hawkeye_reborn | 6d4075cae42df68f5e06799b799c60ecfccff4794277c67b00bc9009b3faf1e4

General

Target

f7978d432d1f4d99ad24568643704f88_JaffaCakes118
Size

949KB
Sample

240926-feapha1ekb
MD5

f7978d432d1f4d99ad24568643704f88
SHA1

fd86eb0f4a592d6be7200191aaa705592a4f631f
SHA256

6d4075cae42df68f5e06799b799c60ecfccff4794277c67b00bc9009b3faf1e4
SHA512

3ff3ba2b4c8e6cc282ff79255ec228386e48dc5f7d45208ba30a338992e46a1e72afc7d3f96d1b61ac4cbdbb8687f646cfdb95394873135386ca4f7dab38305b
SSDEEP

12288:knWwI/AJjDTKTCGlZBBx1Vtl9Hx2hsAuyLdyrUNzYweqNoCoOL2VjA05e/hMXRY6:kWwZxKGon31Vtl3OsnWbu4plkPcYxG

Score

10^/10

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Targets

- Target
  
  f7978d432d1f4d99ad24568643704f88_JaffaCakes118
- Size
  
  949KB
- MD5
  
  f7978d432d1f4d99ad24568643704f88
- SHA1
  
  fd86eb0f4a592d6be7200191aaa705592a4f631f
- SHA256
  
  6d4075cae42df68f5e06799b799c60ecfccff4794277c67b00bc9009b3faf1e4
- SHA512
  
  3ff3ba2b4c8e6cc282ff79255ec228386e48dc5f7d45208ba30a338992e46a1e72afc7d3f96d1b61ac4cbdbb8687f646cfdb95394873135386ca4f7dab38305b
- SSDEEP
  
  12288:knWwI/AJjDTKTCGlZBBx1Vtl9Hx2hsAuyLdyrUNzYweqNoCoOL2VjA05e/hMXRY6:kWwZxKGon31Vtl3OsnWbu4plkPcYxG
Score

10^/10

hawkeye_reborn m00nd3v_logger agilenet discovery infostealer keylogger spyware stealer trojan
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- M00nD3v Logger payload
  Detects M00nD3v Logger payload in memory.
  infostealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

HawkEye Reborn

M00nd3v_Logger

Detected Nirsoft tools

M00nD3v Logger payload

NirSoft MailPassView

NirSoft WebBrowserPassView

Obfuscated with Agile.Net obfuscator

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2