General

  • Target

    9a53fefa798c0d51e309fe0ceeba84d52f4481e3234cadc18df73a547c0e2d49

  • Size

    1.6MB

  • Sample

    221126-szw5fsea22

  • MD5

    7920294040c481e979653aa3b0184df8

  • SHA1

    6f8ffd5416fe9d40b7afcab95a382d202e367044

  • SHA256

    9a53fefa798c0d51e309fe0ceeba84d52f4481e3234cadc18df73a547c0e2d49

  • SHA512

    f1a450f9b167909263bb329f7245af981c977f01f410e6e154c3ad1b4c5db455039ba23f6a01050841f3e845c057f6d9b26bff2cdcb8364becdc837d998634dd

  • SSDEEP

    49152:ZUdM+MZVtNmqtmr29Sl67GkmdfTeWFbni92VKk7iDIZE:CdmNvt829K2Kf3eDj

Malware Config

Targets

    • Target

      9a53fefa798c0d51e309fe0ceeba84d52f4481e3234cadc18df73a547c0e2d49

    • Size

      1.6MB

    • MD5

      7920294040c481e979653aa3b0184df8

    • SHA1

      6f8ffd5416fe9d40b7afcab95a382d202e367044

    • SHA256

      9a53fefa798c0d51e309fe0ceeba84d52f4481e3234cadc18df73a547c0e2d49

    • SHA512

      f1a450f9b167909263bb329f7245af981c977f01f410e6e154c3ad1b4c5db455039ba23f6a01050841f3e845c057f6d9b26bff2cdcb8364becdc837d998634dd

    • SSDEEP

      49152:ZUdM+MZVtNmqtmr29Sl67GkmdfTeWFbni92VKk7iDIZE:CdmNvt829K2Kf3eDj

    • HawkEye

      HawkEye is a commodity keylogger and credential-stealing kit that has been sold and continuously developed since at least 2013.

    • Executes dropped EXE

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence execution (run only, or never, in particular regions).

    • Deletes itself

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target the stored data of messaging applications, which can include saved credentials, account information and contact lists.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill entries.

    • Uses the VBS compiler for execution

      The legitimate .NET Visual Basic compiler (vbc.exe) is started by the sample. On its own this is not malicious; read together with the SetThreadContext signature below it is consistent with the payload running inside a trusted, signed Microsoft binary rather than under its own file name.
    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address, typically to report it alongside stolen data.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments (for example a single small system volume and no removable or network drives).

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread that belongs to another process is the final step of process hollowing: the malware starts a process suspended, overwrites its memory with the payload, points the thread's instruction pointer at the new entry point, then resumes it.
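
The behavioural signatures above are the kind of checks a sandbox applies to an event stream. The following is an added example written for this page, not the report's own signature engine: it re-implements a handful of the listed signatures as small functions over a constructed, simplified list of sandbox events. The event layout, the registry paths (Geo\Nation, the HKCU Run key, MountedDevices) and the IP lookup host names are assumptions made for the example; the report does not state which keys or hosts this particular sample touched.

```python
"""Added example: evaluate sandbox-style behavioural signatures over events.
Illustrative code for this page, not Tria.ge/Hatching's engine."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Event:
    """One sandbox event. This field layout is an assumption for the example."""
    pid: int        # process that performed the action
    kind: str       # "registry" | "file" | "process" | "network" | "api"
    target: str     # registry path, file path, host name, or API name
    detail: str = ""  # "read"/"write"/"create", or "target_pid=N" for api events


# Well-known locations assumed by the checks below (not taken from the report).
GEO_KEY = r"HKCU\Control Panel\International\Geo\Nation"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MOUNTED_DEVICES = r"HKLM\SYSTEM\MountedDevices"
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com"}


def _reg(events, prefix, op):
    """Registry events with the given operation under a case-insensitive key prefix."""
    p = prefix.lower()
    return [e for e in events if e.kind == "registry" and e.detail == op
            and e.target.lower().startswith(p)]


def sig_checks_location(events):
    return bool(_reg(events, GEO_KEY, "read"))


def sig_adds_run_key(events):
    return bool(_reg(events, RUN_KEY + "\\", "write"))


def sig_maps_drives(events):
    return bool(_reg(events, MOUNTED_DEVICES, "read"))


def sig_external_ip(events):
    return any(e.kind == "network" and e.target.lower() in IP_LOOKUP_HOSTS for e in events)


def sig_executes_dropped_exe(events):
    """A file the sample wrote is later started as a process."""
    dropped = {e.target.lower() for e in events if e.kind == "file" and e.detail == "write"}
    return any(e.kind == "process" and e.target.lower() in dropped for e in events)


def _target_pid(e):
    """Parse 'target_pid=N' from an api event; None when absent."""
    if e.detail.startswith("target_pid="):
        return int(e.detail.split("=", 1)[1])
    return None


def sig_setthreadcontext(events):
    """SetThreadContext on another process after WriteProcessMemory into it:
    the process-hollowing sequence. A call on the caller's own pid is ignored."""
    written = set()
    for e in events:
        if e.kind != "api":
            continue
        tp = _target_pid(e)
        if tp is None or tp == e.pid:
            continue
        if e.target == "WriteProcessMemory":
            written.add((e.pid, tp))
        elif e.target == "SetThreadContext" and (e.pid, tp) in written:
            return True
    return False


SIGNATURES = {
    "Checks computer location settings": sig_checks_location,
    "Adds Run key to start application": sig_adds_run_key,
    "Maps connected drives based on registry": sig_maps_drives,
    "Looks up external IP address via web service": sig_external_ip,
    "Executes dropped EXE": sig_executes_dropped_exe,
    "Suspicious use of SetThreadContext": sig_setthreadcontext,
}


def evaluate(events: Iterable[Event]) -> dict:
    """Return {signature name: hit?} for the given event stream."""
    events = list(events)
    return {name: fn(events) for name, fn in SIGNATURES.items()}


# Constructed sample event stream resembling the behaviour listed in the report.
SAMPLE_EVENTS = [
    Event(1000, "registry", GEO_KEY, "read"),
    Event(1000, "file", r"C:\Users\Public\svc.exe", "write"),
    Event(1000, "process", r"C:\Users\Public\svc.exe", "create"),
    Event(1000, "registry", RUN_KEY + r"\svc", "write"),
    Event(2000, "network", "api.ipify.org", "GET /"),
    Event(2000, "registry", MOUNTED_DEVICES, "read"),
    Event(2000, "api", "WriteProcessMemory", "target_pid=2100"),
    Event(2000, "api", "SetThreadContext", "target_pid=2100"),
]

# Constructed benign stream: nothing above should fire.
BENIGN_EVENTS = [
    Event(3000, "registry", r"HKCU\Software\ExampleApp\Settings", "read"),
    Event(3000, "api", "SetThreadContext", "target_pid=3000"),
]

if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"[{'x' if hit else ' '}] {name}")
```

The SetThreadContext check deliberately requires a preceding WriteProcessMemory into the same foreign process, because debuggers and some legitimate runtimes call SetThreadContext on their own threads; that ordering is what makes the use suspicious rather than merely present.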

MITRE ATT&CK Enterprise v6

Tasks