hawkeye | d0dad8f66c443a86d9c863941d10166c0d512bc59f093eb3dd99ece3fc8aff4b | Triage

Submit
Reports

Overview

overview

Static

static

5

d0dad8f66c...4b.exe

windows7-x64

d0dad8f66c...4b.exe

windows10-2004-x64

Sharing

General

Target

d0dad8f66c443a86d9c863941d10166c0d512bc59f093eb3dd99ece3fc8aff4b
Size

2.1MB
Sample

221126-nnfwwabd46
MD5

3fdd44fca6e5b994734a575c7b7e5069
SHA1

2c6ff085c796a87b321696ce4192b9506e93b611
SHA256

d0dad8f66c443a86d9c863941d10166c0d512bc59f093eb3dd99ece3fc8aff4b
SHA512

ec96c9cedd99624d0c054494c916da1f228a3259dc3fde6e60b28d5d38a57769f5043ae8a94b5a4aacfabd2beae3e77beb828d837413a1bc51eaeaaadb953e04
SSDEEP

49152:kkwkn9IMHeaKP6vC4CS1oR72/nbI9pveshwaPCS:PdnVPCOe4bapvh1PC

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

d0dad8f66c443a86d9c863941d10166c0d512bc59f093eb3dd99ece3fc8aff4b.exe

Resource

win7-20221111-en

hawkeye collection keylogger spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

d0dad8f66c443a86d9c863941d10166c0d512bc59f093eb3dd99ece3fc8aff4b.exe

Resource

win10v2004-20220901-en

hawkeye collection keylogger spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  d0dad8f66c443a86d9c863941d10166c0d512bc59f093eb3dd99ece3fc8aff4b
- Size
  
  2.1MB
- MD5
  
  3fdd44fca6e5b994734a575c7b7e5069
- SHA1
  
  2c6ff085c796a87b321696ce4192b9506e93b611
- SHA256
  
  d0dad8f66c443a86d9c863941d10166c0d512bc59f093eb3dd99ece3fc8aff4b
- SHA512
  
  ec96c9cedd99624d0c054494c916da1f228a3259dc3fde6e60b28d5d38a57769f5043ae8a94b5a4aacfabd2beae3e77beb828d837413a1bc51eaeaaadb953e04
- SSDEEP
  
  49152:kkwkn9IMHeaKP6vC4CS1oR72/nbI9pveshwaPCS:PdnVPCOe4bapvh1PC
Score

10^/10

hawkeye collection keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerspywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy