Extracted

• • Target

    PO Lists --- pdf.exe

  • Size

    1.2MB

  • MD5

    e488e1a45eb1b7ea061c6a3d9f0729f7

  • SHA1

    523c99b72980e3a82a20378fe22949b2c2bf43a1

  • SHA256

    4e08d3d7a3ecb630ccf016f97a79aab7f44b255484737d574599c25acf0952b2

  • SHA512

    a8398e7323c247c5f5bd4239e44f2037aa03619828b8927c30277651128c392950bfd9a3fe59e946f28b3937b473d0ba86169b1baa52f59ed30f53ac7c8ccd53

  • SSDEEP

    12288:p0yiHh/Iwu6+pM3BHB0kTp05xm0Nj/RfycXzN/7RPyIoDvS/efj1WI0CVq:pGhNu65fI5/NjJfRpNPz1AR0C

  Score

  10^/10

  hawkeyecollectionevasionkeyloggerpersistencespywarestealertrojan

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2