hawkeye | 4d9bc018fa90f713b3489a501f676ee87d975f0466a6e9f63dffd81513fa7a37 | Triage

Submit
Reports

Overview

overview

Static

static

4d9bc018fa...37.exe

windows7-x64

4d9bc018fa...37.exe

windows10-2004-x64

Sharing

General

Target

4d9bc018fa90f713b3489a501f676ee87d975f0466a6e9f63dffd81513fa7a37
Size

906KB
Sample

220720-zb2hlaagdr
MD5

6f44e365d71e852639c9674933814fca
SHA1

20a2ad6ba80fec51f9eafd56bb4e1d6d6ea09f5f
SHA256

4d9bc018fa90f713b3489a501f676ee87d975f0466a6e9f63dffd81513fa7a37
SHA512

cfea2709b8aa9298f6e4a7c3baf8d51572ff40a24082c0090c72c1ce32e0911d46cc7ef3edb9a44d4be6bb4249136bcb78de108fbe22579c9ca02d02f5b5296d

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

4d9bc018fa90f713b3489a501f676ee87d975f0466a6e9f63dffd81513fa7a37.exe

Resource

win7-20220718-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

4d9bc018fa90f713b3489a501f676ee87d975f0466a6e9f63dffd81513fa7a37.exe

Resource

win10v2004-20220414-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  4d9bc018fa90f713b3489a501f676ee87d975f0466a6e9f63dffd81513fa7a37
- Size
  
  906KB
- MD5
  
  6f44e365d71e852639c9674933814fca
- SHA1
  
  20a2ad6ba80fec51f9eafd56bb4e1d6d6ea09f5f
- SHA256
  
  4d9bc018fa90f713b3489a501f676ee87d975f0466a6e9f63dffd81513fa7a37
- SHA512
  
  cfea2709b8aa9298f6e4a7c3baf8d51572ff40a24082c0090c72c1ce32e0911d46cc7ef3edb9a44d4be6bb4249136bcb78de108fbe22579c9ca02d02f5b5296d
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy