SYMBOLCOMMON_NAMEaka. SYNONYMS
win.nighthawk (Back to overview)

Nighthawk


C2 framework.

References
2022-12-03Github (kevoreilly)Nikhil Hegde
@online{hegde:20221203:nighthawk:df5c791, author = {Nikhil Hegde}, title = {{Nighthawk DLL Payload Configuration Parser}}, date = {2022-12-03}, organization = {Github (kevoreilly)}, url = {https://github.com/kevoreilly/CAPEv2/blob/master/modules/processing/parsers/CAPE/Nighthawk.py}, language = {English}, urldate = {2022-12-12} } Nighthawk DLL Payload Configuration Parser
Nighthawk
2022-11-25Github (struppigel)Karsten Hahn
@online{hahn:20221125:python:ec3b5d3, author = {Karsten Hahn}, title = {{Python script to decode NightHawk strings}}, date = {2022-11-25}, organization = {Github (struppigel)}, url = {https://github.com/struppigel/hedgehog-tools/blob/main/nighthawk_str_decoder.py}, language = {English}, urldate = {2022-11-28} } Python script to decode NightHawk strings
Nighthawk
2022-11-22ProofpointAlexander Rausch, Proofpoint Threat Research Team
@online{rausch:20221122:nighthawk:48f730c, author = {Alexander Rausch and Proofpoint Threat Research Team}, title = {{Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice}}, date = {2022-11-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice}, language = {English}, urldate = {2022-11-22} } Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice
Nighthawk
2022-09-01Medium michaelkoczwaraMichael Koczwara
@online{koczwara:20220901:hunting:45c54de, author = {Michael Koczwara}, title = {{Hunting C2/Adversaries Infrastructure with Shodan and Censys}}, date = {2022-09-01}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f}, language = {English}, urldate = {2023-01-19} } Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver
2022-05-05Suspicious ActorAustin Hudson
@online{hudson:20220505:studying:da3c36c, author = {Austin Hudson}, title = {{Studying “Next Generation Malware” - NightHawk’s Attempt At Obfuscate and Sleep}}, date = {2022-05-05}, organization = {Suspicious Actor}, url = {https://web.archive.org/web/20220505170100/https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html}, language = {English}, urldate = {2022-12-02} } Studying “Next Generation Malware” - NightHawk’s Attempt At Obfuscate and Sleep
Nighthawk
Yara Rules
[TLP:WHITE] win_nighthawk_auto (20230715 | Detects win.nighthawk.)
rule win_nighthawk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.nighthawk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nighthawk"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c89642468 458d44240f 488d15b54b0800 488d4c2450 e8???????? 488d542450 488d8d50010000 }
            // n = 7, score = 100
            //   4c89642468           | dec                 eax
            //   458d44240f           | lea                 ecx, [ebp - 0x60]
            //   488d15b54b0800       | dec                 eax
            //   488d4c2450           | mov                 dword ptr [ebp - 0x60], ebx
            //   e8????????           |                     
            //   488d542450           | dec                 eax
            //   488d8d50010000       | mov                 dword ptr [ebp - 0x58], esi

        $sequence_1 = { 48c70607000000 6644897ee8 4883c628 488d4ee0 483bcd 75b0 48897c2428 }
            // n = 7, score = 100
            //   48c70607000000       | dec                 eax
            //   6644897ee8           | lea                 edx, [0x64117]
            //   4883c628             | dec                 eax
            //   488d4ee0             | mov                 ecx, dword ptr [esp + 0x50]
            //   483bcd               | dec                 eax
            //   75b0                 | mov                 dword ptr [esp + 0x30], eax
            //   48897c2428           | dec                 eax

        $sequence_2 = { 57 4154 4156 4157 4881ec80000000 0f2970c8 488bda }
            // n = 7, score = 100
            //   57                   | mov                 ecx, dword ptr [ebx + 0x18]
            //   4154                 | dec                 ecx
            //   4156                 | cmp                 ecx, esi
            //   4157                 | jb                  0x623
            //   4881ec80000000       | dec                 esp
            //   0f2970c8             | mov                 eax, dword ptr [ebx]
            //   488bda               | dec                 eax

        $sequence_3 = { 74e8 488bc3 498bef 483bde 744b 488b4810 48ffc5 }
            // n = 7, score = 100
            //   74e8                 | inc                 ebp
            //   488bc3               | lea                 ebp, [esp + 0x11]
            //   498bef               | inc                 ebp
            //   483bde               | mov                 eax, ebp
            //   744b                 | dec                 eax
            //   488b4810             | mov                 edx, eax
            //   48ffc5               | dec                 eax

        $sequence_4 = { 48c70307000000 668973e8 4883c338 488d43d0 483bc7 75d0 488b5c2430 }
            // n = 7, score = 100
            //   48c70307000000       | and                 dword ptr [esp + 0x28], 0
            //   668973e8             | inc                 ebp
            //   4883c338             | xor                 eax, eax
            //   488d43d0             | dec                 eax
            //   483bc7               | and                 dword ptr [esp + 0x20], 0
            //   75d0                 | xor                 edx, edx
            //   488b5c2430           | dec                 eax

        $sequence_5 = { 4c897d37 4c897d2f 44897d23 897d1f c744242040000000 ff15???????? 85c0 }
            // n = 7, score = 100
            //   4c897d37             | mov                 eax, dword ptr [ebx + 0x10]
            //   4c897d2f             | dec                 eax
            //   44897d23             | mov                 edx, ebx
            //   897d1f               | inc                 esp
            //   c744242040000000     | cmp                 byte ptr [eax + 0x19], bh
            //   ff15????????         |                     
            //   85c0                 | je                  0x946

        $sequence_6 = { e9???????? 8b07 89442420 488d5708 488d4c2428 e8???????? 90 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b07                 | dec                 eax
            //   89442420             | cmp                 dword ptr [ebp - 0x80], 0x10
            //   488d5708             | jb                  0x8ec
            //   488d4c2428           | dec                 eax
            //   e8????????           |                     
            //   90                   | mov                 ecx, dword ptr [esp + 0x68]

        $sequence_7 = { e8???????? 90 837c245001 740f 488d4c2448 e8???????? e9???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   90                   | mov                 byte ptr [esp + 0x60], ah
            //   837c245001           | xorps               xmm0, xmm0
            //   740f                 | movdqu              xmmword ptr [ebp - 0x40], xmm0
            //   488d4c2448           | dec                 esp
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_8 = { 4c8bc0 488b556f e8???????? 8983c4000000 4c397d0f 720f 488b4df7 }
            // n = 7, score = 100
            //   4c8bc0               | mov                 dword ptr [ebp + 0x110], esi
            //   488b556f             | dec                 eax
            //   e8????????           |                     
            //   8983c4000000         | mov                 dword ptr [ebp + 0x118], 0xf
            //   4c397d0f             | inc                 ecx
            //   720f                 | mov                 eax, 0x14
            //   488b4df7             | dec                 eax

        $sequence_9 = { 48893e 488d043b 48897e08 4c8bc5 498bd6 48894610 488bcf }
            // n = 7, score = 100
            //   48893e               | mov                 ecx, 4
            //   488d043b             | dec                 esp
            //   48897e08             | lea                 eax, [ebp + 0x67]
            //   4c8bc5               | nop                 
            //   498bd6               | mov                 eax, dword ptr [esp + 0x20]
            //   48894610             | mov                 dword ptr [ebp + 0x90], eax
            //   488bcf               | inc                 ebp

    condition:
        7 of them and filesize < 1949696
}
Download all Yara Rules