General

  • Target

    3363f122fef4aba07930f568045b2db90a4b07f7b2c3ac47be368019612d762c

  • Size

    1.0MB

  • Sample

    220620-c3c8rabgal

  • MD5

    23b8e57858f2edbef4f8414ae44a1772

  • SHA1

    f23a3473e11dc0e0a7cbd26755460d5ee5d393bf

  • SHA256

    3363f122fef4aba07930f568045b2db90a4b07f7b2c3ac47be368019612d762c

  • SHA512

    43a2deb1cdee1f64194e16f6de87465d9b67260147d94aac0d30de1bf328c7b59d71d77fabbc3ea0835aa1019de4c24566a0bd8c29398e50301e5b9c6e01a4e5

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Targets

    • Target

      3363f122fef4aba07930f568045b2db90a4b07f7b2c3ac47be368019612d762c

    • Size

      1.0MB

    • MD5

      23b8e57858f2edbef4f8414ae44a1772

    • SHA1

      f23a3473e11dc0e0a7cbd26755460d5ee5d393bf

    • SHA256

      3363f122fef4aba07930f568045b2db90a4b07f7b2c3ac47be368019612d762c

    • SHA512

      43a2deb1cdee1f64194e16f6de87465d9b67260147d94aac0d30de1bf328c7b59d71d77fabbc3ea0835aa1019de4c24566a0bd8c29398e50301e5b9c6e01a4e5

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • M00nD3v Logger Payload

      Detects M00nD3v Logger payload in memory.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks