hawkeye | 5085b0ca2f92b564192b4e5161917e146f72bdbb475718b51221aeb66fde89f0 | Triage

Submit
Reports

Overview

overview

Static

static

BL#HSZX000...df.exe

windows7_x64

BL#HSZX000...df.exe

windows10_x64

Sharing

General

Target

BL#HSZX00034256_pdf.exe
Size

960KB
Sample

201111-tkaq9cs1de
MD5

54d657c9a3d9b7b41c8d6c3c351e8e00
SHA1

dc0e9be372763bcec640dc646d2cfe20311a059a
SHA256

5085b0ca2f92b564192b4e5161917e146f72bdbb475718b51221aeb66fde89f0
SHA512

01a41d2d70db000581c6b5b6f2af4fc783172837279b28520b1a6db94c488ca4099b3ab68d7c08414a797f3813182dd458a1241c4d1babbd3b1e84aaa8df8a0c

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

BL#HSZX00034256_pdf.exe

Resource

win7v20201028

hawkeye keylogger persistence spyware stealer trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

BL#HSZX00034256_pdf.exe

Resource

win10v20201028

hawkeye keylogger persistence spyware stealer trojan upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.ilkimegitim.com
Port:
587
Username:
savas@ilkimegitim.com
Password:
Savas581

Targets

- Target
  
  BL#HSZX00034256_pdf.exe
- Size
  
  960KB
- MD5
  
  54d657c9a3d9b7b41c8d6c3c351e8e00
- SHA1
  
  dc0e9be372763bcec640dc646d2cfe20311a059a
- SHA256
  
  5085b0ca2f92b564192b4e5161917e146f72bdbb475718b51221aeb66fde89f0
- SHA512
  
  01a41d2d70db000581c6b5b6f2af4fc783172837279b28520b1a6db94c488ca4099b3ab68d7c08414a797f3813182dd458a1241c4d1babbd3b1e84aaa8df8a0c
Score

10^/10

hawkeye keylogger persistence spyware stealer trojan upx
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hawkeyekeyloggerpersistencespywarestealertrojanupx

behavioral2

hawkeyekeyloggerpersistencespywarestealertrojanupx

© 2018-2024

Terms | Privacy