Overview

overview

10

Static

static

567963ab67...8a.exe

windows7-x64

10

567963ab67...8a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a

  • Size

    1.1MB

  • Sample

    220725-dne98scbh4

  • MD5

    bc50a53d9a77b3eb7df4a2f1ce3b8acd

  • SHA1

    8f482f408a9d4ea1bb52c18210cc3213e56af21f

  • SHA256

    567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a

  • SHA512

    59388652a5546680fb0c9f3ca41254fb1d71aefbbed1548114077eee797ace783321316965120216108f80d0f07fd536bf55af4f9f62c0a639460ee3d2c0cbe1

Score
10/10
agentteslahawkeye_rebornm00nd3v_loggercollectioninfostealerkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.mail.com
  • Port:
    587
  • Username:
    kingsleyscot@mail.com
  • Password:
    ghost419

Targets

    • Target

      567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a

    • Size

      1.1MB

    • MD5

      bc50a53d9a77b3eb7df4a2f1ce3b8acd

    • SHA1

      8f482f408a9d4ea1bb52c18210cc3213e56af21f

    • SHA256

      567963ab67118eba223ec95f6a9106681f4fed348c655139208c48e969bd568a

    • SHA512

      59388652a5546680fb0c9f3ca41254fb1d71aefbbed1548114077eee797ace783321316965120216108f80d0f07fd536bf55af4f9f62c0a639460ee3d2c0cbe1

    Score
    10/10
    hawkeye_rebornm00nd3v_loggerinfostealerkeyloggerspywarestealertrojanagentteslacollectionpersistence

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

      keyloggertrojanstealerspywarehawkeye_reborn

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

      stealerspywarem00nd3v_logger

    • M00nD3v Logger payload

      Detects M00nD3v Logger payload in memory.

      infostealer

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks