General

  • Target

    7a59df1dc08e22644f32ed618b450576d9c953dba0d76a5fcc38853ecbc34e7b

  • Size

    950KB

  • Sample

    221128-xlbc2sha77

  • MD5

    e5aa0e99526e791426dcc27eb44b48f1

  • SHA1

    92a1a13d0c4acd9984d5a14ccb3a4a0e0e9490ca

  • SHA256

    7a59df1dc08e22644f32ed618b450576d9c953dba0d76a5fcc38853ecbc34e7b

  • SHA512

    524121e9aa578c3763c89df30e62d2da12135e1840316f357482448386406b03dd6faffc186c1c17bc0405d01c0a852a6a9bdf59f8e6e257e2772fa1db7abce2

  • SSDEEP

    12288:rWubT76a9iUutQwPb3inIT4cpamBcNKflIqgpsj1EiM0si+KeYDdTE5TAKz8M9sx:xTJdWmIcHsj1s08Khujz5KyoftV30
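Before trusting that a file pulled from another feed is the sample this report describes, recompute the four digests above and compare them. The Python below is an added example by the editor, not part of the sandbox report; REPORTED copies the digests from this page, and hash_file, hash_bytes, compare and verify_file are illustrative helper names. Fuzzy hashing (SSDEEP) is left to the ssdeep tool, since it is not in the standard library.

```python
import hashlib
from typing import Dict, Iterable, Tuple

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests copied from the General section of this report.
REPORTED = {
    "md5": "e5aa0e99526e791426dcc27eb44b48f1",
    "sha1": "92a1a13d0c4acd9984d5a14ccb3a4a0e0e9490ca",
    "sha256": "7a59df1dc08e22644f32ed618b450576d9c953dba0d76a5fcc38853ecbc34e7b",
    "sha512": "524121e9aa578c3763c89df30e62d2da12135e1840316f357482448386406b03"
              "dd6faffc186c1c17bc0405d01c0a852a6a9bdf59f8e6e257e2772fa1db7abce2",
}


def hash_bytes(data: bytes, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Digest an in-memory buffer with every requested algorithm."""
    return {a: hashlib.new(a, data).hexdigest() for a in algorithms}


def hash_file(path: str, algorithms: Iterable[str] = ALGORITHMS, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Digest a file in a single streaming pass so large samples never sit fully in memory."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def compare(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {algorithm: (expected, actual)} for every digest that differs.

    An empty dict means every digest present in both inputs matched. Hex case is ignored.
    Any single mismatch already means a different file; there is no partial match here.
    """
    return {
        a: (expected[a].lower(), actual[a].lower())
        for a in expected
        if a in actual and actual[a].lower() != expected[a].lower()
    }


def verify_file(path: str, expected: Dict[str, str] = REPORTED) -> bool:
    """True when the file on disk reproduces every digest in the report."""
    return not compare(hash_file(path, tuple(expected)), expected)
```

A mismatch on any one algorithm is enough to say it is not this sample; what differs is usually a re-packed or padded variant, which is where the SSDEEP value from the report becomes useful for similarity rather than identity.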

Malware Config

Targets

    • Target

      7a59df1dc08e22644f32ed618b450576d9c953dba0d76a5fcc38853ecbc34e7b

    • HawkEye

      HawkEye is a commodity keylogger and infostealer kit that has seen continuous development since at least 2013.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      Reads stored Outlook account and profile data; this is the Email Collection (T1114) entry in the matrix below.

    • Adds Run key to start application

      Writes a value under a CurrentVersion\Run key so the payload is relaunched at user logon; this is the Registry Run Keys (T1060) and Modify Registry (T1112) entries in the matrix below.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process is a building block of process hollowing and similar code injection; on its own it is an indicator to follow up, not proof of injection.
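The behaviours listed above are what a defender wants to recognise on a live host, not only in a sandbox. The Python below is an added example by the editor, not code from the sandbox report or from HawkEye itself: it runs the three host-observable signatures (Run key persistence, external IP lookup, and the compiler launched as a host process) over a few constructed Sysmon-style events. Assumptions: the event dictionaries mimic Sysmon EventIDs 1, 13 and 22 as parsed from EVTX or JSON; IP_LOOKUP_HOSTS is a hypothetical watchlist because the report names no service; the "VBS compiler" signature is assumed to refer to vbc.exe; and the technique IDs reuse the ATT&CK v6 IDs from the matrix on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Autostart keys behind the "Adds Run key to start application" signature (T1060 in the page's matrix).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# User-writable locations: a Run value pointing here (or written from here) is far more suspicious
# than the Program Files / System32 entries that legitimate installers add.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# Hypothetical watchlist of public IP-echo services; the report only says "a legitimate IP lookup service".
IP_LOOKUP_HOSTS = {
    "checkip.dyndns.org", "bot.whatismyipaddress.com", "api.ipify.org",
    "icanhazip.com", "ip-api.com", "ifconfig.me",
}
# Parents that legitimately launch vbc.exe (the VB.NET compiler); anything else spawning it is odd.
DEV_PARENT_RE = re.compile(r"\\(MSBuild|devenv|dotnet|csc|vbc)\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    signature: str            # wording taken from the signature list on this page
    technique: Optional[str]  # ATT&CK v6 ID from the page's matrix, or None where the page maps none
    detail: str


def check_event(ev: Dict) -> Iterator[Finding]:
    """Yield a Finding for each page signature that a single Sysmon-style event matches."""
    eid, image = ev.get("EventID"), ev.get("Image", "")
    if eid == 13:  # RegistryEvent (value set)
        target, value = ev.get("TargetObject", ""), ev.get("Details", "")
        if RUN_KEY_RE.search(target) and (USER_WRITABLE_RE.search(value) or USER_WRITABLE_RE.search(image)):
            yield Finding("Adds Run key to start application", "T1060", f"{image} set {target} = {value}")
    elif eid == 22:  # DNSEvent
        qname = ev.get("QueryName", "").lower()
        if qname in IP_LOOKUP_HOSTS:
            yield Finding("Looks up external IP address via web service", None, f"{image} resolved {qname}")
    elif eid == 1:  # ProcessCreate
        parent = ev.get("ParentImage", "")
        if image.lower().endswith("\\vbc.exe") and not DEV_PARENT_RE.search(parent):
            yield Finding("Uses the VBS compiler for execution", "T1064", f"{parent} spawned {image}")


def scan(events) -> List[Finding]:
    """Run every event through check_event and collect the findings in event order."""
    return [f for ev in events for f in check_event(ev)]


def techniques(findings) -> List[str]:
    """Distinct ATT&CK IDs hit, for comparison against the matrix on this page."""
    return sorted({f.technique for f in findings if f.technique})


# Constructed events for a stand-alone run; they are not taken from the sandbox report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\invoice.exe"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\victim\AppData\Roaming\svchost.exe"},
    {"EventID": 22, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "QueryName": "checkip.dyndns.org"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "example.org"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique or '----'}] {f.signature}: {f.detail}")
```

The user-writable-path condition is what keeps the Run key rule from firing on every installer; the legitimate HKLM entry in the sample events is deliberately left unflagged to show that trade-off. The Outlook, browser and messenger reads are file and registry reads, which default Sysmon does not record, so they are better hunted with the sandbox output or an EDR that logs file access.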

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1 signature

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1 signature

  • Defense Evasion

    Scripting (T1064): 1 signature
    Modify Registry (T1112): 1 signature

  • Credential Access

    Credentials in Files (T1081): 2 signatures

  • Collection

    Data from Local System (T1005): 2 signatures
    Email Collection (T1114): 1 signature

The count after each technique is the number of matched signatures above that the sandbox attributes to it. The IDs follow ATT&CK v6: T1064 (Scripting), T1060 (Registry Run Keys / Startup Folder) and T1081 (Credentials in Files) were deprecated in later releases and now correspond to the T1059 sub-techniques, T1547.001 and T1552.001 respectively, so map them to the current IDs before loading this report into tooling that tracks a newer version.
Tasks