General

  • Target

    d1050ecae55aa83cfdaf595b29e3028d0a5964aa8f285e92d8a980f001d33169

  • Size

    1.3MB

  • Sample

    220712-stwxhafhgp

  • MD5

    d95dad4b055594d2bb0a33fb96a72fb4

  • SHA1

    18c95e82c43fe78fd9685f165acda3e3b9963795

  • SHA256

    d1050ecae55aa83cfdaf595b29e3028d0a5964aa8f285e92d8a980f001d33169

  • SHA512

    131e61ed8312737d2100d343bb5418ba430983faaf49592095f739525020e01a866f06b0624e19c7f8f1a271fd5368c206169593a61da1afad88d6a0e020193e

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.r2v2.co.uk
  • Port:
    21
  • Username:
    saits@r2v2.co.uk
  • Password:
    FFEfSqq0vELf

Targets

    • Target

      d1050ecae55aa83cfdaf595b29e3028d0a5964aa8f285e92d8a980f001d33169

    • Size

      1.3MB

    • MD5

      d95dad4b055594d2bb0a33fb96a72fb4

    • SHA1

      18c95e82c43fe78fd9685f165acda3e3b9963795

    • SHA256

      d1050ecae55aa83cfdaf595b29e3028d0a5964aa8f285e92d8a980f001d33169

    • SHA512

      131e61ed8312737d2100d343bb5418ba430983faaf49592095f739525020e01a866f06b0624e19c7f8f1a271fd5368c206169593a61da1afad88d6a0e020193e

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • M00nD3v Logger payload

      Detects M00nD3v Logger payload in memory.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Defense Evasion

Scripting

1
T1064

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Email Collection

1
T1114

Tasks