hawkeye | d6ff8416aacfd50b3b4c90136d745127d03434a591c56dc18e2fb341ef43243a | Triage

Submit
Reports

Overview

overview

Static

static

d6ff8416aa...3a.exe

windows7-x64

8

d6ff8416aa...3a.exe

windows10-2004-x64

Sharing

General

Target

d6ff8416aacfd50b3b4c90136d745127d03434a591c56dc18e2fb341ef43243a
Size

1.4MB
Sample

221127-mpcp6see4t
MD5

db6c17ea0f62f8899ba154ead5171c0c
SHA1

4908b50c88de84e66daef1900fcc1a06d9847283
SHA256

d6ff8416aacfd50b3b4c90136d745127d03434a591c56dc18e2fb341ef43243a
SHA512

bdf89e1de74ab59c22bd0756142216f4539782cb7febf99a0e0367935135b7de115a3199ab5fdc47b48e2426bf1f1256520d4c92795aac7b3acec028db492b80
SSDEEP

12288:/3MNPsHfoxY5JBNVQ6QL5fDgA1FsHFGjzSU7ucK0rxEwYN6u04XX4ZSBrOZzsmUb:gPkPvS3uGkQxEwYzTVFsfyU97GYxUkg

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

d6ff8416aacfd50b3b4c90136d745127d03434a591c56dc18e2fb341ef43243a.exe

Resource

win7-20220812-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

d6ff8416aacfd50b3b4c90136d745127d03434a591c56dc18e2fb341ef43243a.exe

Resource

win10v2004-20221111-en

hawkeye keylogger persistence spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  d6ff8416aacfd50b3b4c90136d745127d03434a591c56dc18e2fb341ef43243a
- Size
  
  1.4MB
- MD5
  
  db6c17ea0f62f8899ba154ead5171c0c
- SHA1
  
  4908b50c88de84e66daef1900fcc1a06d9847283
- SHA256
  
  d6ff8416aacfd50b3b4c90136d745127d03434a591c56dc18e2fb341ef43243a
- SHA512
  
  bdf89e1de74ab59c22bd0756142216f4539782cb7febf99a0e0367935135b7de115a3199ab5fdc47b48e2426bf1f1256520d4c92795aac7b3acec028db492b80
- SSDEEP
  
  12288:/3MNPsHfoxY5JBNVQ6QL5fDgA1FsHFGjzSU7ucK0rxEwYN6u04XX4ZSBrOZzsmUb:gPkPvS3uGkQxEwYzTVFsfyU97GYxUkg
Score

10^/10

persistence hawkeye keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

hawkeyekeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy