Overview

overview

10

Static

static

c78563db25a1cc...59.exe

windows7_x64

10

c78563db25a1cc...59.exe

windows10-2004_x64

10
General
Target

c78563db25a1cc1b5ea436abcd8898630acbba2aced8037230a1bfe4d5ffcd59

Size

755KB

Sample

220701-d698bsccf7

Score
10/10
MD5

1b32e7b6738b33bbb19d82ec80db0468

SHA1

291e3d8c591ba0241edde567221bfb1ac04a5390

SHA256

c78563db25a1cc1b5ea436abcd8898630acbba2aced8037230a1bfe4d5ffcd59

SHA512

2540059c36b6b2676a2ef4710d155f158253f8ac0686b1529aa1469a03888ad47676443f1e970adb3f33f2bdf2643fca4f78db6ff68794e662ea23a86ef3ca66

Malware Config

Extracted

Family

hawkeye_reborn
Version

10.0.0.0
Credentials

Protocol: smtp

Host: mail.privateemail.com

Port: 587

Username: accounts@friendships-ke.icu

Password: MORELOGS123
Attributes
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:MORELOGS123 _EmailPort:587 _EmailSSL:true _EmailServer:mail.privateemail.com _EmailUsername:accounts@friendships-ke.icu _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:a3d2cd1b-13b1-46dd-b106-be7b1a749463 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:false _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null
Targets
Target

c78563db25a1cc1b5ea436abcd8898630acbba2aced8037230a1bfe4d5ffcd59

MD5

1b32e7b6738b33bbb19d82ec80db0468

Filesize

755KB

Score
10/10
SHA1

291e3d8c591ba0241edde567221bfb1ac04a5390

SHA256

c78563db25a1cc1b5ea436abcd8898630acbba2aced8037230a1bfe4d5ffcd59

SHA512

2540059c36b6b2676a2ef4710d155f158253f8ac0686b1529aa1469a03888ad47676443f1e970adb3f33f2bdf2643fca4f78db6ff68794e662ea23a86ef3ca66

Tags

Signatures

  • HawkEye Reborn

    Description

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    Tags

  • NirSoft MailPassView

    Description

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Description

    Password recovery tool for various web browsers

  • Nirsoft

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

  • Uses the VBS compiler for execution

    TTPs

    Scripting

  • Accesses Microsoft Outlook accounts

    Tags

    TTPs

    Email Collection

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

Related Tasks

behavioral1behavioral2
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
      Defense Evasion
      Discovery
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                Privilege Escalation
                  Tasks

                  static1

                  Score
                  N/A

                  behavioral1

                  Score
                  10/10

                  behavioral2

                  Score
                  10/10