Overview

overview

10

Static

static

3

f52ab24732...18.exe

windows7-x64

10

f52ab24732...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f52ab247321a7ce8b83f8ccf9511cfd8_JaffaCakes118

  • Size

    742KB

  • Sample

    240925-exn46sxgpg

  • MD5

    f52ab247321a7ce8b83f8ccf9511cfd8

  • SHA1

    84010fbc63cc59d908db261f706f8065e903a72d

  • SHA256

    3ff6a400208079709780ba2f7ed1f79e2ca1e114f5b0732ed8aaa990d3b4329e

  • SHA512

    43ee1dfa4d40a757cbfe5b6a7aa3c5ae454f8bf45341aab01e011f0f4680bffe4193a223aca9e2e4c3da5f8ddcda00e4eede60d22758473b7f0e96395a0eaf1f

  • SSDEEP

    12288:lDT40cglZGEfkxeQkVPeYb4HB8zZMS4YaPt7FQUxoKAHCH2n1fVxAd5pjL:140cg+WkYPe04HCN17aF7JxoKAi6dxAF

Score
10/10
hawkeye_rebornm00nd3v_loggeragilenetcollectiondiscoveryinfostealerkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.zoho.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    CONNECT2018

Targets

    • Target

      f52ab247321a7ce8b83f8ccf9511cfd8_JaffaCakes118

    • Size

      742KB

    • MD5

      f52ab247321a7ce8b83f8ccf9511cfd8

    • SHA1

      84010fbc63cc59d908db261f706f8065e903a72d

    • SHA256

      3ff6a400208079709780ba2f7ed1f79e2ca1e114f5b0732ed8aaa990d3b4329e

    • SHA512

      43ee1dfa4d40a757cbfe5b6a7aa3c5ae454f8bf45341aab01e011f0f4680bffe4193a223aca9e2e4c3da5f8ddcda00e4eede60d22758473b7f0e96395a0eaf1f

    • SSDEEP

      12288:lDT40cglZGEfkxeQkVPeYb4HB8zZMS4YaPt7FQUxoKAHCH2n1fVxAd5pjL:140cg+WkYPe04HCN17aF7JxoKAi6dxAF

    Score
    10/10
    hawkeye_rebornm00nd3v_loggeragilenetcollectiondiscoveryinfostealerkeyloggerpersistencespywarestealertrojan

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

      keyloggertrojanstealerspywarehawkeye_reborn

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

      stealerspywarem00nd3v_logger

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • M00nD3v Logger payload

      Detects M00nD3v Logger payload in memory.

      infostealer

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks