hawkeye_reborn | 715cb1ccff3cd92b0efe7a49cedb4b8dffe10adf0a110c0121d4097378be3ae4

General

Target

e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe
Size

787KB
MD5

4c8ee42b6b347ecad6a54c61c5cd909f
SHA1

c72facaef7972892f75c5e97ce1227ddb2bd290b
SHA256

e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3
SHA512

13873989639d0664ca71b03cc79e80cb05a6553ebb99b2ab0532564556a2edb9fff6fd6770ab5492f83fc90a786a28eebbfc47a4e01af9bc73c1e145731d7e27
SSDEEP

12288:M4upPuU6rTGSfztgapw7qJTwHteckqnZJXINmChKdYfUg9qc+Jo2KO:hupGNTHfz+ahZwIc7Xr7OfUg9qto2d

Score

10^/10

hawkeye_reborn keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.1

Credentials

Protocol: ftp
Host:
ftp.valuelineadvisors.com
Port:
21
Username:
zirox@valuelineadvisors.com
Password:
computer@147

Mutex

63bbab02-5766-4ccb-828e-6007eebc67fe

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:computer@147 _FTPPort:21 _FTPSFTP:false _FTPServer:ftp.valuelineadvisors.com _FTPUsername:zirox@valuelineadvisors.com _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:60 _MeltFile:false _Mutex:63bbab02-5766-4ccb-828e-6007eebc67fe _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2284-25-0x00000000041F0000-0x0000000004266000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2284-25-0x00000000041F0000-0x0000000004266000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2284-25-0x00000000041F0000-0x0000000004266000-memory.dmp	Nirsoft

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/2120-4-0x0000000005FA0000-0x0000000006038000-memory.dmp	rezer0

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe

description	pid	process	target process
PID 2120 set thread context of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2096 schtasks.exe

pid	process
2096	schtasks.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exeRegSvcs.exe

description	pid	process	target process
PID 2120 wrote to memory of 2096	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	schtasks.exe
PID 2120 wrote to memory of 2096	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	schtasks.exe
PID 2120 wrote to memory of 2096	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	schtasks.exe
PID 2120 wrote to memory of 2096	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	schtasks.exe
PID 2120 wrote to memory of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 2120 wrote to memory of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 2120 wrote to memory of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 2120 wrote to memory of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 2120 wrote to memory of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 2120 wrote to memory of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 2120 wrote to memory of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 2120 wrote to memory of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 2120 wrote to memory of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 2120 wrote to memory of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 2120 wrote to memory of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 2120 wrote to memory of 2284	2120	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 2284 wrote to memory of 2736	2284	RegSvcs.exe	vbc.exe
PID 2284 wrote to memory of 2736	2284	RegSvcs.exe	vbc.exe
PID 2284 wrote to memory of 2736	2284	RegSvcs.exe	vbc.exe
PID 2284 wrote to memory of 2736	2284	RegSvcs.exe	vbc.exe
PID 2284 wrote to memory of 2736	2284	RegSvcs.exe	vbc.exe
PID 2284 wrote to memory of 2736	2284	RegSvcs.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe
"C:\Users\Admin\AppData\Local\Temp\e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mDmCNKdeRpihu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB442.tmp"
2⤵
- Creates scheduled task(s)
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE86C.tmp"
3⤵
PID:2736

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB442.tmp
Filesize
1KB

MD5
9bd18c09b2ea7a96e5f8e4a894b84ec9

SHA1
d2eb7839936a2aa200210f2b0a34006c354dfa74

SHA256
ba8412b167d512d475e57db1c4f42ef0523f0d57b985a0b5863a6e05f5029884

SHA512
6bf45cbdbb5f99c1d7d96a46182c278a90d6e33cc270f9931378065b976466b413840b4a5cb18a178aa88a481c2c7563918347f38eb735b5c626d8f4625d80d7

Download Submit
memory/2120-0-0x0000000000B00000-0x0000000000BCA000-memory.dmp

Filesize
808KB

Download
memory/2120-1-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2120-2-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2120-3-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2120-4-0x0000000005FA0000-0x0000000006038000-memory.dmp

Filesize
608KB

Download
memory/2120-23-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2284-20-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2284-25-0x00000000041F0000-0x0000000004266000-memory.dmp

Filesize
472KB

Download
memory/2284-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2284-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2284-18-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2284-11-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2284-22-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2284-24-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2284-10-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2284-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2284-26-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/2284-27-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2284-28-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/2284-30-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/2284-37-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/2736-33-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2736-35-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2736-31-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads