General
-
Target
2610472c092f7cff5ccd42946e72cde0N.exe
-
Size
2.0MB
-
Sample
240801-bwvnsavalk
-
MD5
2610472c092f7cff5ccd42946e72cde0
-
SHA1
230c68801172769aa3c3ccfd09f5d596dbf4099c
-
SHA256
b74fb19b578a74d705708b87c70735ce4e8fd0a80ccb3c5d677ccc739649f708
-
SHA512
6d440d72073d3007fefe8f07a76c08740875ed7b2911df5d151a09ebffd9c645532fba639a7382c2a16360b578d3ad62e1df56455a62d4c340d5a110d014e0eb
-
SSDEEP
49152:DVg5tQ7aeCUBJ2uUkVWArKbXpQgAv2xG62tfviOb5:Zg56wSJrUkQAOpQgAv2g6Ii
Static task
static1
Behavioral task
behavioral1
Sample
2610472c092f7cff5ccd42946e72cde0N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
2610472c092f7cff5ccd42946e72cde0N.exe
Resource
win10v2004-20240730-en
Malware Config
Extracted
hawkeye_reborn
10.0.0.0
Protocol: ftp- Host:
ftp.sppneumologia.pt - Port:
21 - Username:
[email protected] - Password:
bathram0123@!
21cda385-e3c5-4953-b3d1-bcff85cd50f6
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:bathram0123@! _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.sppneumologia.pt _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:43800 _MeltFile:false _Mutex:21cda385-e3c5-4953-b3d1-bcff85cd50f6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null
Targets
-
-
Target
2610472c092f7cff5ccd42946e72cde0N.exe
-
Size
2.0MB
-
MD5
2610472c092f7cff5ccd42946e72cde0
-
SHA1
230c68801172769aa3c3ccfd09f5d596dbf4099c
-
SHA256
b74fb19b578a74d705708b87c70735ce4e8fd0a80ccb3c5d677ccc739649f708
-
SHA512
6d440d72073d3007fefe8f07a76c08740875ed7b2911df5d151a09ebffd9c645532fba639a7382c2a16360b578d3ad62e1df56455a62d4c340d5a110d014e0eb
-
SSDEEP
49152:DVg5tQ7aeCUBJ2uUkVWArKbXpQgAv2xG62tfviOb5:Zg56wSJrUkQAOpQgAv2g6Ii
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-