hawkeye | 85ed0f5758b61181cef6744d5898aa69d1b19d2adc4c0b16cbe9a5f028661f2a | Triage

Submit
Reports

Overview

overview

Static

static

85ed0f5758...2a.exe

windows7-x64

85ed0f5758...2a.exe

windows10-2004-x64

Sharing

General

Target

85ed0f5758b61181cef6744d5898aa69d1b19d2adc4c0b16cbe9a5f028661f2a
Size

517KB
Sample

221122-w5pt4sch48
MD5

726c6328f05df8367176576697520a6e
SHA1

621dd2c537baf3338a32a857a22699d5b179de4c
SHA256

85ed0f5758b61181cef6744d5898aa69d1b19d2adc4c0b16cbe9a5f028661f2a
SHA512

dc1ad846db17718db17d5a4b021606d2cf47ff9ad7b8cdc515c32810a30ff51501ddc574906bb31429a70edaa3b7940b0388cb317a06dcf92bf6109e9468a277
SSDEEP

12288:xeoLmHOgTEt6Vky/C50FsxPFuiFYcg8y:IiHTYVkya5vPF3E8

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

85ed0f5758b61181cef6744d5898aa69d1b19d2adc4c0b16cbe9a5f028661f2a.exe

Resource

win7-20220901-en

hawkeye collection keylogger spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

85ed0f5758b61181cef6744d5898aa69d1b19d2adc4c0b16cbe9a5f028661f2a.exe

Resource

win10v2004-20221111-en

hawkeye collection keylogger spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  85ed0f5758b61181cef6744d5898aa69d1b19d2adc4c0b16cbe9a5f028661f2a
- Size
  
  517KB
- MD5
  
  726c6328f05df8367176576697520a6e
- SHA1
  
  621dd2c537baf3338a32a857a22699d5b179de4c
- SHA256
  
  85ed0f5758b61181cef6744d5898aa69d1b19d2adc4c0b16cbe9a5f028661f2a
- SHA512
  
  dc1ad846db17718db17d5a4b021606d2cf47ff9ad7b8cdc515c32810a30ff51501ddc574906bb31429a70edaa3b7940b0388cb317a06dcf92bf6109e9468a277
- SSDEEP
  
  12288:xeoLmHOgTEt6Vky/C50FsxPFuiFYcg8y:IiHTYVkya5vPF3E8
Score

10^/10

hawkeye collection keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerspywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy