General

  • Target: 58dabfc1ce6887a4703d9fe73f8b55ca5c82bc6eaa90c308ca2b52f775eed536
  • Size: 384KB
  • Sample: 221123-lzszgacf98
  • MD5: 5b5d1a6d4a06d8baa1661f9bcb4e62d0
  • SHA1: 381c12d16b13773823d562b8c3f7d267bdf15fd9
  • SHA256: 58dabfc1ce6887a4703d9fe73f8b55ca5c82bc6eaa90c308ca2b52f775eed536
  • SHA512: b1f6fc36f5b69bad5488a2cffd8ae02fe22375fcd13abe5412c5c715145607bea82c85c979b90f0363ddc9bbfbf4116707f660a6553c11c25ead872c80b30f6e
  • SSDEEP: 6144:NlzF0G8Hjx0Ep4Mp0ZAE6bpabV4N0R8t6OSwNLUlfmT1SE2eKfQZnLC/K/W14g/I:NlzF0Gyx0Ep4e0qE6laK2R8t6fdtm5Mk

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: smtp.gmail.com
  • Port: 587
  • Username: [email protected]
  • Password: Pass126126@

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • NirSoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks