hawkeye | 8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39

General

Target

8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe
Size

564KB
MD5

a8dda1192aaac2da127a99b1e3600f25
SHA1

6e34212ef48f09ff0db836aab80c353f32feb9b4
SHA256

8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39
SHA512

a2b20a46530b936dee7b6ff212f6025d2b56e48cc98ac46e31a655697ff9c45795b6556cb12cc0d6bf91d3623d1a6e76617b4d09c13c9c5da9305e0142e50d38
SSDEEP

12288:qSuqIz05wqquggrepn7rNezSOesRS6BRJvbd:qNz07CRrKSAbPb

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
Waynerossi

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 11 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1692-59-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1692-60-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1692-61-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1692-62-0x000000000047EA3E-mapping.dmp	MailPassView
behavioral1/memory/1692-64-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1692-66-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1980-73-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1980-74-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1980-77-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1980-79-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1980-86-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 11 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1692-59-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1692-60-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1692-61-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1692-62-0x000000000047EA3E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1692-64-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1692-66-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1744-80-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1744-81-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/1744-84-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1744-85-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1744-89-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1692-59-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1692-60-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1692-61-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1692-62-0x000000000047EA3E-mapping.dmp	Nirsoft
behavioral1/memory/1692-64-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1692-66-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1980-73-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1980-74-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1980-77-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1980-79-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1744-80-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1744-81-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/1744-84-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1744-85-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1980-86-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1744-89-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h1Vb72t6.lnk	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe

Loads dropped DLL 1 IoCs

Processes:

8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe

pid process

1784 8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 whatismyipaddress.com
4 whatismyipaddress.com
6 whatismyipaddress.com

flow	ioc
7	whatismyipaddress.com
4	whatismyipaddress.com
6	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exeRegAsm.exe

description	pid	process	target process
PID 1784 set thread context of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1692 set thread context of 1980	1692	RegAsm.exe	vbc.exe
PID 1692 set thread context of 1744	1692	RegAsm.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exeRegAsm.exe

description	pid	process	target process
PID 1784 wrote to memory of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1784 wrote to memory of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1784 wrote to memory of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1784 wrote to memory of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1784 wrote to memory of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1784 wrote to memory of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1784 wrote to memory of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1784 wrote to memory of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1784 wrote to memory of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1784 wrote to memory of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1784 wrote to memory of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1784 wrote to memory of 1692	1784	8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe	RegAsm.exe
PID 1692 wrote to memory of 1980	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1980	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1980	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1980	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1980	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1980	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1980	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1980	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1980	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1980	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1744	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1744	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1744	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1744	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1744	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1744	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1744	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1744	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1744	1692	RegAsm.exe	vbc.exe
PID 1692 wrote to memory of 1744	1692	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe
"C:\Users\Admin\AppData\Local\Temp\8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:1980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Roaming\PSILlzC\WwXBSrQ.exe
Filesize
564KB

MD5
a8dda1192aaac2da127a99b1e3600f25

SHA1
6e34212ef48f09ff0db836aab80c353f32feb9b4

SHA256
8c68528327f35ac8786011785f9903a610b7b9f031d3087067fca490d1abdb39

SHA512
a2b20a46530b936dee7b6ff212f6025d2b56e48cc98ac46e31a655697ff9c45795b6556cb12cc0d6bf91d3623d1a6e76617b4d09c13c9c5da9305e0142e50d38

Download Submit
memory/1692-72-0x0000000074F40000-0x00000000754EB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-59-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1692-87-0x0000000000516000-0x0000000000527000-memory.dmp

Filesize
68KB

Download
memory/1692-78-0x0000000000516000-0x0000000000527000-memory.dmp

Filesize
68KB

Download
memory/1692-61-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1692-62-0x000000000047EA3E-mapping.dmp

Download
memory/1692-64-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1692-66-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1692-60-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1692-56-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1692-57-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1692-71-0x0000000074F40000-0x00000000754EB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-85-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1744-84-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1744-89-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1744-80-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1744-81-0x0000000000442628-mapping.dmp

Download
memory/1784-55-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-70-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-67-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1980-74-0x0000000000411654-mapping.dmp

Download
memory/1980-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1980-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1980-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1980-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads