hawkeye

General

Target

996f3a9bdd016b9fb9926bcb01a4b3e91f181fb5dba177ddc92e02f31d3dfb8d
Size

668KB
Sample

221128-k7bvgsca35
MD5

38576f4e6bb6babc2f6c2b70df7a1cdb
SHA1

0c7433340cf4f7967ebf3abbb97b88f22811e199
SHA256

996f3a9bdd016b9fb9926bcb01a4b3e91f181fb5dba177ddc92e02f31d3dfb8d
SHA512

d031e2d415e4c211c1f176b8afe756cd8317bc68f44e16fc3346b27a15bb535c4a20d3ab223f7788b0126ecc0cdd705c9db1de0b1778148adfdaf67a9b393e37
SSDEEP

12288:ME8rjoDsSbgw5B7ijMwE3872MFnEMUAPUVqzPTcSgrbq0EuawvU21X5rYkO:MVogSbjB7ij7EIFnmA8qEStBY9mkO

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
preston99

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
preston99

Targets

- Target
  
  iROBUX.exe
- Size
  
  692KB
- MD5
  
  f5a4cfa487cf9b551c5e5227c1703dff
- SHA1
  
  eadfe6328dc2e183fcc85cc228d58de5e8876e37
- SHA256
  
  1dd3dd08dc740fc8a12a19446f140e8b43adce8d3e16b4116e9cb8bb36bae2b5
- SHA512
  
  149af066b63c062daffadb6f7df2cf1b4c038a342699ba46bcf1e10bf4375ae88cbcd2625647afa88931027637a4c6a28a1058e3a1e439b5616717d35b75e41d
- SSDEEP
  
  12288:4QtqB5urTIoYWBQk1E+VF9mOx91wXRbsTy:4QtqBorTlYWBhE+V3mOSbsT
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  readme.__________txt.exe
- Size
  
  544KB
- MD5
  
  833d9ac9077ce6415450e05a3ec20f14
- SHA1
  
  887ec9ff2fc9d4cc8223277d0348e7f7f51d0c88
- SHA256
  
  744df077822f8801d301ac27ef90c2249e0f04049bfbaa8abebc47dc168951f0
- SHA512
  
  ad5e758fdb547bf67249742113f05c3a7b93a53e14c2c0f06c368b3d657fd6cb525b41e96d7817e3654eb48f3c0d6aca59837ebd69b7f0749b211a9a92d14de2
- SSDEEP
  
  6144:cu+GnD5bS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9ni:1QtqB5urTIoYWBQk1E+VF9mOx9nw00
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4