hawkeye_reborn | aa890a174bf8bf562508e0fe3fbc85494555a92841b2ab42161d0546c9bde6e8

General

Target

dc759a39363dbcc178782b68a4a4a2d0_JaffaCakes118
Size

548KB
Sample

240912-r9spcazeja
MD5

dc759a39363dbcc178782b68a4a4a2d0
SHA1

746eb9a5fedd728cdfce737f09166577da1d5863
SHA256

aa890a174bf8bf562508e0fe3fbc85494555a92841b2ab42161d0546c9bde6e8
SHA512

f3f7dad53c7fd9249e9123603b60590c2633284b0910f02fd5b853c263c6bddc58d2e2e0019e73efe7f9a96141f4fc5419b6b4810dabbed802f4637681a6bd15
SSDEEP

12288:6q7fq/v3x4whufiGpjRPECDlKfS4yseMXPpzDaJhlIRhS1HMS87uub5So:6+qfxBIfiGF+Fys7x3aJhlGh6ML7uub/

Score

10^/10

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.0.0

Credentials

Protocol: smtp
Host:
mail.bnfurniture.net
Port:
587
Username:
[email protected]
Password:
BNF!vloc.146

Mutex

e8d9ca92-733e-4f3e-93ae-f2671efb738d

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:BNF!vloc.146 _EmailPort:587 _EmailSSL:false _EmailServer:mail.bnfurniture.net _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10080 _MeltFile:false _Mutex:e8d9ca92-733e-4f3e-93ae-f2671efb738d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

Targets

- Target
  
  INV003889.exe
- Size
  
  808KB
- MD5
  
  9887ee32e22fb96c93bad425744f93be
- SHA1
  
  8e900774103935246250507877d9b39f8445fdba
- SHA256
  
  85534754bd3a7cda7234040ba7f0a4440fe85c198e28286ef22fbeb97b3de14b
- SHA512
  
  0c7eb5e487fc6354d061375e310ca5c3acb793a3424599cc4ffcb0aa653988d4e85f7d77b65d6a1d50a25c9dcf7315501643f3cda3524f958817835c598e2351
- SSDEEP
  
  12288:WVg4HHq/v354wfufiGrjdPEKDlsVSgyseMVPmRLIrJ/Pzjja/Vftd+G3Mqs57HIo:WVfnqf5BWfiG/6NysxQLI5jqW
Score

10^/10

hawkeye_reborn m00nd3v_logger credential_access discovery infostealer keylogger spyware stealer trojan collection
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- M00nD3v Logger payload
  Detects M00nD3v Logger payload in memory.
  infostealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2