hawkeye_reborn | 4e5861ed6a17036fc582174c31c373fcfa464a6c24a2beab96c540f7883e24ba

General

Target

4e5861ed6a17036fc582174c31c373fcfa464a6c24a2beab96c540f7883e24ba
Size

659KB
Sample

220521-djkn6afgd9
MD5

053d8594109a6575e8ff892f6f35123a
SHA1

2310bb6fbc0d5ac219dd748258fbd4bed083d18d
SHA256

4e5861ed6a17036fc582174c31c373fcfa464a6c24a2beab96c540f7883e24ba
SHA512

98958621b1f3f101317fb9f4653bd8453e4c4def7224b09a30f13f72ea59504d60bfbed1816e68138f9b78287c9c92677709150dd50c70f3ecf4607d606d4de2

Score

10^/10

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
tsnewdawn2018

Mutex

18fb0183-a312-4c1a-9aa0-f10270aac54e

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:tsnewdawn2018 _EmailPort:587 _EmailSSL:true _EmailServer:smtp.gmail.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:18fb0183-a312-4c1a-9aa0-f10270aac54e _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Targets

- Target
  
  PO 75410085_Pdf_______________.exe
- Size
  
  718KB
- MD5
  
  4cf536a025295e6c6360c749b32c9b07
- SHA1
  
  8e381356bdc365b47ef17e6e74b5f85329c1efd1
- SHA256
  
  623088f292f9cda615bded9d1d9990dfbb3f03943b570054e92d7d6f5a992b3a
- SHA512
  
  ac58f3b82afcff9742b9b3dfe45ecb84f47e64903f798580134ccc6522a9d9194e0f881decdc528006c79d0244e65a3fc3f9bf8b84fee0014e8097ed8acdc9ea
Score

10^/10

hawkeye_reborn m00nd3v_logger collection coreentity infostealer keylogger rezer0 spyware stealer trojan
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- M00nD3v Logger Payload
  Detects M00nD3v Logger payload in memory.
  infostealer
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CoreEntity .NET Packer

HawkEye Reborn

M00nd3v_Logger

M00nD3v Logger Payload

ReZer0 packer

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2