hawkeye | 02e8e1b20a7507d3bd9cc8987072a4823ee5aeb81a3ff956224d1f0e4aeb0214 | Triage

Submit
Reports

Overview

overview

Static

static

PO9048899AUG13.exe

windows7_x64

PO9048899AUG13.exe

windows10-2004_x64

Sharing

General

Target

02e8e1b20a7507d3bd9cc8987072a4823ee5aeb81a3ff956224d1f0e4aeb0214
Size

587KB
Sample

220521-nxwcxshdcr
MD5

d22b725943195cf571d16dea38e75db5
SHA1

9fc52a99994986a2a7949831b7824913603c71be
SHA256

02e8e1b20a7507d3bd9cc8987072a4823ee5aeb81a3ff956224d1f0e4aeb0214
SHA512

c22f175de0a66433747b4a302b8ddf94f6fd6035ee05686835b7971d6a61f8535131d8e21c9ff40fe5fb11ab916788a7e0df88f0ba619ec48acd5f5f84cea796

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO9048899AUG13.exe

Resource

win7-20220414-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO9048899AUG13.exe

Resource

win10v2004-20220414-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
webmail.tos-thailand.com
Port:
587
Username:
[email protected]
Password:
P@ssw0rd

Targets

- Target
  
  PO9048899AUG13.exe
- Size
  
  947KB
- MD5
  
  73fa9bfb100fa4d8304fef98446d2b62
- SHA1
  
  1ee7c475c40a82dfa230e26669aed12271778f49
- SHA256
  
  9af42638628323098b6873eee65103c97fa1ff971d6640323ab4a5290edc71c2
- SHA512
  
  09748e21766ba6147023b1424109ed394371c2da93334016fe790c8b36df3c3de9e9194b31bcbab06661d0200d11a90c1314505d91bca94d7839066cf0bdbdcb
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy