Malware Analysis Report

2025-06-16 02:26

Sample ID 220222-zmm5caeghm
Target 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c
SHA256 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c
Tags
hawkeye collection keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c

Threat Level: Known bad

The file 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c was found to be: Known bad.

Malicious Activity Summary

hawkeye collection keylogger persistence spyware stealer trojan

HawkEye

Nirsoft

NirSoft WebBrowserPassView

NirSoft MailPassView

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Adds Run key to start application

Looks up external IP address via web service

autoit_exe

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-22 20:50

Signatures

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-22 20:50

Reported

2022-02-22 21:04

Platform

win7-en-20211208

Max time kernel

148s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3466\3466.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1772 set thread context of 1960 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 set thread context of 980 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1472 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe C:\Users\Admin\AppData\Local\Temp\3466\3466.exe
PID 1472 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe C:\Users\Admin\AppData\Local\Temp\3466\3466.exe
PID 1472 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe C:\Users\Admin\AppData\Local\Temp\3466\3466.exe
PID 1472 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe C:\Users\Admin\AppData\Local\Temp\3466\3466.exe
PID 1064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\3466\3466.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\3466\3466.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\3466\3466.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\3466\3466.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\3466\3466.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\3466\3466.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\3466\3466.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1772 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe

"C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe"

C:\Users\Admin\AppData\Local\Temp\3466\3466.exe

"C:\Users\Admin\AppData\Local\Temp\3466\3466.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.155.36:80 whatismyipaddress.com tcp
US 104.16.155.36:443 whatismyipaddress.com tcp
US 104.16.155.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 smtp.gmail.com udp
US 142.250.102.109:587 smtp.gmail.com tcp
US 142.250.102.109:587 smtp.gmail.com tcp

Files

memory/1472-54-0x0000000076151000-0x0000000076153000-memory.dmp

\Users\Admin\AppData\Local\Temp\3466\3466.exe

MD5 8911ced838a1e703cd5feec9a6cd3d86
SHA1 a0b7da517f0a6eceb94e29e00f78630cb96ba046
SHA256 f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102
SHA512 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632

\Users\Admin\AppData\Local\Temp\3466\3466.exe

MD5 8911ced838a1e703cd5feec9a6cd3d86
SHA1 a0b7da517f0a6eceb94e29e00f78630cb96ba046
SHA256 f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102
SHA512 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632

\Users\Admin\AppData\Local\Temp\3466\3466.exe

MD5 8911ced838a1e703cd5feec9a6cd3d86
SHA1 a0b7da517f0a6eceb94e29e00f78630cb96ba046
SHA256 f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102
SHA512 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632

\Users\Admin\AppData\Local\Temp\3466\3466.exe

MD5 8911ced838a1e703cd5feec9a6cd3d86
SHA1 a0b7da517f0a6eceb94e29e00f78630cb96ba046
SHA256 f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102
SHA512 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632

C:\Users\Admin\AppData\Local\Temp\3466\3466.exe

MD5 8911ced838a1e703cd5feec9a6cd3d86
SHA1 a0b7da517f0a6eceb94e29e00f78630cb96ba046
SHA256 f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102
SHA512 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632

C:\Users\Admin\AppData\Local\Temp\3466\3466.exe

MD5 8911ced838a1e703cd5feec9a6cd3d86
SHA1 a0b7da517f0a6eceb94e29e00f78630cb96ba046
SHA256 f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102
SHA512 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632

memory/1064-62-0x0000000074251000-0x0000000074252000-memory.dmp

memory/1064-64-0x0000000074252000-0x0000000074254000-memory.dmp

memory/1064-63-0x0000000000750000-0x0000000000751000-memory.dmp

\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 8911ced838a1e703cd5feec9a6cd3d86
SHA1 a0b7da517f0a6eceb94e29e00f78630cb96ba046
SHA256 f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102
SHA512 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 8911ced838a1e703cd5feec9a6cd3d86
SHA1 a0b7da517f0a6eceb94e29e00f78630cb96ba046
SHA256 f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102
SHA512 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 8911ced838a1e703cd5feec9a6cd3d86
SHA1 a0b7da517f0a6eceb94e29e00f78630cb96ba046
SHA256 f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102
SHA512 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632

memory/1772-70-0x00000000021F0000-0x00000000021F1000-memory.dmp

memory/1772-69-0x0000000074251000-0x0000000074252000-memory.dmp

memory/1772-71-0x0000000074252000-0x0000000074254000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 99de8d7177c283523f98a7d7dd0519c3
SHA1 04864a33e03c6a5bc3c8b5bb9fb8a127a39455ab
SHA256 6501ba7ac6b6a7b48f6a06963b2101112ff8587d4873d497eb7fa4880acb47bb
SHA512 96acbc6f5e2fb7b42d3c657807600e5f10afa028601e651625d95066d7b270331b0e23d839031ac672431d865c3eb853eef91f18d3da9345add7887b7cfc6da0

memory/1960-73-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1772-75-0x0000000002206000-0x0000000002207000-memory.dmp

memory/1960-76-0x0000000000400000-0x000000000041B000-memory.dmp

memory/980-77-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holdermail.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/980-80-0x0000000000400000-0x0000000000458000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-22 20:50

Reported

2022-02-22 21:04

Platform

win10v2004-en-20220113

Max time kernel

150s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe"

Signatures

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3466\3466.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe

"C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe"

C:\Users\Admin\AppData\Local\Temp\3466\3466.exe

"C:\Users\Admin\AppData\Local\Temp\3466\3466.exe"

C:\Windows\SysWOW64\fondue.exe

"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Windows\system32\FonDUE.EXE

"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

Network

Country Destination Domain Proto
US 52.109.8.20:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\3466\3466.exe

MD5 8911ced838a1e703cd5feec9a6cd3d86
SHA1 a0b7da517f0a6eceb94e29e00f78630cb96ba046
SHA256 f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102
SHA512 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632

C:\Users\Admin\AppData\Local\Temp\3466\3466.exe

MD5 8911ced838a1e703cd5feec9a6cd3d86
SHA1 a0b7da517f0a6eceb94e29e00f78630cb96ba046
SHA256 f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102
SHA512 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632