hawkeye_reborn | 715cb1ccff3cd92b0efe7a49cedb4b8dffe10adf0a110c0121d4097378be3ae4

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2023 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe
Size

787KB
MD5

4c8ee42b6b347ecad6a54c61c5cd909f
SHA1

c72facaef7972892f75c5e97ce1227ddb2bd290b
SHA256

e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3
SHA512

13873989639d0664ca71b03cc79e80cb05a6553ebb99b2ab0532564556a2edb9fff6fd6770ab5492f83fc90a786a28eebbfc47a4e01af9bc73c1e145731d7e27
SSDEEP

12288:M4upPuU6rTGSfztgapw7qJTwHteckqnZJXINmChKdYfUg9qc+Jo2KO:hupGNTHfz+ahZwIc7Xr7OfUg9qto2d

Score

10^/10

hawkeye_reborn collection keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.1

Credentials

Protocol: ftp
Host:
ftp.valuelineadvisors.com
Port:
21
Username:
[email protected]
Password:
computer@147

Mutex

63bbab02-5766-4ccb-828e-6007eebc67fe

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:computer@147 _FTPPort:21 _FTPSFTP:false _FTPServer:ftp.valuelineadvisors.com _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:60 _MeltFile:false _Mutex:63bbab02-5766-4ccb-828e-6007eebc67fe _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4724-18-0x0000000005700000-0x0000000005776000-memory.dmp	MailPassView
behavioral2/memory/5044-35-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/5044-37-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/5044-38-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/5044-40-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4724-18-0x0000000005700000-0x0000000005776000-memory.dmp	WebBrowserPassView
behavioral2/memory/2988-24-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/2988-26-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/2988-27-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/2988-33-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral2/memory/4724-18-0x0000000005700000-0x0000000005776000-memory.dmp	Nirsoft
behavioral2/memory/2988-24-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/2988-26-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/2988-27-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/2988-33-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/5044-35-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/5044-37-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/5044-38-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/5044-40-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral2/memory/4440-8-0x0000000008A30000-0x0000000008AC8000-memory.dmp	rezer0

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	90
PID 4724 set thread context of 2988	4724	RegSvcs.exe	92
PID 4724 set thread context of 5044	4724	RegSvcs.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2988	vbc.exe
2988	vbc.exe
2988	vbc.exe
2988	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	RegSvcs.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4940	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	88
PID 4440 wrote to memory of 4940	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	88
PID 4440 wrote to memory of 4940	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	88
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	90
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	90
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	90
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	90
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	90
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	90
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	90
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	90
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	92
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	92
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	92
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	92
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	92
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	92
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	92
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	92
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	92
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	93
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	93
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	93
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	93
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	93
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	93
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	93
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	93
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	93

C:\Users\Admin\AppData\Local\Temp\e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe
"C:\Users\Admin\AppData\Local\Temp\e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mDmCNKdeRpihu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB630.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE918.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2988
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpED5E.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB630.tmp

Filesize
1KB

MD5
31d987c18f9e8aa51eb29591f1d30f4a

SHA1
89a09d00b936e16fbda04cde5e1cbfe38a00558f

SHA256
f0a5eee73911365b8e36c1c21197075657b406370f6242fd2e015fcce358a375

SHA512
8f2594712a8b145fbbedea35f4f5cf7426207bfda21c11d01ca523bc8b3b6f14d5ae4304fd675e3dbdacb6baa5ba3903effc484b929914b303b9831145c1dc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE918.tmp

Filesize
4KB

MD5
4b7a1143d282cad8f95bacd8c4625ee2

SHA1
e70e2be5f0cd1caf14f68b79746cdd17753a64bd

SHA256
7cf5f82980af1b209fec6680ee49623f7e3488676fff8d1a1a5b8c655cb9f6b2

SHA512
edc01a4814a33fd61f7f2b8d8ec9e08b827a0ecd432785816cc3554b8b57eb3bda45203d12d9a8fcf751f9919c279fcd0866603d00502d22a412a15524814063

Download Submit
memory/2988-33-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2988-32-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/2988-27-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2988-26-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2988-24-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4440-7-0x0000000005D00000-0x0000000005D08000-memory.dmp

Filesize
32KB

Download
memory/4440-1-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4440-0-0x0000000000DF0000-0x0000000000EBA000-memory.dmp

Filesize
808KB

Download
memory/4440-8-0x0000000008A30000-0x0000000008AC8000-memory.dmp

Filesize
608KB

Download
memory/4440-17-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4440-2-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/4440-3-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/4440-4-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

Filesize
64KB

Download
memory/4440-5-0x0000000005940000-0x000000000594A000-memory.dmp

Filesize
40KB

Download
memory/4440-6-0x0000000006EB0000-0x0000000006F4C000-memory.dmp

Filesize
624KB

Download
memory/4724-22-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/4724-21-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/4724-20-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-19-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/4724-18-0x0000000005700000-0x0000000005776000-memory.dmp

Filesize
472KB

Download
memory/4724-16-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5044-35-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5044-37-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5044-38-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5044-40-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download