Malware Analysis Report

2025-06-16 02:24

Sample ID 220310-e5alraghdk
Target 663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394
SHA256 663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394
Tags
hawkeye collection keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394

Threat Level: Known bad

The file 663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394 was found to be: Known bad.

Malicious Activity Summary

hawkeye collection keylogger persistence spyware stealer trojan

HawkEye

Nirsoft

NirSoft WebBrowserPassView

NirSoft MailPassView

Executes dropped EXE

Uses the VBS compiler for execution

Deletes itself

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-10 04:30

Signatures

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-10 04:30

Reported

2022-03-11 00:25

Platform

win7-20220223-en

Max time kernel

4294195s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1792 set thread context of 1764 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1792 set thread context of 1328 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1792 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1792 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394.exe

"C:\Users\Admin\AppData\Local\Temp\663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 mail.molinense.com udp
DE 35.159.5.169:587 mail.molinense.com tcp

Files

memory/1692-54-0x0000000076731000-0x0000000076733000-memory.dmp

memory/1692-56-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/1692-55-0x0000000074D20000-0x00000000752CB000-memory.dmp

memory/1692-57-0x0000000074D20000-0x00000000752CB000-memory.dmp

\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 226c62aab7bab3aca802a22b261f844f
SHA1 f00002fd6cea1c847d6df67b44846092c25003c5
SHA256 663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394
SHA512 1ef359486245bd53b93f91fe34709d7398682123ee373c20439ba42bf5511850d29f418743b9a9992511d6919220d3e2d8f68be5ebec7127073fd31ff10802fc

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 226c62aab7bab3aca802a22b261f844f
SHA1 f00002fd6cea1c847d6df67b44846092c25003c5
SHA256 663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394
SHA512 1ef359486245bd53b93f91fe34709d7398682123ee373c20439ba42bf5511850d29f418743b9a9992511d6919220d3e2d8f68be5ebec7127073fd31ff10802fc

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 367fd6eae630c3ccf51f45629c016aea
SHA1 1fc6d420acf7373317eb732acefc3bc1be93b269
SHA256 226ff9049ee09e784bca674c7c68ba8ac76566643c0d44705be7233cb2150983
SHA512 1cb4fdd2dc0741f60bd3df7bd4e4904548431d442f57ad4ee823042fa8f166bfe8ee615468315ef5b228aa8342b95809ac8d3cf6c34c5d2e3c9a3f768a3cbd0a

memory/1792-63-0x0000000074D20000-0x00000000752CB000-memory.dmp

memory/1792-64-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1792-65-0x0000000074D20000-0x00000000752CB000-memory.dmp

memory/1792-66-0x0000000000406000-0x0000000000407000-memory.dmp

memory/1764-67-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1764-70-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1328-71-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1328-74-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-10 04:30

Reported

2022-03-11 00:26

Platform

win10v2004-en-20220113

Max time kernel

144s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394.exe

"C:\Users\Admin\AppData\Local\Temp\663d8c19b6d0c03bb3712ffcedac0462959a2575747ab77404202e7aaa0fd394.exe"

C:\Windows\SysWOW64\fondue.exe

"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Windows\system32\FonDUE.EXE

"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

Network

Files

N/A