hawkeye | bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572

General

Target

bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
Size

569KB
MD5

b0f7f0bd69666af96433c0b100f67b17
SHA1

ab015d53a0ce8fc6f37e20cdf5a7c11d7e2ec76c
SHA256

bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572
SHA512

d47cb20326ac79d05e60b7becdcc9783f03114923dba0b2c2ea3ad24d2cc6ce3b5de473fc60aa1a107188737cad1c76984921679003af87293647d916f579d7b
SSDEEP

12288:FScfcv7ZcVDtUa2fARjhil2JB8PblP4EccL/MBC7zvnpkx7PmG:FScEv7mxUa22ikJyD5cUkB

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 whatismyipaddress.com
36 whatismyipaddress.com

flow	ioc
32	whatismyipaddress.com
36	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exebf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe

description	pid	process	target process
PID 4564 set thread context of 1860	4564	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
PID 1860 set thread context of 3524	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 set thread context of 2736	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe

pid process

1860 bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe

pid	process
1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exebf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4564	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
Token: SeDebugPrivilege	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
Token: SeDebugPrivilege	3524	vbc.exe
Token: SeDebugPrivilege	2736	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe

pid process

1860 bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe

pid	process
1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exebf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe

description	pid	process	target process
PID 4564 wrote to memory of 1860	4564	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
PID 4564 wrote to memory of 1860	4564	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
PID 4564 wrote to memory of 1860	4564	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
PID 4564 wrote to memory of 1860	4564	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
PID 4564 wrote to memory of 1860	4564	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
PID 4564 wrote to memory of 1860	4564	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
PID 4564 wrote to memory of 1860	4564	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
PID 4564 wrote to memory of 1860	4564	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
PID 1860 wrote to memory of 3524	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 3524	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 3524	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 3524	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 3524	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 3524	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 3524	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 3524	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 3524	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 2736	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 2736	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 2736	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 2736	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 2736	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 2736	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 2736	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 2736	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe
PID 1860 wrote to memory of 2736	1860	bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
"C:\Users\Admin\AppData\Local\Temp\bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe
  "C:\Users\Admin\AppData\Local\Temp\bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    - Suspicious use of AdjustPrivilegeToken
    PID:3524
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bf42f4199d400de133a68ed59648cdbaa1a95777e93735ae723ebf027080f572.exe.log

Filesize
588B

MD5
030ca9c99b1511daba5894ca7e2d392a

SHA1
eb86a73fff62c2537e1fe5ddc6067fbf6ca18930

SHA256
8c12b805c76ea34ed79a2304c051e282a8edab97ad1e39f59408630308b28dbd

SHA512
348285069645d6410f6c251dee8c629400003389cc73754bf0f38637b5b0e91f4f71e2b0d763dd77e0fe3c028afb7d2e5e437a8d5037a343cc6386bd60d394b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
271B

MD5
a18df529a77ed1fbd887400151b9728f

SHA1
74912cb5e97566749ccae5f70e52ee87cb4dfa07

SHA256
599ceb2fab753551e7b27340cd3a9d2eb44a887dfb178d1c05015159bb352eb3

SHA512
a446e30992bc63b53952982e06069555e9b65eb25274495470d4410a04bcc9aeaa96b95300fc89512181e0614abf279f439b52f32ffc6ffb3034230c97aa08b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
327B

MD5
e4f3273432f9167e5f8bd2048206773d

SHA1
139b6566c6f8c6a359dd7e6063f88be24f701c8d

SHA256
b620b529c43ed1dab8db9c63b402958e1a0b65c9110029b92ac8ae2c21c0acb2

SHA512
e1bf722b627cd5f1e1678549d51f9556a1d31c8e5f47dfbe343c81aef7bac279ca2b062751666d650b2c196785a84b0d2edca09d1a04b829f4ae869e513e6941

Download Submit
memory/1860-145-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/1860-134-0x0000000000000000-mapping.dmp

Download
memory/1860-135-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1860-138-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/2736-151-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-149-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-148-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-147-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-146-0x0000000000000000-mapping.dmp

Download
memory/3524-141-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3524-144-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3524-142-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3524-140-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3524-139-0x0000000000000000-mapping.dmp

Download
memory/4564-132-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4564-137-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4564-133-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads