hawkeye | 472850f10a31b73507eff393a85df997b3a154bdbca8a4b4da5b2b86d34b7f2d | Triage

Submit
Reports

Overview

overview

Static

static

472850f10a...2d.exe

windows7_x64

9

472850f10a...2d.exe

windows10-2004_x64

Sharing

General

Target

472850f10a31b73507eff393a85df997b3a154bdbca8a4b4da5b2b86d34b7f2d
Size

917KB
Sample

220714-jeq82acfdl
MD5

3035f93f329aa869a91015f30981e6e5
SHA1

d916f5ac85851ec9880cb4262b6fd8884a1ffc28
SHA256

472850f10a31b73507eff393a85df997b3a154bdbca8a4b4da5b2b86d34b7f2d
SHA512

732dbeb4a27e07a8b4029a960ff5d6488741f83046c0ac0378bde23d21cf5a61305249be270511ff2ce1fbb543efd611ee8b9e1fcc29e18fdc55c4653cdef6fc

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

472850f10a31b73507eff393a85df997b3a154bdbca8a4b4da5b2b86d34b7f2d.exe

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

472850f10a31b73507eff393a85df997b3a154bdbca8a4b4da5b2b86d34b7f2d.exe

Resource

win10v2004-20220414-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  472850f10a31b73507eff393a85df997b3a154bdbca8a4b4da5b2b86d34b7f2d
- Size
  
  917KB
- MD5
  
  3035f93f329aa869a91015f30981e6e5
- SHA1
  
  d916f5ac85851ec9880cb4262b6fd8884a1ffc28
- SHA256
  
  472850f10a31b73507eff393a85df997b3a154bdbca8a4b4da5b2b86d34b7f2d
- SHA512
  
  732dbeb4a27e07a8b4029a960ff5d6488741f83046c0ac0378bde23d21cf5a61305249be270511ff2ce1fbb543efd611ee8b9e1fcc29e18fdc55c4653cdef6fc
Score

10^/10

persistence hawkeye collection keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy