hawkeye_reborn | 81dc465b443d6207c3c3371bdffb7ccab9ab8991404f60b3f8b0f2dd34d124f7

General

Target

c08140b86fcf9923dc47dbb44726a0a7_JaffaCakes118
Size

1.1MB
Sample

240825-l58l4sycqg
MD5

c08140b86fcf9923dc47dbb44726a0a7
SHA1

d7d3957ad7f745c12df312a0dace7ae701b5fdf4
SHA256

81dc465b443d6207c3c3371bdffb7ccab9ab8991404f60b3f8b0f2dd34d124f7
SHA512

5c4fa93e506906ff41a6ce6a28d5309976c56a6fea91d87001447d137c3db3b0c07d8b29863168573cf8c9ba2a3be4149fe52132ae76433456bc86579f167b3a
SSDEEP

24576:02TgBtmRfOV3HtmRkNQEFOxt/pogktu/mTst50GaWcrbESFhahWtP:JBOFYRkNQKI/pogktu/mwt50G0EIUI

Score

10^/10

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.0.0

Credentials

Protocol: ftp
Host:
ftp.zzv.ro
Port:
21
Username:
[email protected]
Password:
^36f4OT-q^-?

Mutex

68a8e7d3-0361-4556-8999-3035430b0044

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:^36f4OT-q^-? _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.zzv.ro _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:570000 _MeltFile:false _Mutex:68a8e7d3-0361-4556-8999-3035430b0044 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

Targets

- Target
  
  c08140b86fcf9923dc47dbb44726a0a7_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  c08140b86fcf9923dc47dbb44726a0a7
- SHA1
  
  d7d3957ad7f745c12df312a0dace7ae701b5fdf4
- SHA256
  
  81dc465b443d6207c3c3371bdffb7ccab9ab8991404f60b3f8b0f2dd34d124f7
- SHA512
  
  5c4fa93e506906ff41a6ce6a28d5309976c56a6fea91d87001447d137c3db3b0c07d8b29863168573cf8c9ba2a3be4149fe52132ae76433456bc86579f167b3a
- SSDEEP
  
  24576:02TgBtmRfOV3HtmRkNQEFOxt/pogktu/mTst50GaWcrbESFhahWtP:JBOFYRkNQKI/pogktu/mwt50G0EIUI
Score

10^/10

hawkeye_reborn m00nd3v_logger credential_access discovery infostealer keylogger spyware stealer trojan upx collection
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- M00nD3v Logger payload
  Detects M00nD3v Logger payload in memory.
  infostealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2