hawkeye | ffcab968f30e88d9b7ef76e5122624cdbda44e484b501f34f4f4be7fff25489b | Triage

Submit
Reports

Overview

overview

Static

static

ffcab968f3...9b.exe

windows7-x64

ffcab968f3...9b.exe

windows10-2004-x64

Sharing

General

Target

ffcab968f30e88d9b7ef76e5122624cdbda44e484b501f34f4f4be7fff25489b
Size

1.4MB
Sample

221126-ra3p9shc39
MD5

329fb1fd25cd861c44a4f4d17fadbceb
SHA1

a6e64e5d7cf00e3a83fdfa9b0cf3ed165ba0ab2a
SHA256

ffcab968f30e88d9b7ef76e5122624cdbda44e484b501f34f4f4be7fff25489b
SHA512

a12e4b6673c1607e05519d0fea1b5947791ab7c9a8dcf70307fd3041320970c81a6d9b965304302dbfba1d1ea96d1b33998520e5c76dd72d19c9301e94dd260c
SSDEEP

24576:/U6uhs8w/n3GcRjiSlb29hbhcw6B3V5cTXDCAtRa58muSK/:/ZuhzyWQb29hbWzViTXDLo8muSm

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

ffcab968f30e88d9b7ef76e5122624cdbda44e484b501f34f4f4be7fff25489b.exe

Resource

win7-20220812-en

hawkeye collection keylogger spyware stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

ffcab968f30e88d9b7ef76e5122624cdbda44e484b501f34f4f4be7fff25489b.exe

Resource

win10v2004-20220812-en

hawkeye collection keylogger spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  ffcab968f30e88d9b7ef76e5122624cdbda44e484b501f34f4f4be7fff25489b
- Size
  
  1.4MB
- MD5
  
  329fb1fd25cd861c44a4f4d17fadbceb
- SHA1
  
  a6e64e5d7cf00e3a83fdfa9b0cf3ed165ba0ab2a
- SHA256
  
  ffcab968f30e88d9b7ef76e5122624cdbda44e484b501f34f4f4be7fff25489b
- SHA512
  
  a12e4b6673c1607e05519d0fea1b5947791ab7c9a8dcf70307fd3041320970c81a6d9b965304302dbfba1d1ea96d1b33998520e5c76dd72d19c9301e94dd260c
- SSDEEP
  
  24576:/U6uhs8w/n3GcRjiSlb29hbhcw6B3V5cTXDCAtRa58muSK/:/ZuhzyWQb29hbWzViTXDLo8muSm
Score

10^/10

hawkeye collection keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerspywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy