hawkeye | 712e38d6f7ec0cb09be6fea727a3748b2de1c7c8286b33bb227f68dca34b6073 | Triage

Submit
Reports

Overview

overview

Static

static

E141889364...DF.exe

windows7-x64

E141889364...DF.exe

windows10-2004-x64

Sharing

General

Target

E1418893649007.PDF.exe
Size

1.1MB
Sample

220801-j58wrsfebn
MD5

21491189acd58edf2ffcc5829abbb7a6
SHA1

97439584bd72e0ea470085983cf18a02581b76b4
SHA256

712e38d6f7ec0cb09be6fea727a3748b2de1c7c8286b33bb227f68dca34b6073
SHA512

0f0cb57475a5ba07f00c8993febec95cb953b4d1b5f13229db9463e81e4cf584d15b8b1d58a3ffafb459baf0b67dda46efdb445b128ed0470784faef6b8cd716

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

E1418893649007.PDF.exe

Resource

win7-20220718-en

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

E1418893649007.PDF.exe

Resource

win10v2004-20220721-en

hawkeye collection keylogger spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.trambaohanhelectroluxhn.com
Port:
21
Username:
LOGGSS2022@suachuaduongongnuoc.net
Password:
Wn5b%iX[O%95

Targets

- Target
  
  E1418893649007.PDF.exe
- Size
  
  1.1MB
- MD5
  
  21491189acd58edf2ffcc5829abbb7a6
- SHA1
  
  97439584bd72e0ea470085983cf18a02581b76b4
- SHA256
  
  712e38d6f7ec0cb09be6fea727a3748b2de1c7c8286b33bb227f68dca34b6073
- SHA512
  
  0f0cb57475a5ba07f00c8993febec95cb953b4d1b5f13229db9463e81e4cf584d15b8b1d58a3ffafb459baf0b67dda46efdb445b128ed0470784faef6b8cd716
Score

10^/10

hawkeye collection keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

hawkeyecollectionkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy