hawkeye | 8b6a0f607c8aa32a95838d10b496bdbd68b86a457ef49f8043badb21f5b12b2a | Triage

Submit
Reports

Overview

overview

Static

static

1

TNT Origin...DF.exe

windows7-x64

TNT Origin...DF.exe

windows10-2004-x64

Sharing

General

Target

TNT Original Invoice PDF.exe
Size

1.0MB
Sample

230213-lg25escc56
MD5

f64fc1f7c9d03819bd76645aab99be48
SHA1

11513e335fefcc3a302aba54ea5f5911f3290b9d
SHA256

8b6a0f607c8aa32a95838d10b496bdbd68b86a457ef49f8043badb21f5b12b2a
SHA512

5e9ffee587fbb61256b3f531a50c9ec40598a6459f6e2e30d022c84940a7786208a38430cf7a529588ee9be2f23a930d7b87afa6718744a25b26f81c476dc625
SSDEEP

24576:wYXIQ57jS4qoLVNVS9nqi06jz8ajDTEnU6D5RJ:x/5+oxS9nC6rLR6

Score

10^/10

hawkeye remcos remotehost collection keylogger rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

TNT Original Invoice PDF.exe

Resource

win7-20221111-en

hawkeye remcos remotehost collection keylogger rat spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

TNT Original Invoice PDF.exe

Resource

win10v2004-20220812-en

remcos remotehost rat

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52YOYG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  TNT Original Invoice PDF.exe
- Size
  
  1.0MB
- MD5
  
  f64fc1f7c9d03819bd76645aab99be48
- SHA1
  
  11513e335fefcc3a302aba54ea5f5911f3290b9d
- SHA256
  
  8b6a0f607c8aa32a95838d10b496bdbd68b86a457ef49f8043badb21f5b12b2a
- SHA512
  
  5e9ffee587fbb61256b3f531a50c9ec40598a6459f6e2e30d022c84940a7786208a38430cf7a529588ee9be2f23a930d7b87afa6718744a25b26f81c476dc625
- SSDEEP
  
  24576:wYXIQ57jS4qoLVNVS9nqi06jz8ajDTEnU6D5RJ:x/5+oxS9nC6rLR6
Score

10^/10

hawkeye remcos remotehost collection keylogger rat spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hawkeyeremcosremotehostcollectionkeyloggerratspywarestealertrojan

behavioral2

remcosremotehostrat

© 2018-2024

Terms | Privacy