hawkeye

General

Target

payloads.7z
Size

4.3MB
Sample

221124-1lfvbaee4w
MD5

15cf3b0e76984199b371021d5b858200
SHA1

e4c37862729be6cd4cbe93df690fa94a8196416d
SHA256

f10ff26e4882c7eab600b372b29278374cda555f4da20b93d8d600a3222a59e2
SHA512

a81310823cfbf3e199a6b0b792c2f1092ead599f5c19193eadadfa6875471284c86c185a393f826fe330df4445d2a1e87c7f660e097847061c59dcb95e462fd9
SSDEEP

98304:TY73WCRyTcj5K0PzxUlI4LzonQZn3VYjzKF4TXCrwmbxMZ+m:FCRDjoQzw06nlGY8CMmbxMJ

Score

10^/10

Malware Config

Targets

- Target
  
  payload.exe.exe
- Size
  
  502KB
- MD5
  
  becb2f014c1cbebcad2e3b8388ce3040
- SHA1
  
  96eda53b2dce7058189589d79cdcc0c359de73b8
- SHA256
  
  db92de179132a3a9b1172d9cbb40f0720d8a24a1af416c77f15ffa44498ccf44
- SHA512
  
  a7201a2ff3a39d0cf47980454ddfa71572dc44ea454a1ad5280058eaeb9610194a710da127f6e5b02637f0a478106bf0c2d761d280ad59854e73ccfec6a00b27
- SSDEEP
  
  6144:rbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9zHj:rQtqB5urTIoYWBQk1E+VF9mOx9P
Score

6^/10
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  payload.exe_protected.exe
- Size
  
  4.1MB
- MD5
  
  6b09bdd2536034fd92a6566125d06395
- SHA1
  
  6f72dac783433b63d7cdac4897748052b24ce73d
- SHA256
  
  61eaf05d36fd2b921f67d4154dc4c7ef573572015a1b0aff1936a99644c2245d
- SHA512
  
  9925d988b9d9e066123ac86a33c57d6e1a41e412933aecb3a290c6f4f968b22956e1423fc8129799411e5a835ea5002c9458214d16c9af8924d809ec79a59186
- SSDEEP
  
  98304:Eff7JW0H4T0GbQ7wVUUOzR9qq5YaFgQacIQJaRDW8RG:OfL4T0Gb9U3NPhFgpcxJ8DO
Score

10^/10

hawkeye collection evasion keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral2