General

  • Target

    2610472c092f7cff5ccd42946e72cde0N.exe

  • Size

    2.0MB

  • Sample

    240801-bwvnsavalk

  • MD5

    2610472c092f7cff5ccd42946e72cde0

  • SHA1

    230c68801172769aa3c3ccfd09f5d596dbf4099c

  • SHA256

    b74fb19b578a74d705708b87c70735ce4e8fd0a80ccb3c5d677ccc739649f708

  • SHA512

    6d440d72073d3007fefe8f07a76c08740875ed7b2911df5d151a09ebffd9c645532fba639a7382c2a16360b578d3ad62e1df56455a62d4c340d5a110d014e0eb

  • SSDEEP

    49152:DVg5tQ7aeCUBJ2uUkVWArKbXpQgAv2xG62tfviOb5:Zg56wSJrUkQAOpQgAv2g6Ii

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.0

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.sppneumologia.pt
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    bathram0123@!
Mutex

21cda385-e3c5-4953-b3d1-bcff85cd50f6

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:bathram0123@! _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.sppneumologia.pt _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:43800 _MeltFile:false _Mutex:21cda385-e3c5-4953-b3d1-bcff85cd50f6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null

Targets

    • Target

      2610472c092f7cff5ccd42946e72cde0N.exe

    • Size

      2.0MB

    • MD5

      2610472c092f7cff5ccd42946e72cde0

    • SHA1

      230c68801172769aa3c3ccfd09f5d596dbf4099c

    • SHA256

      b74fb19b578a74d705708b87c70735ce4e8fd0a80ccb3c5d677ccc739649f708

    • SHA512

      6d440d72073d3007fefe8f07a76c08740875ed7b2911df5d151a09ebffd9c645532fba639a7382c2a16360b578d3ad62e1df56455a62d4c340d5a110d014e0eb

    • SSDEEP

      49152:DVg5tQ7aeCUBJ2uUkVWArKbXpQgAv2xG62tfviOb5:Zg56wSJrUkQAOpQgAv2g6Ii

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks