hawkeye

General

Target

https://cdn.discordapp.com/attachments/1096943623599312947/1120870643668373535/CraxsRat_4.0.1.zip
Sample

230621-ampkqseh24

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/nipkv/raw

Extracted

Credentials

Protocol: smtp
Host:
smtp.zoho.com
Port:
587
Username:
[email protected]
Password:
Nescau71#

Targets

- Target
  
  https://cdn.discordapp.com/attachments/1096943623599312947/1120870643668373535/CraxsRat_4.0.1.zip
Score

10^/10

hawkeye collection discovery evasion keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Suspicious use of NtCreateUserProcessOtherParentProcess
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Registers COM server for autorun
  persistence
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1