hawkeye_reborn | b2a1a24d9dd2959a99e1bd19135471c6a5af4880aec855f559f9c694cf52ec3e

General

Target

b2a1a24d9dd2959a99e1bd19135471c6a5af4880aec855f559f9c694cf52ec3e
Size

1.5MB
Sample

230129-v52m8sff67
MD5

4659cdc8b536fef205180b46e6a31d3d
SHA1

066076ebe3617b0f02861a2c715e13f1dbed542c
SHA256

b2a1a24d9dd2959a99e1bd19135471c6a5af4880aec855f559f9c694cf52ec3e
SHA512

9bdf707b66b97d41ad92f4ec84e4089975db3e04b64e6a5cf73a40f8cd1d2e8c053c39562f53565419717505aeb24b5cf2e7d9fe3fed117a88c467cdfb46fd70
SSDEEP

24576:6AHnh+eWsN3skA4RV1Hom2KXMmHaIJmhQOeSmXkCbI5xJMdXhGBOzb/Hus2Xe15:Nh+ZkldoPK8Ya6NJsPwxYOztF

Score

10^/10

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: ftp
Host:
frisksecurities.com
Port:
21
Username:
mode9@frisksecurities.com
Password:
Works1234$

Mutex

cc34a34d-8ea5-45bb-a8bc-230d8f573bf0

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:Works1234$ _FTPPort:21 _FTPSFTP:true _FTPServer:frisksecurities.com _FTPUsername:mode9@frisksecurities.com _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:120 _MeltFile:false _Mutex:cc34a34d-8ea5-45bb-a8bc-230d8f573bf0 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Targets

- Target
  
  b2a1a24d9dd2959a99e1bd19135471c6a5af4880aec855f559f9c694cf52ec3e
- Size
  
  1.5MB
- MD5
  
  4659cdc8b536fef205180b46e6a31d3d
- SHA1
  
  066076ebe3617b0f02861a2c715e13f1dbed542c
- SHA256
  
  b2a1a24d9dd2959a99e1bd19135471c6a5af4880aec855f559f9c694cf52ec3e
- SHA512
  
  9bdf707b66b97d41ad92f4ec84e4089975db3e04b64e6a5cf73a40f8cd1d2e8c053c39562f53565419717505aeb24b5cf2e7d9fe3fed117a88c467cdfb46fd70
- SSDEEP
  
  24576:6AHnh+eWsN3skA4RV1Hom2KXMmHaIJmhQOeSmXkCbI5xJMdXhGBOzb/Hus2Xe15:Nh+ZkldoPK8Ya6NJsPwxYOztF
Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- M00nD3v Logger payload
  Detects M00nD3v Logger payload in memory.
  infostealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Drops startup file
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

HawkEye Reborn

M00nd3v_Logger

M00nD3v Logger payload

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Drops startup file

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2