hawkeye | 996dd7e35b8a1acd681cb2101beb65f0676799c048bb469f93e5f1abd9c8c901 | Triage

Submit
Reports

Overview

overview

Static

static

996dd7e35b...01.exe

windows7-x64

996dd7e35b...01.exe

windows10-2004-x64

Sharing

General

Target

996dd7e35b8a1acd681cb2101beb65f0676799c048bb469f93e5f1abd9c8c901
Size

1.0MB
Sample

221122-wzw18sgb8t
MD5

1367d317c7569e8610dadd879ed6d131
SHA1

73efe3369bf3298e932f802e98a7f3edbd90b1d9
SHA256

996dd7e35b8a1acd681cb2101beb65f0676799c048bb469f93e5f1abd9c8c901
SHA512

0386caae0ff44d44c704839889ecc4c5bf948af9e290eb91cd0ac2d80408ef43ce73fe1dca928f9da662bc8b6e81ba3999002c71641c0a61530648cb5511939b
SSDEEP

12288:f2eZH+NwioJbAAmL+rhiT+ww66BWP5P7bqtzPhrW2agFmlEJuY7lTzzE5xV9hkKV:+ciYJLIObPZIPbezyfh

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

996dd7e35b8a1acd681cb2101beb65f0676799c048bb469f93e5f1abd9c8c901.exe

Resource

win7-20220812-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

996dd7e35b8a1acd681cb2101beb65f0676799c048bb469f93e5f1abd9c8c901.exe

Resource

win10v2004-20221111-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.spytector.com
Port:
21
Username:
[email protected]
Password:
409d125

Targets

- Target
  
  996dd7e35b8a1acd681cb2101beb65f0676799c048bb469f93e5f1abd9c8c901
- Size
  
  1.0MB
- MD5
  
  1367d317c7569e8610dadd879ed6d131
- SHA1
  
  73efe3369bf3298e932f802e98a7f3edbd90b1d9
- SHA256
  
  996dd7e35b8a1acd681cb2101beb65f0676799c048bb469f93e5f1abd9c8c901
- SHA512
  
  0386caae0ff44d44c704839889ecc4c5bf948af9e290eb91cd0ac2d80408ef43ce73fe1dca928f9da662bc8b6e81ba3999002c71641c0a61530648cb5511939b
- SSDEEP
  
  12288:f2eZH+NwioJbAAmL+rhiT+ww66BWP5P7bqtzPhrW2agFmlEJuY7lTzzE5xV9hkKV:+ciYJLIObPZIPbezyfh
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy