SYMBOL | COMMON_NAME | aka. SYNONYMS
win.nighthawk (Back to overview)

Nighthawk


A command-and-control (C2) framework.

References
2022-12-03 — Github (kevoreilly) — Nikhil Hegde
Nighthawk DLL Payload Configuration Parser
Nighthawk
2022-11-25 — Github (struppigel) — Karsten Hahn
Python script to decode NightHawk strings
Nighthawk
2022-11-22 — Proofpoint — Alexander Rausch, Proofpoint Threat Research Team
Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice
Nighthawk
2022-09-01 — Medium (michaelkoczwara) — Michael Koczwara
Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4, Cobalt Strike, Deimos, GRUNT, IcedID, Merlin, Meterpreter, Nighthawk, PoshC2, Sliver
2022-05-05 — Suspicious Actor — Austin Hudson
Studying “Next Generation Malware” - NightHawk’s Attempt At Obfuscate and Sleep
Nighthawk
Yara Rules
[TLP:WHITE] win_nighthawk_auto (20230808 | Detects win.nighthawk.)
rule win_nighthawk_auto {

    /*
     * Auto-generated code-pattern rule for win.nighthawk.
     *
     * Matching logic (see `condition:` below): the rule fires when at least
     * 7 of the 10 `$sequence_*` opcode patterns are present AND the scanned
     * file is smaller than 1949696 bytes. Per the disclaimer below, the
     * sequences were selected from disassembly of memory dumps and unpacked
     * files, so the rule is intended for unpacked code; a packed or
     * otherwise obfuscated on-disk sample may not match, and a sample larger
     * than the size cap (e.g. padded, or carrying an embedded payload) is
     * excluded by the filesize check regardless of how many sequences hit.
     *
     * The `????????` wildcards in the byte sequences mask 4-byte operands
     * (presumably relative call/jump targets and displacements that differ
     * between builds) so that only the opcode skeleton has to match.
     *
     * NOTE(review): the `//` disassembly annotations under each sequence do
     * not line up with the hex bytes they sit next to (e.g. the single byte
     * `90` in $sequence_8 is a `nop`, yet it is annotated `mov eax, ebx`;
     * `4885c9` is annotated `dec eax`). They look like an offset/32-bit decode
     * of the 64-bit code and should be treated as informational only; the hex
     * bytes on the `$sequence_N = { ... }` lines are what the rule matches.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.nighthawk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nighthawk"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is 7 consecutive instruction encodings (n = 7); the
        // "score = 100" values are the generator's per-sequence ranking and
        // do not affect matching.
        $sequence_0 = { 8983a8000000 4c397d0f 720f 488b4df7 4885c9 7406 e8???????? }
            // n = 7, score = 100
            //   8983a8000000         | inc                 esi
            //   4c397d0f             | mov                 byte ptr [ecx + esi*8 + 0x3e], bl
            //   720f                 | dec                 eax
            //   488b4df7             | cmp                 edx, esi
            //   4885c9               | dec                 ecx
            //   7406                 | mov                 edx, ebx
            //   e8????????           |                     

        $sequence_1 = { ff15???????? 48897b48 48837b3808 720e 488b4b20 4885c9 7405 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   48897b48             | je                  0xe3d
            //   48837b3808           | movsx               edx, byte ptr [eax]
            //   720e                 | inc                 ecx
            //   488b4b20             | add                 edx, edi
            //   4885c9               | dec                 eax
            //   7405                 | lea                 ecx, [eax + 1]

        $sequence_2 = { 740d 0f104030 448d7701 0f11442420 498d4f30 ff15???????? 4585f6 }
            // n = 7, score = 100
            //   740d                 | dec                 eax
            //   0f104030             | lea                 eax, [0x3a954]
            //   448d7701             | dec                 eax
            //   0f11442420           | lea                 edx, [edx + 2]
            //   498d4f30             | test                ax, ax
            //   ff15????????         |                     
            //   4585f6               | jne                 0x1e37

        $sequence_3 = { 4c8bd2 488d354b95f5ff 4183e20f 488bfa 492bfa 488bda 4c8bc1 }
            // n = 7, score = 100
            //   4c8bd2               | mov                 edx, 4
            //   488d354b95f5ff       | dec                 eax
            //   4183e20f             | mov                 ecx, ebx
            //   488bfa               | dec                 eax
            //   492bfa               | mov                 ecx, edi
            //   488bda               | dec                 esp
            //   4c8bc1               | mov                 eax, eax

        $sequence_4 = { 7419 e8???????? 488b5310 41b801000000 488bc8 e8???????? eba5 }
            // n = 7, score = 100
            //   7419                 | mov                 eax, 4
            //   e8????????           |                     
            //   488b5310             | dec                 ecx
            //   41b801000000         | mov                 ecx, ebp
            //   488bc8               | dec                 ecx
            //   e8????????           |                     
            //   eba5                 | sub                 ebp, esp

        $sequence_5 = { ff15???????? 85c0 0f844a040000 448b4510 4c897588 4c897598 458d7e0f }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | mov                 esi, dword ptr [esi]
            //   0f844a040000         | jmp                 0xb33
            //   448b4510             | dec                 ecx
            //   4c897588             | mov                 esi, esi
            //   4c897598             | je                  0xb45
            //   458d7e0f             | dec                 eax

        $sequence_6 = { 8b02 418901 890a e9???????? 418b08 418b03 418900 }
            // n = 7, score = 100
            //   8b02                 | movzx               ecx, byte ptr [edx + edx]
            //   418901               | lea                 eax, [edx + 1]
            //   890a                 | inc                 esi
            //   e9????????           |                     
            //   418b08               | movzx               eax, byte ptr [eax + edx]
            //   418b03               | lea                 eax, [edx + 2]
            //   418900               | dec                 ecx

        $sequence_7 = { 4903ca 4b890c01 eb34 6683f803 7509 4923ce 46011401 }
            // n = 7, score = 100
            //   4903ca               | mov                 dword ptr [edi + 0xe8], ebp
            //   4b890c01             | dec                 esp
            //   eb34                 | mov                 dword ptr [edi + 0xf8], ebp
            //   6683f803             | dec                 eax
            //   7509                 | mov                 dword ptr [edi + 0x100], ebx
            //   4923ce               | inc                 sp
            //   46011401             | mov                 dword ptr [edi + 0xe8], ebp

        $sequence_8 = { 488d542470 488d4d20 e8???????? 488bd0 488d4d40 e8???????? 90 }
            // n = 7, score = 100
            //   488d542470           | mov                 ebx, eax
            //   488d4d20             | inc                 esp
            //   e8????????           |                     
            //   488bd0               | lea                 eax, [edx + 0x20]
            //   488d4d40             | dec                 esp
            //   e8????????           |                     
            //   90                   | mov                 eax, ebx

        $sequence_9 = { 4c894c2448 4c89642440 4c89642438 4489642430 48894c2428 4889442420 4533c9 }
            // n = 7, score = 100
            //   4c894c2448           | dec                 eax
            //   4c89642440           | test                ecx, ecx
            //   4c89642438           | je                  0x12d3
            //   4489642430           | nop                 
            //   48894c2428           | dec                 esp
            //   4889442420           | mov                 dword ptr [esp + 0x20], ebp
            //   4533c9               | dec                 eax

    condition:
        // "them" covers all ten $sequence_* strings; 7 hits out of 10 are
        // required, so up to three sequences may be missing (e.g. due to
        // compiler/build differences) and the rule still matches. The
        // filesize bound (< 1949696 bytes) is a hard gate: larger inputs
        // never match even if every sequence is present.
        7 of them and filesize < 1949696
}