hawkeye | 286b416351f4ca6cc215c58692af9be6b9f4eb54c4641160e2a31dfd16c43ec7 | Triage

Submit
Reports

Overview

overview

Static

static

Prueba de pago.exe

windows7_x64

Prueba de pago.exe

windows10_x64

Sharing

General

Target

Prueba de pago.exe
Size

1.1MB
Sample

201118-qxkd8j3gqa
MD5

b3a244a097904a4d6689a582d7ec9985
SHA1

b16032d83c91ee333221fafadd5f2381ca659d78
SHA256

286b416351f4ca6cc215c58692af9be6b9f4eb54c4641160e2a31dfd16c43ec7
SHA512

533cbddf7d78740e2586d58588c5d0ad4407417c835c0407d93d86b3202626f160d664b69aefb3d32f94416d7558d6ba9377a28f44be3ff21ace2fd4e51f0748

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

Prueba de pago.exe

Resource

win7v20201028

hawkeye keylogger persistence spyware stealer trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Prueba de pago.exe

Resource

win10v20201028

hawkeye keylogger persistence spyware stealer trojan upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.jif-asesores.com
Port:
587
Username:
administracion@jif-asesores.com
Password:
Aa122334455

Targets

- Target
  
  Prueba de pago.exe
- Size
  
  1.1MB
- MD5
  
  b3a244a097904a4d6689a582d7ec9985
- SHA1
  
  b16032d83c91ee333221fafadd5f2381ca659d78
- SHA256
  
  286b416351f4ca6cc215c58692af9be6b9f4eb54c4641160e2a31dfd16c43ec7
- SHA512
  
  533cbddf7d78740e2586d58588c5d0ad4407417c835c0407d93d86b3202626f160d664b69aefb3d32f94416d7558d6ba9377a28f44be3ff21ace2fd4e51f0748
Score

10^/10

hawkeye keylogger persistence spyware stealer trojan upx
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hawkeyekeyloggerpersistencespywarestealertrojanupx

behavioral2

hawkeyekeyloggerpersistencespywarestealertrojanupx

© 2018-2024

Terms | Privacy