hawkeye | 3710be0460f2beeb1333465e59c16457bc3d0bc68078c8378062c64dca72d1a1 | Triage

Submit
Reports

Overview

overview

Static

static

order11082020.exe

windows7_x64

order11082020.exe

windows10-2004_x64

Sharing

General

Target

3710be0460f2beeb1333465e59c16457bc3d0bc68078c8378062c64dca72d1a1
Size

537KB
Sample

220521-xhamcabgb9
MD5

3a51ce8f2f8accccf28f3fd69e81514b
SHA1

b7bc9e1d3a968142919734fd7ec406c59177af7f
SHA256

3710be0460f2beeb1333465e59c16457bc3d0bc68078c8378062c64dca72d1a1
SHA512

f342e2d613811d4595c10b84a18ff57d01a374d75bdebe3f23d8f8c033ce71fd959fafcb50d55f652517ad0db115505fa93e6ad65645fb0d9c92c4fddfa79d6e

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

order11082020.exe

Resource

win7-20220414-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

order11082020.exe

Resource

win10v2004-20220414-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
webmail.tos-thailand.com
Port:
587
Username:
sudarat.k@tos-thailand.com
Password:
P@ssw0rd

Targets

- Target
  
  order11082020.exe
- Size
  
  833KB
- MD5
  
  a0b802ef353d5c6815e6c62591a8f838
- SHA1
  
  32c668826f676f184e25981f07a350f5688ad3ea
- SHA256
  
  2bea6b69613e7cfcc0aa58ce7fb8ba250611181f69667b07b51b5f7bf3c11a9d
- SHA512
  
  8bcd5842a256bf4413364376a86eca8723fe30c775347028438e462c995832a3a6a74c1a62f262753370e472e95af871307893a0106418df735eb3998303f6d5
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy