hawkeye | 368879602c1cbd9aba693fe681b5b3972d033c7ad782c324965f569986ef64aa | Triage

Submit
Reports

Overview

overview

Static

static

368879602c...aa.exe

windows7_x64

368879602c...aa.exe

windows10-2004_x64

8

Sharing

General

Target

368879602c1cbd9aba693fe681b5b3972d033c7ad782c324965f569986ef64aa
Size

723KB
Sample

220626-cpe57adbep
MD5

c9a560b2721b47ca68d577115cfa9d14
SHA1

df85d6c4624325425470ca3f95b18e89598d117d
SHA256

368879602c1cbd9aba693fe681b5b3972d033c7ad782c324965f569986ef64aa
SHA512

98c1e19d9625bcf4ffe6044a5ea6066708528b15c4546c05d2403385e1a54a9360b609bcb214e400c72d21cd1266f56c1cb33fbe144186dd3bc34e7f40d7441c

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

368879602c1cbd9aba693fe681b5b3972d033c7ad782c324965f569986ef64aa.exe

Resource

win7-20220414-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

368879602c1cbd9aba693fe681b5b3972d033c7ad782c324965f569986ef64aa.exe

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  368879602c1cbd9aba693fe681b5b3972d033c7ad782c324965f569986ef64aa
- Size
  
  723KB
- MD5
  
  c9a560b2721b47ca68d577115cfa9d14
- SHA1
  
  df85d6c4624325425470ca3f95b18e89598d117d
- SHA256
  
  368879602c1cbd9aba693fe681b5b3972d033c7ad782c324965f569986ef64aa
- SHA512
  
  98c1e19d9625bcf4ffe6044a5ea6066708528b15c4546c05d2403385e1a54a9360b609bcb214e400c72d21cd1266f56c1cb33fbe144186dd3bc34e7f40d7441c
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy