hawkeye_reborn | 715cb1ccff3cd92b0efe7a49cedb4b8dffe10adf0a110c0121d4097378be3ae4

General

Target

e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe
Size

787KB
MD5

4c8ee42b6b347ecad6a54c61c5cd909f
SHA1

c72facaef7972892f75c5e97ce1227ddb2bd290b
SHA256

e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3
SHA512

13873989639d0664ca71b03cc79e80cb05a6553ebb99b2ab0532564556a2edb9fff6fd6770ab5492f83fc90a786a28eebbfc47a4e01af9bc73c1e145731d7e27
SSDEEP

12288:M4upPuU6rTGSfztgapw7qJTwHteckqnZJXINmChKdYfUg9qc+Jo2KO:hupGNTHfz+ahZwIc7Xr7OfUg9qto2d

Score

10^/10

hawkeye_reborn collection keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.1

Credentials

Protocol: ftp
Host:
ftp.valuelineadvisors.com
Port:
21
Username:
zirox@valuelineadvisors.com
Password:
computer@147

Mutex

63bbab02-5766-4ccb-828e-6007eebc67fe

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:computer@147 _FTPPort:21 _FTPSFTP:false _FTPServer:ftp.valuelineadvisors.com _FTPUsername:zirox@valuelineadvisors.com _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:60 _MeltFile:false _Mutex:63bbab02-5766-4ccb-828e-6007eebc67fe _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4724-18-0x0000000005700000-0x0000000005776000-memory.dmp	MailPassView
behavioral2/memory/5044-35-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/5044-37-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/5044-38-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/5044-40-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4724-18-0x0000000005700000-0x0000000005776000-memory.dmp	WebBrowserPassView
behavioral2/memory/2988-24-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/2988-26-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/2988-27-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/2988-33-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4724-18-0x0000000005700000-0x0000000005776000-memory.dmp	Nirsoft
behavioral2/memory/2988-24-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/2988-26-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/2988-27-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/2988-33-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/5044-35-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/5044-37-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/5044-38-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/5044-40-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/4440-8-0x0000000008A30000-0x0000000008AC8000-memory.dmp	rezer0

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 bot.whatismyipaddress.com

flow	ioc
34	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exeRegSvcs.exe

description	pid	process	target process
PID 4440 set thread context of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 4724 set thread context of 2988	4724	RegSvcs.exe	vbc.exe
PID 4724 set thread context of 5044	4724	RegSvcs.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4940 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vbc.exe

pid process

2988 vbc.exe
2988 vbc.exe
2988 vbc.exe
2988 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 4724 RegSvcs.exe

pid	process
4940	schtasks.exe

pid	process
2988	vbc.exe
2988	vbc.exe
2988	vbc.exe
2988	vbc.exe

description	pid	process
Token: SeDebugPrivilege	4724	RegSvcs.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exeRegSvcs.exe

description	pid	process	target process
PID 4440 wrote to memory of 4940	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	schtasks.exe
PID 4440 wrote to memory of 4940	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	schtasks.exe
PID 4440 wrote to memory of 4940	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	schtasks.exe
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 4440 wrote to memory of 4724	4440	e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe	RegSvcs.exe
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 2988	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	vbc.exe
PID 4724 wrote to memory of 5044	4724	RegSvcs.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe
"C:\Users\Admin\AppData\Local\Temp\e6c68d5aebde1da285975801a26465882250940bbd124f1887d59af0251c82e3.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mDmCNKdeRpihu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB630.tmp"
2⤵
- Creates scheduled task(s)
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE918.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpED5E.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:5044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB630.tmp
Filesize
1KB

MD5
31d987c18f9e8aa51eb29591f1d30f4a

SHA1
89a09d00b936e16fbda04cde5e1cbfe38a00558f

SHA256
f0a5eee73911365b8e36c1c21197075657b406370f6242fd2e015fcce358a375

SHA512
8f2594712a8b145fbbedea35f4f5cf7426207bfda21c11d01ca523bc8b3b6f14d5ae4304fd675e3dbdacb6baa5ba3903effc484b929914b303b9831145c1dc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE918.tmp
Filesize
4KB

MD5
4b7a1143d282cad8f95bacd8c4625ee2

SHA1
e70e2be5f0cd1caf14f68b79746cdd17753a64bd

SHA256
7cf5f82980af1b209fec6680ee49623f7e3488676fff8d1a1a5b8c655cb9f6b2

SHA512
edc01a4814a33fd61f7f2b8d8ec9e08b827a0ecd432785816cc3554b8b57eb3bda45203d12d9a8fcf751f9919c279fcd0866603d00502d22a412a15524814063

Download Submit
memory/2988-33-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2988-32-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/2988-27-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2988-26-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2988-24-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4440-7-0x0000000005D00000-0x0000000005D08000-memory.dmp

Filesize
32KB

Download
memory/4440-1-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4440-0-0x0000000000DF0000-0x0000000000EBA000-memory.dmp

Filesize
808KB

Download
memory/4440-8-0x0000000008A30000-0x0000000008AC8000-memory.dmp

Filesize
608KB

Download
memory/4440-17-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4440-2-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/4440-3-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/4440-4-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

Filesize
64KB

Download
memory/4440-5-0x0000000005940000-0x000000000594A000-memory.dmp

Filesize
40KB

Download
memory/4440-6-0x0000000006EB0000-0x0000000006F4C000-memory.dmp

Filesize
624KB

Download
memory/4724-22-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/4724-21-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/4724-20-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-19-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/4724-18-0x0000000005700000-0x0000000005776000-memory.dmp

Filesize
472KB

Download
memory/4724-16-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5044-35-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5044-37-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5044-38-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5044-40-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads