hawkeye | 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52 | Triage

Submit
Reports

Overview

overview

Static

static

8

58c69a3599...52.exe

windows7-x64

58c69a3599...52.exe

windows10-2004-x64

Sharing

General

Target

58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52
Size

5.6MB
Sample

220724-hbq87aagcr
MD5

80a0a3da2f9717c0532cc760b1e7f746
SHA1

999e1bd2c3947f898d21572c2c360de72232ef09
SHA256

58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52
SHA512

4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5

Score

10^/10

hawkeye collection keylogger spyware stealer trojan vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe

Resource

win7-20220718-en

hawkeye collection keylogger spyware stealer trojan vmprotect

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe

Resource

win10v2004-20220721-en

hawkeye collection keylogger spyware stealer trojan vmprotect

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.vivaldi.net
Port:
587
Username:
hklgs@vivaldi.net
Password:
nAMkXP8FUGvSc3wjPCKF

Targets

- Target
  
  58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52
- Size
  
  5.6MB
- MD5
  
  80a0a3da2f9717c0532cc760b1e7f746
- SHA1
  
  999e1bd2c3947f898d21572c2c360de72232ef09
- SHA256
  
  58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52
- SHA512
  
  4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5
Score

10^/10

hawkeye collection keylogger spyware stealer trojan vmprotect
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerspywarestealertrojanvmprotect

behavioral2

hawkeyecollectionkeyloggerspywarestealertrojanvmprotect

© 2018-2024

Terms | Privacy