\Admin\AppData\Local\Temp\56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VGAdLrlVOsoEf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD387.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4568
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp16E9.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:856
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp28FB.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp16E9.tmp

Filesize
4KB

MD5
508d12363b937319e4dbfc174a10ecba

SHA1
edb7ae72b83074621bc83e12d79e6ec91b28952e

SHA256
2e4b211b03ba5a4b727a3bdeb55afc31be43ca8605fe7189fb755befa4f4e061

SHA512
384f33d45223f2428c80e465ecae7e15a0dc348d2421d4ede7e01e77358e8e6eadcb8002227b9577c2ee1071199267c21a5e35554fc773d4d9f583bff0265e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD387.tmp

Filesize
1KB

MD5
a522a14a406e6b21771805cd33134e30

SHA1
ffd4f9da8e12091d561d6ab0051299b6b3c45c3c

SHA256
cd4a9834f4da6bc9929ba23b62248c90546cd9f0d31da51adafb11c296884e80

SHA512
a176b310a9793ac3b124be1a6d855c88717639bcf76de8daef7243b45ace77d14c1f1ef45a481b2a8ac0c59e51425482f36755388358ca1633510dc32b5220cb

Download Submit
memory/856-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/856-146-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/856-145-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/856-144-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1780-133-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1780-132-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1780-138-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/4316-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4316-151-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4316-152-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4316-153-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4864-140-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/4864-139-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/4864-137-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download