hawkeye_reborn | dbd4eef98d4dbbbd1ad2f1271b58ab3332a32fc1cd494a0d533c742c49524e23

General

Target

f31674ef3e0a8c4551828529ac14dfc9_JaffaCakes118
Size

1.3MB
Sample

240924-hyr41avfkj
MD5

f31674ef3e0a8c4551828529ac14dfc9
SHA1

0832401d2c8fad1816f58de894b6a0f5ebca3de9
SHA256

dbd4eef98d4dbbbd1ad2f1271b58ab3332a32fc1cd494a0d533c742c49524e23
SHA512

22fc0413fba1b53c86a104e2372edec59d524e0bb2dd561c53a5b7067cc32c3eb96ccd280897494a2a71e73d44b7b906a5dcfac32645d35605fe60b4e5fbd61d
SSDEEP

24576:VXOv4FbnXI8DJ5QXeuRKyWnIoqH5ozRY6mVanxJbGz7XQBt8IHGYUz:w4tXIqJqbyyH5orfxJbGz7AfGYUz

Score

10^/10

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Targets

- Target
  
  f31674ef3e0a8c4551828529ac14dfc9_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  f31674ef3e0a8c4551828529ac14dfc9
- SHA1
  
  0832401d2c8fad1816f58de894b6a0f5ebca3de9
- SHA256
  
  dbd4eef98d4dbbbd1ad2f1271b58ab3332a32fc1cd494a0d533c742c49524e23
- SHA512
  
  22fc0413fba1b53c86a104e2372edec59d524e0bb2dd561c53a5b7067cc32c3eb96ccd280897494a2a71e73d44b7b906a5dcfac32645d35605fe60b4e5fbd61d
- SSDEEP
  
  24576:VXOv4FbnXI8DJ5QXeuRKyWnIoqH5ozRY6mVanxJbGz7XQBt8IHGYUz:w4tXIqJqbyyH5orfxJbGz7AfGYUz
Score

10^/10

agilenet discovery hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- M00nD3v Logger payload
  Detects M00nD3v Logger payload in memory.
  infostealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

HawkEye Reborn

M00nd3v_Logger

Detected Nirsoft tools

M00nD3v Logger payload

NirSoft MailPassView

NirSoft WebBrowserPassView

Obfuscated with Agile.Net obfuscator

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2