hawkeye_reborn | dbbbfe06f9c52a420edf56ba6acec45a8274a0aca07056ad9f12146309d6a6f4

General

Target

e83a4e536f75dc3325aa275b5d74e261_JaffaCakes118
Size

735KB
Sample

240918-dvyp6a1apr
MD5

e83a4e536f75dc3325aa275b5d74e261
SHA1

190155849d9ffe2e4180b372068bae61d78c0d9f
SHA256

dbbbfe06f9c52a420edf56ba6acec45a8274a0aca07056ad9f12146309d6a6f4
SHA512

750253e7cdaa57a76c75ef7bc975de6e5fcc2ca92ad1c802e3f93864af9e0989492cce8badf4bb2fb5b09e7cd719a01f2501b5f79e0448ceee6a0e9ec8777e61
SSDEEP

12288:R9VTolk03BD2TxiaGwO7fMrK8szVkhq8/nvMh8NCVzrC+eX:R9VTotAoUOfMrK8sOhF6r/k

Score

10^/10

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.1

Credentials

Protocol: ftp
Host:
ftp.flyxpo.com
Port:
21
Username:
[email protected]
Password:
@success2020

Mutex

5b7c015f-10ee-4b9d-838d-a0a1ec7d2461

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:@success2020 _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.flyxpo.com _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:5b7c015f-10ee-4b9d-838d-a0a1ec7d2461 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null

Targets

- Target
  
  330102020 pdf.exe
- Size
  
  912KB
- MD5
  
  580d2373c37e5781fda8f1c9495e9c4d
- SHA1
  
  279cea6b3100406e9093c3981249e21753086c85
- SHA256
  
  12ac133adac3300ae93a8ad238cc19d4c790c2c710549f97332510fccf8ddf40
- SHA512
  
  a4033b6cfd24de7f21fc102a5df9d0de5f17f9b880fa0676310124bd92c7e232fa68203bfd4dfc598438d64614e54deb2a20d59fcf025303ba60366d1e529795
- SSDEEP
  
  24576:ERBg0oU7tCz+Nd4i+oIclTck1luq5eC/P/f8kHL:E/Ho0tCz+Nd4i4chTRr
Score

10^/10

hawkeye_reborn collection credential_access discovery keylogger spyware stealer trojan
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2