General
-
Target
d9c7f1ebc0661eae412d600581adb8dec003af8e08a22c6bc5087f814a20c5ea
-
Size
797KB
-
Sample
230129-v79fvsfg38
-
MD5
443d14f61c1397d9c6cd03be118221cf
-
SHA1
920a7cedf7c219d1fe8b82628b72a85e175c12be
-
SHA256
d9c7f1ebc0661eae412d600581adb8dec003af8e08a22c6bc5087f814a20c5ea
-
SHA512
ef398c851e8fa1f19d6904e96b1a58baac6b2b785ab69d1ec2e216cd8ef48a4b8bf362c9e2beb2312584333a9a33af2c8308896002a47223f652ea24f79a7237
-
SSDEEP
12288:uYV6MorX7qzuC3QHO9FQVHPF51jgctqlF8/+NdXNa+v5nc95jH38Z9dMDHAaGA2d:NBXu9HGaVHY71d9a+v5cLjMZ4eAkR
Behavioral task
behavioral1
Sample
d9c7f1ebc0661eae412d600581adb8dec003af8e08a22c6bc5087f814a20c5ea.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
d9c7f1ebc0661eae412d600581adb8dec003af8e08a22c6bc5087f814a20c5ea.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
hawkeye_reborn
9.0.1.6
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
BARCELONA21k
5e3bedae-5666-430e-b2a9-ad8d2b35aa51
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:BARCELONA21k _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:5e3bedae-5666-430e-b2a9-ad8d2b35aa51 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Targets
-
-
Target
d9c7f1ebc0661eae412d600581adb8dec003af8e08a22c6bc5087f814a20c5ea
-
Size
797KB
-
MD5
443d14f61c1397d9c6cd03be118221cf
-
SHA1
920a7cedf7c219d1fe8b82628b72a85e175c12be
-
SHA256
d9c7f1ebc0661eae412d600581adb8dec003af8e08a22c6bc5087f814a20c5ea
-
SHA512
ef398c851e8fa1f19d6904e96b1a58baac6b2b785ab69d1ec2e216cd8ef48a4b8bf362c9e2beb2312584333a9a33af2c8308896002a47223f652ea24f79a7237
-
SSDEEP
12288:uYV6MorX7qzuC3QHO9FQVHPF51jgctqlF8/+NdXNa+v5nc95jH38Z9dMDHAaGA2d:NBXu9HGaVHY71d9a+v5cLjMZ4eAkR
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Drops startup file
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-