hawkeye | fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8 | Triage

Submit
Reports

Overview

overview

Static

static

fc1bf3ec89...f8.exe

windows7-x64

fc1bf3ec89...f8.exe

windows10-2004-x64

Sharing

General

Target

fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8
Size

985KB
Sample

221126-na5yvaag92
MD5

5d2da9b42ecb25a2ef75a3df61cce0f3
SHA1

ab1f675356123b518aea542d0b4d7535c490bf1a
SHA256

fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8
SHA512

5fa781eecd3715b53017989ce8c737d0e760e398631c5088290bbb163b376526ba2c9ea7940b38dbad1ea73f187468bf72369ee22ee48a5e20545c57532b1c41
SSDEEP

24576:7wZc+Mn5x6G+zuRrCtMRYMVi+1iJA3KaGco3SjA6f1Gvz4r:7X9f6G2uN6M8iwdsAm1q

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe

Resource

win7-20220901-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe

Resource

win10v2004-20220901-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8
- Size
  
  985KB
- MD5
  
  5d2da9b42ecb25a2ef75a3df61cce0f3
- SHA1
  
  ab1f675356123b518aea542d0b4d7535c490bf1a
- SHA256
  
  fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8
- SHA512
  
  5fa781eecd3715b53017989ce8c737d0e760e398631c5088290bbb163b376526ba2c9ea7940b38dbad1ea73f187468bf72369ee22ee48a5e20545c57532b1c41
- SSDEEP
  
  24576:7wZc+Mn5x6G+zuRrCtMRYMVi+1iJA3KaGco3SjA6f1Gvz4r:7X9f6G2uN6M8iwdsAm1q
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy