Overview

overview

10

Static

static

678900.pdf.exe

windows7_x64

10

678900.pdf.exe

windows10_x64

10
General
Target

678900.pdf.exe

Size

802KB

Sample

200526-cdkyw2aqts

Score
10/10
MD5

109964ff67ad854a737b1cd1902a5424

SHA1

afcf13c1f3e3d4e19f20e8449302e429e10c5d7c

SHA256

a5a00f206182c8e732f580b520af49f2b5a33c93676f15e8eadb5d1eba6ed497

SHA512

501b5bb9825fd116882863688f72f4d1cc03e64d10c8d3706b5870f48415f6b87675e17a4548e3da2e8d820d529ba1ffc806ddd0926fd2ac67b2be46c0b5003a

Malware Config

Extracted

Family

hawkeye_reborn
Version

10.1.0.0
Credentials

Protocol: smtp

Host: mail.3enaluminyum.com.tr

Port: 587

Username: ihgungor@3enaluminyum.com.tr

Password: 3eN13579?
Attributes
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:3eN13579? _EmailPort:587 _EmailSSL:true _EmailServer:mail.3enaluminyum.com.tr _EmailUsername:ihgungor@3enaluminyum.com.tr _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:1278e7d4-dcd9-4a7a-8780-d6f5636aa3de _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
Targets
Target

678900.pdf.exe

MD5

109964ff67ad854a737b1cd1902a5424

Filesize

802KB

Score
10/10
SHA1

afcf13c1f3e3d4e19f20e8449302e429e10c5d7c

SHA256

a5a00f206182c8e732f580b520af49f2b5a33c93676f15e8eadb5d1eba6ed497

SHA512

501b5bb9825fd116882863688f72f4d1cc03e64d10c8d3706b5870f48415f6b87675e17a4548e3da2e8d820d529ba1ffc806ddd0926fd2ac67b2be46c0b5003a

Tags

Signatures

  • HawkEye Reborn

    Description

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    Tags

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Uses the VBS compiler for execution

    TTPs

    Scripting

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

Related Tasks

behavioral1behavioral2
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
    Discovery
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Tasks

                    static1

                    Score
                    N/A

                    behavioral1

                    Score
                    10/10

                    behavioral2

                    Score
                    10/10