hawkeye | 959feeeebd550bfb24e4d27f902d45d27e0994d444dcfb5c01a502a88280ab94 | Triage

Submit
Reports

Overview

overview

Static

static

Inquiry_pdf.scr

windows7-x64

Inquiry_pdf.scr

windows10-2004-x64

Sharing

General

Target

959feeeebd550bfb24e4d27f902d45d27e0994d444dcfb5c01a502a88280ab94
Size

389KB
Sample

221126-fqladagg6v
MD5

e59862d500278e1df9ef0e2d755a316b
SHA1

d65b57d7f31549f2eb2da0904e1c1631715eb37a
SHA256

959feeeebd550bfb24e4d27f902d45d27e0994d444dcfb5c01a502a88280ab94
SHA512

9ae25390da0cd4dff03a251f2db49b90a490510b1927e4fe2037f2a06b49fcc2bf3d5bcbfdd07c19dbdded85c58e1ecf45d7297623c23ccd464e1ea880fbd9f9
SSDEEP

12288:Z9tjIvSDwrhI/RBi7r85JTqdMddGvGY2EK9t:Z9ySDDRBi7eHdwvGOK9t

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Inquiry_pdf.scr

Resource

win7-20220901-en

collection persistence

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

Inquiry_pdf.scr

Resource

win10v2004-20220901-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
waterly123

Targets

- Target
  
  Inquiry_pdf.scr
- Size
  
  1005KB
- MD5
  
  d84eb15977825d460358b69daa264677
- SHA1
  
  9bddee35822552ba80d311445913b818f1857d0f
- SHA256
  
  549fb298edd559b7d7a06c185fb78daa65a15eb9d30a8886775a1a8827bdf625
- SHA512
  
  fd4c56a6d4961455d7ddf8cbe17fd872f23c9b8bd7abb1eaf3f914b92583ad25bf07b4e7a65b0c4466800b1d6c20f0981b50cca0121f71fe67a187e9d81feebd
- SSDEEP
  
  12288:nnAiyMZ8oPEVzTEnUycspBKugd7uDjde1sKcilllPqwHiZEIUbWSDz45ohOk0csk:nAdMZHDp6dge1sKgwHMExe53csPM
Score

10^/10

collection persistence hawkeye keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

collectionpersistence

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy