hawkeye_reborn | 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f

General

Target

522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f
Size

1.3MB
Sample

220717-ed7geaegd6
MD5

5e01622448297de584b36419c58a5cad
SHA1

41666daf497c2997e0c326a22a0d87d2d421e602
SHA256

522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f
SHA512

a7cb35c81d272d0218cdfe6ae46484bc993049a19a78275876ef2512107bca738c548779845a7e20f51714e6181ad6181e40382424e01007a66d730265020a44

Score

10^/10

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Extracted

Credentials

Protocol: smtp
Host:
mail.parwazexpress.com
Port:
587
Username:
groupemail@parwazexpress.com
Password:
karachi123

Targets

- Target
  
  522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f
- Size
  
  1.3MB
- MD5
  
  5e01622448297de584b36419c58a5cad
- SHA1
  
  41666daf497c2997e0c326a22a0d87d2d421e602
- SHA256
  
  522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f
- SHA512
  
  a7cb35c81d272d0218cdfe6ae46484bc993049a19a78275876ef2512107bca738c548779845a7e20f51714e6181ad6181e40382424e01007a66d730265020a44
Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- M00nD3v Logger payload
  Detects M00nD3v Logger payload in memory.
  infostealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

HawkEye Reborn

M00nd3v_Logger

M00nD3v Logger payload

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2