hawkeye | 674b6a15f88d56fd86dd661440f7ce0c1cd8a8c6e5d3b3a699f3f46b5d8d8e7d | Triage

Submit
Reports

Overview

overview

Static

static

order17062...84.exe

windows7_x64

order17062...84.exe

windows10-2004_x64

Sharing

General

Target

674b6a15f88d56fd86dd661440f7ce0c1cd8a8c6e5d3b3a699f3f46b5d8d8e7d
Size

586KB
Sample

220521-bjpl1abhf6
MD5

04f1446f294db4431eff1d5d18bb912a
SHA1

02cf7619a9a068ea2b5db440cbe92052dad5152e
SHA256

674b6a15f88d56fd86dd661440f7ce0c1cd8a8c6e5d3b3a699f3f46b5d8d8e7d
SHA512

8135cc16bebeb31aedd8e3a8f7da3443152347e67a9bed0691f876570c647f7452dba9139c41623545fc389368e14deb46fd64b693bc580c500a3e35f9b0e56b

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

order17062020BN77384.exe

Resource

win7-20220414-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

order17062020BN77384.exe

Resource

win10v2004-20220414-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.urban.co.th
Port:
587
Username:
[email protected]
Password:
Urban@1143

Targets

- Target
  
  order17062020BN77384.exe
- Size
  
  924KB
- MD5
  
  eeff91ec45d81b553a4772c1183be863
- SHA1
  
  9338477c46a9ebfe2338a9783efe15ec0eced3cf
- SHA256
  
  a2966a3e5a7753ea245a9e5228cf96d631e15a3777a5b2550724bed0f646784a
- SHA512
  
  58a3a2b700a2e79b7c46f471745c3cc18026f8b4291df26c570e3a851347b56f58c056b3bfa4848b153db3b5e55930cb5505b4bcc4db4318f56872f35aa78d5c
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy