Overview

overview

10

Static

static

e08e9c7d45...70.exe

windows7-x64

10

e08e9c7d45...70.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e08e9c7d4571cc271e0b364498260ff4655e381a34aa5bb76f73914e13fe9470

  • Size

    706KB

  • Sample

    221123-s4zq5sda74

  • MD5

    e94cbe2bdc40efd475a5d46dc96a3620

  • SHA1

    b7afdd1a29609fc0bc362650acbfd2ed703cc642

  • SHA256

    e08e9c7d4571cc271e0b364498260ff4655e381a34aa5bb76f73914e13fe9470

  • SHA512

    62eba886982781d2fa604de808b12ceadb79850ed323bddac88900b8d8d9c9da5ed658bc197accbb25e9631d5eb192a5e43e143dbca4e4f26acfa2e62f3b6059

  • SSDEEP

    12288:rLoWMMMMMMMMMMMMMMMMMMEMMMMMMMMMMMMMMMMMMAHMMMMMMMMMMMMMMMMMMeye:RMMMMMMMMMMMMMMMMMMEMMMMMMMMMMMR

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      e08e9c7d4571cc271e0b364498260ff4655e381a34aa5bb76f73914e13fe9470

    • Size

      706KB

    • MD5

      e94cbe2bdc40efd475a5d46dc96a3620

    • SHA1

      b7afdd1a29609fc0bc362650acbfd2ed703cc642

    • SHA256

      e08e9c7d4571cc271e0b364498260ff4655e381a34aa5bb76f73914e13fe9470

    • SHA512

      62eba886982781d2fa604de808b12ceadb79850ed323bddac88900b8d8d9c9da5ed658bc197accbb25e9631d5eb192a5e43e143dbca4e4f26acfa2e62f3b6059

    • SSDEEP

      12288:rLoWMMMMMMMMMMMMMMMMMMEMMMMMMMMMMMMMMMMMMAHMMMMMMMMMMMMMMMMMMeye:RMMMMMMMMMMMMMMMMMMEMMMMMMMMMMMR

    Score
    10/10
    hawkeyecollectionkeyloggerpersistencespywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks