hawkeye | 89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

89a1bd1357...68.exe

windows7-x64

89a1bd1357...68.exe

windows10-2004-x64

Sharing

General

Target

89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268
Size

588KB
Sample

221127-szyy2scf2s
MD5

55062296cd82f3b8b5805a06dcb32cf6
SHA1

7c1614ca008dd7f04e6f93ef0daf1379f424af98
SHA256

89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268
SHA512

77829cc9ebe22e91cbba845d57e6c66e0f1cfad2840593a14f09bb4e649fefa7faad07053e264a2e74645d5a929449072e7dc01de9daaaa3b91c19455577b26a
SSDEEP

12288:WpR3kwv7SDitmQJLzpiCdcoW50pvYH9HKQ2TTqwmUyL8DSXzNOY4sxN514:JDktiGWmRYhKbTTLUjfr4

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe

Resource

win7-20220812-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe

Resource

win10v2004-20220812-en

hawkeye keylogger spyware stealer trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268
- Size
  
  588KB
- MD5
  
  55062296cd82f3b8b5805a06dcb32cf6
- SHA1
  
  7c1614ca008dd7f04e6f93ef0daf1379f424af98
- SHA256
  
  89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268
- SHA512
  
  77829cc9ebe22e91cbba845d57e6c66e0f1cfad2840593a14f09bb4e649fefa7faad07053e264a2e74645d5a929449072e7dc01de9daaaa3b91c19455577b26a
- SSDEEP
  
  12288:WpR3kwv7SDitmQJLzpiCdcoW50pvYH9HKQ2TTqwmUyL8DSXzNOY4sxN514:JDktiGWmRYhKbTTLUjfr4
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyekeyloggerspywarestealertrojan

© 2018-2025

Terms | Privacy