hawkeye | 0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c

General

Target

0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe
Size

1.1MB
MD5

be77119e22610ed15c2c80807d895225
SHA1

c252c1dbe02adb8b327a319224e016181d023762
SHA256

0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c
SHA512

716ee6b8cace20ca686a7ab82c25236504c633b0bb274ca75f590d25f6506b6bb4d5c54f7b1f09635208b04062981369303070e236f1b6618b897c2e3162e192
SSDEEP

24576:52LTkXBwWja4SlukeeKL0xJaqT//aqT8E94Tf3C:ox6

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
7 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe

description	pid	process	target process
PID 2016 set thread context of 832	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 set thread context of 1132	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe

pid process

2016 0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe

pid	process
2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe
Token: SeDebugPrivilege	832	vbc.exe
Token: SeDebugPrivilege	1132	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe

pid process

2016 0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe

pid	process
2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe

description	pid	process	target process
PID 2016 wrote to memory of 832	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 832	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 832	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 832	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 832	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 832	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 832	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 832	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 832	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 832	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 1132	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 1132	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 1132	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 1132	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 1132	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 1132	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 1132	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 1132	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 1132	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe
PID 2016 wrote to memory of 1132	2016	0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe
"C:\Users\Admin\AppData\Local\Temp\0bae1f5243ee21062dd56285454a0862516d7f22d7f9f6bd798c24baf048ee5c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
329B

MD5
f8ddf0fe04f214d64c3e5094ed622858

SHA1
245a91a1c968c45820fbbb319c1bcfc98b01b04e

SHA256
f73d76c930aa76b78390a50ee72b9169c7064b9e1256de76ab9ffb43bca8f5d3

SHA512
e6385a3d47f8969f2079ae28a4e2753c2da60e37601ebd15049e21f1490e7a1ec760a3cc6c8b75a8049aa8a08735a9f24187d7ad13c6ac8d4a5510dc88718900

Download Submit
memory/832-71-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/832-73-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/832-66-0x0000000000462B6D-mapping.dmp

Download
memory/832-64-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/832-60-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/832-65-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/832-57-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/832-58-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/832-69-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/832-62-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1132-75-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1132-86-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1132-89-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1132-74-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1132-87-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1132-77-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1132-79-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1132-81-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1132-83-0x0000000000460E2D-mapping.dmp

Download
memory/1132-82-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2016-54-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/2016-56-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-55-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-70-0x00000000002A5000-0x00000000002B6000-memory.dmp

Filesize
68KB

Download
memory/2016-90-0x00000000002A5000-0x00000000002B6000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads