Extracted

• • Target

    3f572899a22d1111e4169fe2c55f5817a7b1a9e138614e97e9334d809fef334e

  • Size

    1.4MB

  • MD5

    e30c81f42a72512d32754e595e80e942

  • SHA1

    fe665ba908128e59957ff756a6a7984a0f71b2c6

  • SHA256

    3f572899a22d1111e4169fe2c55f5817a7b1a9e138614e97e9334d809fef334e

  • SHA512

    d5c1c0937ddcea859c4b4fbc4ebdc1c8f8c04f1a49b2082e0968dc6b019d87bae88679983f1322a0fa4db15c1efa853a97375c2e175dfbced240cea89f71f8ff

  • SSDEEP

    24576:j0AZbveE+KiB7+AwKeAm8J7X32A66MisH+98OqoYaejLs13doYg7:vbveE+tyAwBAm8RXale980sjLMA7

  Score

  10^/10

  persistencespywarestealerhawkeyekeyloggertrojan

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • Modifies WinLogon for persistence

    persistence

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Uses the VBS compiler for execution

  • Drops desktop.ini file(s)

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2