hawkeye_reborn | 8492772ab8cba85be77602b00a06b8cc46c2beeecca0c8d52f6b141dc5d50e26

General

Target

8492772ab8cba85be77602b00a06b8cc46c2beeecca0c8d52f6b141dc5d50e26
Size

907KB
Sample

220701-dym3tsbhd2
MD5

77f36f1ae786cf0835ce574b81668db6
SHA1

0987f5681d484ad149890a585766a013cf3b64b3
SHA256

8492772ab8cba85be77602b00a06b8cc46c2beeecca0c8d52f6b141dc5d50e26
SHA512

be477e9ab39c00adc55a24fe4893f835e1475ede17a4632c9359d31064f870edf9639c51550615bfce82e34f5265ab01880099550fa1a4b4d6c9d8be95cdd27a

Score

10^/10

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
smtpout.secureserver.net
Port:
25
Username:
harkzusuu@pacificfloralwholesale.com
Password:
uatm51QlM1

Mutex

99dc177c-6946-4214-9335-e6da61ec656d

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:uatm51QlM1 _EmailPort:25 _EmailSSL:false _EmailServer:smtpout.secureserver.net _EmailUsername:harkzusuu@pacificfloralwholesale.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:60 _MeltFile:false _Mutex:99dc177c-6946-4214-9335-e6da61ec656d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Targets

- Target
  
  8492772ab8cba85be77602b00a06b8cc46c2beeecca0c8d52f6b141dc5d50e26
- Size
  
  907KB
- MD5
  
  77f36f1ae786cf0835ce574b81668db6
- SHA1
  
  0987f5681d484ad149890a585766a013cf3b64b3
- SHA256
  
  8492772ab8cba85be77602b00a06b8cc46c2beeecca0c8d52f6b141dc5d50e26
- SHA512
  
  be477e9ab39c00adc55a24fe4893f835e1475ede17a4632c9359d31064f870edf9639c51550615bfce82e34f5265ab01880099550fa1a4b4d6c9d8be95cdd27a
Score

10^/10

upx hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- M00nD3v Logger Payload
  Detects M00nD3v Logger payload in memory.
  infostealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

HawkEye Reborn

M00nd3v_Logger

M00nD3v Logger Payload

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

UPX packed file

Drops startup file

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2