General

  • Target

    43583f825e6ba3b57cf38f0594389551607f82aaa85b02d099330df415b959fa

  • Size

    989KB

  • Sample

    221003-b62j3sbah3

  • MD5

    55dca6cac11f9479d1c7c47a2fd2b410

  • SHA1

    a6200c4b69083916a2e5a896fe58f2b0a2a9757e

  • SHA256

    43583f825e6ba3b57cf38f0594389551607f82aaa85b02d099330df415b959fa

  • SHA512

    38b9a819217cab628f6dc0f5184535cfa5641425eeff784c2aca3445cf4348879b916cfcab575d1c4c7992a3ce7c18fb9972b2f7352308d6218a91e870ce9af6

  • SSDEEP

    24576:vPGolp10GNq0kNGIiMrC0u2ID0n+TFQsucXQDjGlRz:mS1TNq0R+P1IS0uoWjG3z

Malware Config

Targets

    • Target

      PO 29102 (1).exe

    • Size

      1.3MB

    • MD5

      23ae1bb4fdd3ec336cd3a041448b68b8

    • SHA1

      74d22f287a332b8285881b8e9693740eab912cbc

    • SHA256

      91566a26cf3aa1217ae7956e95f95dfe0621f398ef18f7f2950f555ee43fe796

    • SHA512

      be786ec30212be2d757d5d1e9458326ec8442459da510f523daa504f5ccc6a3ad23fb50005d139840f05128686827bc4d252705228444d2f2a643a04f0412fbe

    • SSDEEP

      24576:z2O/Gl3GAsjPqmgGjiPIhdWi7t74vDq4FN7g6zwzRQegxP24VE2:/9GmgFPcLg5k1t4O2

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Modifies visibility of hidden/system files in Explorer

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                               #   ID
Execution         Scripting                               1   T1064
Persistence       Hidden Files and Directories            1   T1158
Persistence       Registry Run Keys / Startup Folder      1   T1060
Defense Evasion   Hidden Files and Directories            1   T1158
Defense Evasion   Modify Registry                         2   T1112
Defense Evasion   Scripting                               1   T1064
Discovery         Query Registry                          1   T1012
Discovery         System Information Discovery            3   T1082
Collection        Email Collection                        1   T1114

Tasks