General

  • Target

    2a82d6dca9191d0256db3f5b1dd68860c7901699f5297cb22a3bbbe3c339029c

  • Size

    952KB

  • Sample

    221127-rgam3ach37

  • MD5

    d07010e606a7ce5c26a7e8fca6ede289

  • SHA1

    0301b1d31f291af8c9268dcfddb1a9b708fb5064

  • SHA256

    2a82d6dca9191d0256db3f5b1dd68860c7901699f5297cb22a3bbbe3c339029c

  • SHA512

    a91d72788a3e9468b59e3ae0326036962f0648be6602ab953d9e6b83cdffa9570c36b2fa79b46373805d88e4b2bb4bc2a4f08a42f23d1999cf575bcece945674

  • SSDEEP

    24576:IaaIERvwfrJlJjZ55EF2KdZ8shV4VTci/Vxv4Oa:baFBCljf2Dks/4Oitxvg

Malware Config

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Modifies WinLogon for persistence

    • Drops file in Drivers directory

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar account data.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting (T1064): 1

  • Persistence

    Winlogon Helper DLL (T1004): 1

  • Defense Evasion

    Modify Registry (T1112): 1

    Scripting (T1064): 1

  • Credential Access

    Credentials in Files (T1081): 2

  • Collection

    Data from Local System (T1005): 2

    Email Collection (T1114): 1
Tasks