hawkeye | 023ed4c6a3c1e447ab1e9dcb77e3f92fcf1d301807dc50d8b99c9c0d1f5fe75c | Triage

Submit
Reports

Overview

overview

Static

static

023ed4c6a3...5c.exe

windows7-x64

023ed4c6a3...5c.exe

windows10-2004-x64

Sharing

General

Target

023ed4c6a3c1e447ab1e9dcb77e3f92fcf1d301807dc50d8b99c9c0d1f5fe75c
Size

578KB
Sample

221123-sgegpaec61
MD5

b2bc5759658ec717ac220e2c5bc46304
SHA1

c1b00f497f43119b05eee945dc103f07771c239f
SHA256

023ed4c6a3c1e447ab1e9dcb77e3f92fcf1d301807dc50d8b99c9c0d1f5fe75c
SHA512

00fc98a05ff560e39284c5698e390417a143abebfe798347b926f9c265e210ead3d54c7bbf5296c39bbd23bf066c367fadb53380783d12c395f00d25c4d78210
SSDEEP

12288:rojqg62FocmT9OVifV6klMS55Fs9cx6WOldvwrAADA8a:8e8mSiU+F5W9cROlWAADA

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

023ed4c6a3c1e447ab1e9dcb77e3f92fcf1d301807dc50d8b99c9c0d1f5fe75c.exe

Resource

win7-20221111-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

023ed4c6a3c1e447ab1e9dcb77e3f92fcf1d301807dc50d8b99c9c0d1f5fe75c.exe

Resource

win10v2004-20220812-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  023ed4c6a3c1e447ab1e9dcb77e3f92fcf1d301807dc50d8b99c9c0d1f5fe75c
- Size
  
  578KB
- MD5
  
  b2bc5759658ec717ac220e2c5bc46304
- SHA1
  
  c1b00f497f43119b05eee945dc103f07771c239f
- SHA256
  
  023ed4c6a3c1e447ab1e9dcb77e3f92fcf1d301807dc50d8b99c9c0d1f5fe75c
- SHA512
  
  00fc98a05ff560e39284c5698e390417a143abebfe798347b926f9c265e210ead3d54c7bbf5296c39bbd23bf066c367fadb53380783d12c395f00d25c4d78210
- SSDEEP
  
  12288:rojqg62FocmT9OVifV6klMS55Fs9cx6WOldvwrAADA8a:8e8mSiU+F5W9cROlWAADA
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy