hawkeye | 4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482

General

Target

4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe
Size

556KB
MD5

e3638516b609eed8bfa8e5732e5eebba
SHA1

12c752d26dab93e1b10f81cca4c7bb5d45c7b654
SHA256

4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482
SHA512

ef60515898834800b2b281bb3484591125c4e5f91487dd8e5f1c2e07226d64cb0739448d9a53f68a3e42ab5498cf721e4e55b0702135657f5d9974158d746984

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 11 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2020-61-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2020-63-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2020-64-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2020-70-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2020-68-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2020-65-0x0000000000480C1E-mapping.dmp	MailPassView
behavioral1/memory/1504-77-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1504-76-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1504-80-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1504-82-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1504-83-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 11 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2020-61-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2020-63-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2020-64-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2020-70-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2020-68-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2020-65-0x0000000000480C1E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1460-85-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/1460-84-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1460-88-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1460-89-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1460-91-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2020-61-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2020-63-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2020-64-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2020-70-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2020-68-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2020-65-0x0000000000480C1E-mapping.dmp	Nirsoft
behavioral1/memory/1504-77-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1504-76-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1504-80-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1504-82-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1504-83-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1460-85-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/1460-84-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1460-88-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1460-89-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1460-91-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

2020 svhost.exe
Loads dropped DLL 1 IoCs

Processes:

4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe

pid process

624 4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2020	svhost.exe

pid	process
624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
7 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exesvhost.exe

description	pid	process	target process
PID 624 set thread context of 2020	624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe	svhost.exe
PID 2020 set thread context of 1504	2020	svhost.exe	vbc.exe
PID 2020 set thread context of 1460	2020	svhost.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exesvhost.exe

pid process

624 4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe
2020 svhost.exe

pid	process
624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe
2020	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe
Token: SeDebugPrivilege	2020	svhost.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exesvhost.exe

description	pid	process	target process
PID 624 wrote to memory of 2020	624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe	svhost.exe
PID 624 wrote to memory of 2020	624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe	svhost.exe
PID 624 wrote to memory of 2020	624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe	svhost.exe
PID 624 wrote to memory of 2020	624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe	svhost.exe
PID 624 wrote to memory of 2020	624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe	svhost.exe
PID 624 wrote to memory of 2020	624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe	svhost.exe
PID 624 wrote to memory of 2020	624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe	svhost.exe
PID 624 wrote to memory of 2020	624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe	svhost.exe
PID 624 wrote to memory of 2020	624	4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe	svhost.exe
PID 2020 wrote to memory of 1504	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1504	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1504	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1504	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1504	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1504	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1504	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1504	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1504	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1504	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1460	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1460	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1460	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1460	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1460	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1460	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1460	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1460	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1460	2020	svhost.exe	vbc.exe
PID 2020 wrote to memory of 1460	2020	svhost.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe
"C:\Users\Admin\AppData\Local\Temp\4c10f8881ab7b1b47a4db73fb9052e23efbfcecf4b2b28c569c01faba944d482.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:1504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
memory/624-55-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/624-56-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/624-74-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/624-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1460-91-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1460-84-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1460-85-0x0000000000442628-mapping.dmp

Download
memory/1460-88-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1460-89-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1504-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1504-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1504-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1504-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1504-77-0x0000000000411654-mapping.dmp

Download
memory/2020-73-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-75-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-65-0x0000000000480C1E-mapping.dmp

Download
memory/2020-81-0x00000000003C5000-0x00000000003D6000-memory.dmp

Filesize
68KB

Download
memory/2020-68-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2020-70-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2020-64-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2020-63-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2020-61-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2020-59-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2020-58-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2020-92-0x00000000003C5000-0x00000000003D6000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads