hawkeye_reborn | b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a

General

Target

b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a
Size

1.2MB
Sample

220201-eww4dshbe2
MD5

fb2ca93f987313108abdd4a6d687783a
SHA1

0783b8327a88aff87c627497d4333fd778da59be
SHA256

b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a
SHA512

6fc15ca06da66661c733ed4aeeff40a11791739ab104e607262b55e217658277246cfec7b2dd586bbd58067bf1a67a4fd7e9462ffe5f591fc7a2ee1cfefcab25

Score

10^/10

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Targets

- Target
  
  b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a
- Size
  
  1.2MB
- MD5
  
  fb2ca93f987313108abdd4a6d687783a
- SHA1
  
  0783b8327a88aff87c627497d4333fd778da59be
- SHA256
  
  b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a
- SHA512
  
  6fc15ca06da66661c733ed4aeeff40a11791739ab104e607262b55e217658277246cfec7b2dd586bbd58067bf1a67a4fd7e9462ffe5f591fc7a2ee1cfefcab25
Score

10^/10

hawkeye_reborn m00nd3v_logger agilenet keylogger spyware stealer trojan persistence
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- M00nD3v Logger Payload
  Detects M00nD3v Logger payload in memory.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Sets service image path in registry
  persistence
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

HawkEye Reborn

M00nd3v_Logger

M00nD3v Logger Payload

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Sets service image path in registry

Obfuscated with Agile.Net obfuscator

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2