hawkeye_reborn | aa890a174bf8bf562508e0fe3fbc85494555a92841b2ab42161d0546c9bde6e8

General

Target

INV003889.exe
Size

808KB
MD5

9887ee32e22fb96c93bad425744f93be
SHA1

8e900774103935246250507877d9b39f8445fdba
SHA256

85534754bd3a7cda7234040ba7f0a4440fe85c198e28286ef22fbeb97b3de14b
SHA512

0c7eb5e487fc6354d061375e310ca5c3acb793a3424599cc4ffcb0aa653988d4e85f7d77b65d6a1d50a25c9dcf7315501643f3cda3524f958817835c598e2351
SSDEEP

12288:WVg4HHq/v354wfufiGrjdPEKDlsVSgyseMVPmRLIrJ/Pzjja/Vftd+G3Mqs57HIo:WVfnqf5BWfiG/6NysxQLI5jqW

Score

10^/10

hawkeye_reborn m00nd3v_logger collection credential_access discovery infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.0.0

Credentials

Protocol: smtp
Host:
mail.bnfurniture.net
Port:
587
Username:
[email protected]
Password:
BNF!vloc.146

Mutex

e8d9ca92-733e-4f3e-93ae-f2671efb738d

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:BNF!vloc.146 _EmailPort:587 _EmailSSL:false _EmailServer:mail.bnfurniture.net _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10080 _MeltFile:false _Mutex:e8d9ca92-733e-4f3e-93ae-f2671efb738d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 9 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/1600-11-0x00000000051B0000-0x0000000005264000-memory.dmp	Nirsoft
behavioral2/memory/3856-19-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft
behavioral2/memory/3856-21-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft
behavioral2/memory/3856-22-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft
behavioral2/memory/3856-27-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft
behavioral2/memory/2980-30-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral2/memory/2980-32-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral2/memory/2980-33-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral2/memory/2980-36-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/1600-6-0x0000000000400000-0x00000000004AA000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1600-11-0x00000000051B0000-0x0000000005264000-memory.dmp	MailPassView
behavioral2/memory/2980-30-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView
behavioral2/memory/2980-32-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView
behavioral2/memory/2980-33-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView
behavioral2/memory/2980-36-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1600-11-0x00000000051B0000-0x0000000005264000-memory.dmp	WebBrowserPassView
behavioral2/memory/3856-19-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView
behavioral2/memory/3856-21-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView
behavioral2/memory/3856-22-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView
behavioral2/memory/3856-27-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 bot.whatismyipaddress.com

flow	ioc
36	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

INV003889.exeRegAsm.exe

description	pid	process	target process
PID 1904 set thread context of 1600	1904	INV003889.exe	RegAsm.exe
PID 1600 set thread context of 3856	1600	RegAsm.exe	vbc.exe
PID 1600 set thread context of 2980	1600	RegAsm.exe	vbc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

INV003889.exeRegAsm.exevbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INV003889.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vbc.exe

pid process

3856 vbc.exe
3856 vbc.exe
3856 vbc.exe
3856 vbc.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

INV003889.exe

pid process

1904 INV003889.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1600 RegAsm.exe

pid	process
3856	vbc.exe
3856	vbc.exe
3856	vbc.exe
3856	vbc.exe

pid	process
1904	INV003889.exe

description	pid	process
Token: SeDebugPrivilege	1600	RegAsm.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

INV003889.exeRegAsm.exe

description	pid	process	target process
PID 1904 wrote to memory of 1600	1904	INV003889.exe	RegAsm.exe
PID 1904 wrote to memory of 1600	1904	INV003889.exe	RegAsm.exe
PID 1904 wrote to memory of 1600	1904	INV003889.exe	RegAsm.exe
PID 1904 wrote to memory of 1600	1904	INV003889.exe	RegAsm.exe
PID 1600 wrote to memory of 3856	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 3856	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 3856	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 3856	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 3856	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 3856	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 3856	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 3856	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 3856	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 2980	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 2980	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 2980	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 2980	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 2980	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 2980	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 2980	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 2980	1600	RegAsm.exe	vbc.exe
PID 1600 wrote to memory of 2980	1600	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\INV003889.exe
"C:\Users\Admin\AppData\Local\Temp\INV003889.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF5F9.tmp"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFA01.tmp"
3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF5F9.tmp
Filesize
4KB

MD5
1891919175c888ce82e9bd8a047b01ad

SHA1
502a6892a5d27ecb791ac5aa6d8586944f540453

SHA256
a6c43b4e4b8681cf0ef56c49c730fa77e34dc82db0260253a3ba75039030b9ec

SHA512
8bb940050b1abf6c27db133ed446f41e108f670f361ed5102408832ce33d9b87cd0880723441f1632292eeeb0a319c4e0fac0ea659eb55ebe1130cc3e6c776a3

Download Submit
memory/1600-6-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1600-12-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1600-14-0x00000000098C0000-0x000000000995C000-memory.dmp

Filesize
624KB

Download
memory/1600-15-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1600-16-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/1600-18-0x0000000005DA0000-0x0000000005E32000-memory.dmp

Filesize
584KB

Download
memory/1600-37-0x0000000005D90000-0x0000000005D9A000-memory.dmp

Filesize
40KB

Download
memory/1600-13-0x0000000009ED0000-0x000000000A474000-memory.dmp

Filesize
5.6MB

Download
memory/1600-9-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1600-11-0x00000000051B0000-0x0000000005264000-memory.dmp

Filesize
720KB

Download
memory/1904-10-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1904-1-0x0000000000510000-0x00000000005E0000-memory.dmp

Filesize
832KB

Download
memory/1904-3-0x0000000004F30000-0x0000000004FE2000-memory.dmp

Filesize
712KB

Download
memory/1904-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/1904-4-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/1904-8-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1904-2-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1904-5-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/2980-33-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2980-32-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2980-34-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/2980-36-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2980-30-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3856-27-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3856-22-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3856-21-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3856-19-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads