hawkeye | 0a213049df4abf319dbb1c1bd1b5114ffa01bca076e2880dd25e5a8567561f95 | Triage

Submit
Reports

Overview

overview

Static

static

1

c2d55f54c2...12.doc

windows7-x64

c2d55f54c2...12.doc

windows10-2004-x64

1

Sharing

General

Target

10743387837.zip
Size

596KB
Sample

230613-xbr8taad92
MD5

4ad0377c1a5ba6880fe1fcea7c35e1f9
SHA1

0a7ec3e591a4a2d38465ebe2fcc627b7e647364c
SHA256

0a213049df4abf319dbb1c1bd1b5114ffa01bca076e2880dd25e5a8567561f95
SHA512

acda92b6563f61f5a2efa754908e10acf9c43306f4990181992561cda7908a9c2799e6946dc50b47813745d38b481da6c70215a929fc16c35b86f18d8ae60d1b
SSDEEP

12288:c+MRCIGcqPoBlfNg/gdTWvl4qRVSMekFM/s0RjtVNJAZD4NC:clR6DWli/gdYlvzSMx+k0RjjAn

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc

Resource

win7-20230220-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

22 signatures

300 seconds

Behavioral task

behavioral2

Sample

c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc

Resource

win10v2004-20230220-en

windows10-2004-x64

9 signatures

300 seconds

Malware Config

Targets

- Target
  
  c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12
- Size
  
  679KB
- MD5
  
  7f075616272cca52e731c11080d0f3ef
- SHA1
  
  b5142fe556fc114eb221c4b14ad9d19c9e83fe83
- SHA256
  
  c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12
- SHA512
  
  f9fe3bb4f04138c8c924a74f35c293cbe3e777a6f2993c0352e4de9f6677807fcb982190d2a070925ee7a6810a136f2f7c1358babe5e8087736513f6b77982a7
- SSDEEP
  
  12288:WXQnnE6+s3WsZ/lkwR939lgKFWRg1xY0VcRuaHuatAUz3huJ7XrjaJ+:WXQnnYsNHXR9NlgobVcUK7UXrj++
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy