hawkeye | 3857aff7641664e134111eb7e2f373ccc2824d5be5f614b0a2992646b87e6560 | Triage

Submit
Reports

Overview

overview

Static

static

3857aff764...60.exe

windows7-x64

3857aff764...60.exe

windows10-2004-x64

Sharing

General

Target

3857aff7641664e134111eb7e2f373ccc2824d5be5f614b0a2992646b87e6560
Size

1.1MB
Sample

221122-xpx18adg35
MD5

c311711a2b54c663916925c8d1171881
SHA1

946d5729d2fa83a4f2f56f29d1f2271dd2cf34af
SHA256

3857aff7641664e134111eb7e2f373ccc2824d5be5f614b0a2992646b87e6560
SHA512

64bbed820440494ae76a63f8517c8781b6903100e3c41b253dbd276dd90ae6371db4626a7aa78ff76efe9f78a76a903677e14f14ba13c2cf329d8217c09502c7
SSDEEP

24576:L72nfRhfpJo+WdC6OJilSdh1l6NYZMeL/3C5essn17hiUMJ:vkJhxJmc64WSn1lvZtbC53sn1liUM

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

3857aff7641664e134111eb7e2f373ccc2824d5be5f614b0a2992646b87e6560.exe

Resource

win7-20220812-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

3857aff7641664e134111eb7e2f373ccc2824d5be5f614b0a2992646b87e6560.exe

Resource

win10v2004-20220812-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  3857aff7641664e134111eb7e2f373ccc2824d5be5f614b0a2992646b87e6560
- Size
  
  1.1MB
- MD5
  
  c311711a2b54c663916925c8d1171881
- SHA1
  
  946d5729d2fa83a4f2f56f29d1f2271dd2cf34af
- SHA256
  
  3857aff7641664e134111eb7e2f373ccc2824d5be5f614b0a2992646b87e6560
- SHA512
  
  64bbed820440494ae76a63f8517c8781b6903100e3c41b253dbd276dd90ae6371db4626a7aa78ff76efe9f78a76a903677e14f14ba13c2cf329d8217c09502c7
- SSDEEP
  
  24576:L72nfRhfpJo+WdC6OJilSdh1l6NYZMeL/3C5essn17hiUMJ:vkJhxJmc64WSn1lvZtbC53sn1liUM
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Modifies WinLogon for persistence
  persistence
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy