hawkeye | d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107 | Triage

Submit
Reports

Overview

overview

Static

static

d9d28ca9c0...07.exe

windows7-x64

d9d28ca9c0...07.exe

windows10-2004-x64

9

Sharing

General

Target

d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107
Size

479KB
Sample

221123-s7wtnadc45
MD5

2df68ab29c946eeba1b06bf56f221d09
SHA1

2c00c9f6d0064fc681a65fa64b8cfe78695dce2d
SHA256

d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107
SHA512

0ef9e7fe97a2496e5464b34f9e60247a7a81c764bd21c5790257c592c36296a3dac06751262f28564237319efb49de6cc8d0c09731d4c387bbe0ec604854b51a
SSDEEP

12288:ULoNMMMMMMMMMMMMMMMMMMEMMMMMMMMMMMMMMMMMMAHMMMMMMMMMMMMMMMMMMeyB:RMMMMMMMMMMMMMMMMMMEMMMMMMMMMMMb

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe

Resource

win7-20221111-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe

Resource

win10v2004-20221111-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Targets

- Target
  
  d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107
- Size
  
  479KB
- MD5
  
  2df68ab29c946eeba1b06bf56f221d09
- SHA1
  
  2c00c9f6d0064fc681a65fa64b8cfe78695dce2d
- SHA256
  
  d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107
- SHA512
  
  0ef9e7fe97a2496e5464b34f9e60247a7a81c764bd21c5790257c592c36296a3dac06751262f28564237319efb49de6cc8d0c09731d4c387bbe0ec604854b51a
- SSDEEP
  
  12288:ULoNMMMMMMMMMMMMMMMMMMEMMMMMMMMMMMMMMMMMMAHMMMMMMMMMMMMMMMMMMeyB:RMMMMMMMMMMMMMMMMMMEMMMMMMMMMMMb
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy