hawkeye_reborn | ff23502f02959c5a6a227342a4b0d1374ed59bd4ad2dd9baa48603ea6dd517d7

General

Target

ff23502f02959c5a6a227342a4b0d1374ed59bd4ad2dd9baa48603ea6dd517d7
Size

1.4MB
Sample

220701-sca9gaaga3
MD5

4bef254bee75e556d95fe554ea533955
SHA1

a7c01ff15918059971eb7fe58459f0e50ea6b3bc
SHA256

ff23502f02959c5a6a227342a4b0d1374ed59bd4ad2dd9baa48603ea6dd517d7
SHA512

5f1533440b2c0da33643e514bcd0917061b545b55f1c1b43e1a713cbd8fa2283ed1ad252bdf97669424ba6b7f5545dce15f1eb0167ccf4ac5a60e7020500f3d0

Score

10^/10

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.0

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
ajonwa

Mutex

99962c92-eee7-4494-95c3-cd8974204d95

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:ajonwa _EmailPort:587 _EmailSSL:true _EmailServer:mail.privateemail.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:1 _MeltFile:false _Mutex:99962c92-eee7-4494-95c3-cd8974204d95 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null

Extracted

Family

lokibot

C2

http://extrememx.net/off/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  DHL_SHIP.EXE
- Size
  
  663KB
- MD5
  
  2e36f6782801ac6be4b0fae3bc66d3eb
- SHA1
  
  faae086629f2895097732d54353d708f14ca302c
- SHA256
  
  3ba1dc2aac23384e6a3b3bc09debde9a2029864c7fd14f12d06ff06efcd9e977
- SHA512
  
  4cf83a5fce2d41485dc54f4198a3d068be7a35499a06798c120341c61e5ed1b26e685e6b97085585cbfa4214d7559d87c6cf59cbdcc8304fea88145e28457f87
Score

10^/10

hawkeye_reborn keylogger spyware stealer trojan collection
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  RECEIPT_.EXE
- Size
  
  183KB
- MD5
  
  6396c3c483ae81eddbf7b1641e369d14
- SHA1
  
  7199053955d10be57f11d0213cb748c498dbfbdf
- SHA256
  
  ff5756e0b48f71c775b874828172fb0cd3a4bbb45664c2ca032bd8f24784b60b
- SHA512
  
  bb60a4fbdf272683849f6dcba2ce0c82571f17c760ca8c16ba7cea51ef979021a2383c42ea90c6b5fae9562d400c709a5198d2c2c00c70d58dee5bda80fbfd3f
Score

10^/10

lokibot collection spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Contains code to disable Windows Defender

HawkEye Reborn

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Looks up external IP address via web service

Suspicious use of SetThreadContext

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4