hawkeye

General

Target

10397957094.zip
Size

1.2MB
Sample

230510-wsehlsbd4v
MD5

292c310e47a8f69c242e8e19700dbd79
SHA1

7e50d6488dad5e8ecd3949c85c1089afe3e7b303
SHA256

1e7abeab7b40ca56a3f6a8d49cfd86b567bce43b790e01a9d7688789944373fb
SHA512

b6e0da385fd6884275912283bb23974bfe48c928200efeec60680de2ecf5bbec1a6c9ec938e59c5e41412763ff7a95dfc7054e41f6d34df4e0da3ce49edd380c
SSDEEP

24576:hHfNdnqm1Q4u4GNh8da1nbiXcgdSlTlp3Wg/1+0LXFtt+6MPtehdB4:hHf+m1jTGIdOnbKcgdS1lpPt+6Vttvx4

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.tcci.org.sa
Port:
587
Username:
khedre@tcci.org.sa
Password:
Brown3044

Targets

- Target
  
  9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660
- Size
  
  1.1MB
- MD5
  
  0ede5189d2124e2de33daca7dfacecd8
- SHA1
  
  b5b62e468bbc494bf039a2b84748a1c54ddf21cb
- SHA256
  
  9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660
- SHA512
  
  dc97f9c4a840ad4968b5ab04824f5253b538103a11735c301e68862acf60469734dded0c322610d2138afb6b87eaa7db56551d1d1b38c7f1480ede0190dfe18e
- SSDEEP
  
  12288:jy0Vd6+UYMUiv4MBBlLakiL5R6ftjGFwWod5wgEBit9QVXdNo:j9ygM3lLalRajGeWmwgEBisVt6
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  d2b638bc930015604dbede40dc3cb202e1fbfa8956c6168923e0bc0bfd400d98
- Size
  
  661KB
- MD5
  
  d793dff0e3e0046d9f13c9b75d4d67a1
- SHA1
  
  2357b41b9a5d5d4880cdfc76724bc96931e9e643
- SHA256
  
  d2b638bc930015604dbede40dc3cb202e1fbfa8956c6168923e0bc0bfd400d98
- SHA512
  
  2bcde02d15c5497ab0a17d445abc9a7b4bccd50732ace2b2d99e6820d420a16b76262a5ff6472389733e1f71e33de7ff9fcecfdc99c5630a0666bc8539f602e3
- SSDEEP
  
  12288:AMx+hr1rttGnqqzhY/RG5/weutM7eiWZ0rgkHgqmCSni7KtaNy3P4Z95lW0pDl:pkrPGn3aImeutR0ZHgd67KtaNGAZ9GI
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4