hawkeye | 9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a

General

Target

9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
Size

1.1MB
MD5

99203ece2279f8e4d612e96876981f2d
SHA1

b3e5bf7a0df685497b087684167ab6aa1d737247
SHA256

9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a
SHA512

5a119d8cbee31dc4767976d353dbb9eb77df1b7ca79b573927d1b6df4c4ba34d58308bc70eadf7236a63e338220eb765468fa11fa356508bccaa3ed967d30a27
SSDEEP

24576:6h/HaSBfArBcviIMS8s6cmVM6e5YW8xT7eps1:6VaSBcKIPs6xBQYW85X

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\4h7Ttr70cQqIqapT = "C:\\Users\\Admin\\AppData\\Roaming\\8rqOuyCGP40TM2CG\\f4Dgrs3ah1yX.exe"	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 whatismyipaddress.com
5 whatismyipaddress.com
6 whatismyipaddress.com

flow	ioc
3	whatismyipaddress.com
5	whatismyipaddress.com
6	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe

description	pid	process	target process
PID 1280 set thread context of 1992	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1992 set thread context of 1904	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 set thread context of 1988	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe

pid	process
1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
Token: SeDebugPrivilege	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
Token: SeDebugPrivilege	1904	vbc.exe
Token: SeDebugPrivilege	1988	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe

pid process

1992 9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe

pid	process
1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe

description	pid	process	target process
PID 1280 wrote to memory of 1772	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1280 wrote to memory of 1772	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1280 wrote to memory of 1772	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1280 wrote to memory of 1772	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1280 wrote to memory of 1992	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1280 wrote to memory of 1992	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1280 wrote to memory of 1992	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1280 wrote to memory of 1992	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1280 wrote to memory of 1992	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1280 wrote to memory of 1992	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1280 wrote to memory of 1992	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1280 wrote to memory of 1992	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1280 wrote to memory of 1992	1280	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
PID 1992 wrote to memory of 1904	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1904	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1904	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1904	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1904	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1904	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1904	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1904	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1904	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1904	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1988	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1988	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1988	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1988	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1988	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1988	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1988	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1988	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1988	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe
PID 1992 wrote to memory of 1988	1992	9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
"C:\Users\Admin\AppData\Local\Temp\9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
"C:\Users\Admin\AppData\Local\Temp\9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe"
2⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe
"C:\Users\Admin\AppData\Local\Temp\9507b6351c55f69c05b90d1f9aa91a976e3c5383866d991d8c0bf97682188a5a.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
329B

MD5
f8ddf0fe04f214d64c3e5094ed622858

SHA1
245a91a1c968c45820fbbb319c1bcfc98b01b04e

SHA256
f73d76c930aa76b78390a50ee72b9169c7064b9e1256de76ab9ffb43bca8f5d3

SHA512
e6385a3d47f8969f2079ae28a4e2753c2da60e37601ebd15049e21f1490e7a1ec760a3cc6c8b75a8049aa8a08735a9f24187d7ad13c6ac8d4a5510dc88718900

Download Submit
memory/1280-55-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-56-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1904-83-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1904-86-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1904-84-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1904-74-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1904-80-0x0000000000462B6D-mapping.dmp

Download
memory/1904-79-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1904-71-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1904-72-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1904-76-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1904-78-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1988-88-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1988-89-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1988-102-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1988-100-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1988-96-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1988-97-0x0000000000460E2D-mapping.dmp

Download
memory/1988-95-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1988-93-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1988-91-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1992-63-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1992-58-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1992-87-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-60-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1992-62-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1992-70-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-64-0x000000000051BB2E-mapping.dmp

Download
memory/1992-66-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1992-57-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1992-68-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads