General

  • Target

    0b9fcc27fb4624fd7d1dfb234c2abf4994d1468b981b41e59d90723e5c77629c

  • Size

    683KB

  • Sample

    221123-sdf64sea8t

  • MD5

    e4624bffc68c667d66a9667bf43edc6a

  • SHA1

    5852c8588730cbaf7bf796fab14226d13d6f821e

  • SHA256

    0b9fcc27fb4624fd7d1dfb234c2abf4994d1468b981b41e59d90723e5c77629c

  • SHA512

    36a042b6e3f332c86d33d9e4da4cf62f26feec08e2ddbb2296173e1f2d97aafc5824c570527a3ac5c02d5584bb3383e215200b7c22e459180fb364d184937387

  • SSDEEP

    12288:au49EY7AmXkI10zsbyt5x+LE0QzaaGvm2V82FQpzBhSD8sBF4tvVOpq:aN2YwIsx+LFauV8TzBhSQsBF4tNOE

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ncalginzyytkaawa

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks