General

  • Target

    3e37e8b2e70c6371ee52f082232f63710074cb77c7bad7437829823c7a2b9103

  • Size

    937KB

  • Sample

    220701-j3jh4abdbl

  • MD5

    f1136a9f43ac8d7e3a29a1e1da20e17a

  • SHA1

    2cd28ff7463a1936872265b00b42ccfdecd4e7e8

  • SHA256

    3e37e8b2e70c6371ee52f082232f63710074cb77c7bad7437829823c7a2b9103

  • SHA512

    8302301a2e9a9c32f9c6618fe50c08890e9f530007ff09676f020d69e7822d309db49095ce402eccba9f4ebd7c0bcde3da035cae49e822ed41306e7e624f3569

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

  • Protocol:
    smtp
  • Host:
    mail.coniketransport.com
  • Port:
    26
  • Username:
    dk@coniketransport.com
  • Password:
    goodyear@2019
Mutex

dde4d7c6-f1a1-4b47-b7dd-d26fcb529029

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:goodyear@2019 _EmailPort:26 _EmailSSL:false _EmailServer:mail.coniketransport.com _EmailUsername:dk@coniketransport.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:180 _MeltFile:false _Mutex:dde4d7c6-f1a1-4b47-b7dd-d26fcb529029 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Targets

    • Target

      3e37e8b2e70c6371ee52f082232f63710074cb77c7bad7437829823c7a2b9103

    • Size

      937KB

    • MD5

      f1136a9f43ac8d7e3a29a1e1da20e17a

    • SHA1

      2cd28ff7463a1936872265b00b42ccfdecd4e7e8

    • SHA256

      3e37e8b2e70c6371ee52f082232f63710074cb77c7bad7437829823c7a2b9103

    • SHA512

      8302301a2e9a9c32f9c6618fe50c08890e9f530007ff09676f020d69e7822d309db49095ce402eccba9f4ebd7c0bcde3da035cae49e822ed41306e7e624f3569

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • M00nD3v Logger Payload

      Detects M00nD3v Logger payload in memory.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Defense Evasion

Scripting

1
T1064

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Email Collection

1
T1114

Tasks