hawkeye

General

Target

9aee51de62ef42e5f88cacc1dc9da30a89ea8467a4aa8ae9204161c621372409
Size

908KB
Sample

221126-slh1nsfh71
MD5

3d14fe9cd042dcb6caa9015bc1582b56
SHA1

279aa89bfd75611fb0d1e00b2f7487e21098fa86
SHA256

9aee51de62ef42e5f88cacc1dc9da30a89ea8467a4aa8ae9204161c621372409
SHA512

eeb7c9ac29774117bcce572a90f6ffb4d7e602fa99d049af0c844847613a54f000a2e8e67e46e2ab1b654bbbb575295765bc899ea8d25551d841af659c8ccd1b
SSDEEP

12288:ko8b3FDMm5Sm51z1xHQYhsmr2TCXdyQHO5sD2o6P4x6GhKgufkDRCOvRv+SE3PEF:Sb1l5BdQ604uyDuPGhofLOvJVF

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
waterly123

Targets

- Target
  
  9aee51de62ef42e5f88cacc1dc9da30a89ea8467a4aa8ae9204161c621372409
- Size
  
  908KB
- MD5
  
  3d14fe9cd042dcb6caa9015bc1582b56
- SHA1
  
  279aa89bfd75611fb0d1e00b2f7487e21098fa86
- SHA256
  
  9aee51de62ef42e5f88cacc1dc9da30a89ea8467a4aa8ae9204161c621372409
- SHA512
  
  eeb7c9ac29774117bcce572a90f6ffb4d7e602fa99d049af0c844847613a54f000a2e8e67e46e2ab1b654bbbb575295765bc899ea8d25551d841af659c8ccd1b
- SSDEEP
  
  12288:ko8b3FDMm5Sm51z1xHQYhsmr2TCXdyQHO5sD2o6P4x6GhKgufkDRCOvRv+SE3PEF:Sb1l5BdQ604uyDuPGhofLOvJVF
Score

10^/10

hawkeye collection keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2