hawkeye | 2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46 | Triage

Submit
Reports

Overview

overview

Static

static

2daabbbfe9...46.exe

windows7-x64

2daabbbfe9...46.exe

windows10-2004-x64

9

Sharing

General

Target

2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46
Size

576KB
Sample

221126-17s2rsch6s
MD5

4fbf3ef1ae2a1e7a4ac62217833fd135
SHA1

b1e95acd1d6c5ece5009aad16e200391f04e371b
SHA256

2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46
SHA512

becba007222b52fdb566697ad1ed39ba7bd0f1c6e755dada5a9b2acbe1dd87ef604d43cf07e5d5d1ffa223924a41c87f4c69eb56ed5bfa1e5c993bdd52a361a1
SSDEEP

12288:ekNCadTPVIIZKT4sqqdwGePz+4gXG5Y9Jb/tBLMNn/9IUTUwSBDuC:DpF2hT4jz+4oUY9JRBLCVfIHBy

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe

Resource

win7-20220812-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe

Resource

win10v2004-20221111-en

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46
- Size
  
  576KB
- MD5
  
  4fbf3ef1ae2a1e7a4ac62217833fd135
- SHA1
  
  b1e95acd1d6c5ece5009aad16e200391f04e371b
- SHA256
  
  2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46
- SHA512
  
  becba007222b52fdb566697ad1ed39ba7bd0f1c6e755dada5a9b2acbe1dd87ef604d43cf07e5d5d1ffa223924a41c87f4c69eb56ed5bfa1e5c993bdd52a361a1
- SSDEEP
  
  12288:ekNCadTPVIIZKT4sqqdwGePz+4gXG5Y9Jb/tBLMNn/9IUTUwSBDuC:DpF2hT4jz+4oUY9JRBLCVfIHBy
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy