hawkeye | 93b16ee22ee7c8a77ac718a118ac29d3f726d916e3be8c451ee1c9b3708ef0b2 | Triage

Submit
Reports

Overview

overview

Static

static

PO983627289.exe

windows7_x64

PO983627289.exe

windows10-2004_x64

Sharing

General

Target

93b16ee22ee7c8a77ac718a118ac29d3f726d916e3be8c451ee1c9b3708ef0b2
Size

541KB
Sample

220521-myqcmacfg5
MD5

1becde90b6a5d2bb4e315df9fed82c2a
SHA1

105d23942126c1dfdc88a913e7ddad616450098b
SHA256

93b16ee22ee7c8a77ac718a118ac29d3f726d916e3be8c451ee1c9b3708ef0b2
SHA512

6aba15e4aeff052d6559653b959fee7081bbde66b7c0653966ed6feb2fa3bcd90d558fef86374432951ca071f624398f9cc76fbc27e783fc65b17901f3ece57d

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO983627289.exe

Resource

win7-20220414-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO983627289.exe

Resource

win10v2004-20220414-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.urban.co.th
Port:
587
Username:
info@urban.co.th
Password:
Urban@1143

Targets

- Target
  
  PO983627289.exe
- Size
  
  837KB
- MD5
  
  c9ddd7789409993921f935f42e7fcf1a
- SHA1
  
  cd5e920aa114733fe22005fdb282c048d6fa6a75
- SHA256
  
  fce56056a7028ed4787e39d614c90e84804ad0dc03185a6532834564b10b7d5a
- SHA512
  
  e47730702a08704dd9fa2abeed91bdfa8b197c4c7754e1c0af3322c332e4bc82990193d90f6a81cf49d73f9ffd899119c22b2570beab86beddd06389dd3f5447
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy