Overview

overview

10

Static

static

3

647816ec76...12.exe

windows7-x64

10

647816ec76...12.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.zip

  • Size

    3.8MB

  • Sample

    240402-q7nf6scd95

  • MD5

    cc8d5c07bfaf3255b8f57d8306a7d1be

  • SHA1

    eae7e416fb8262dea83138703c825899f900ee1e

  • SHA256

    61f954a1c4e16eb74c56fb3104bd3d835a298416a133988ad4900f4569aca8d5

  • SHA512

    a40e42034f1b3095f0966976c9be7cba7ae0026315c737acde45c842675dded18ff963008e88e623476e8ed4f85ed11ea0ef5868e82757bf0ea10481514e89db

  • SSDEEP

    98304:G7A0mcJx8SRxaz5d+wZJqFgwOgwilTrJrzfPZcvT1:G3Jxj/aFU6JPilTrJrz3Z+p

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Targets

    • Target

      647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe

    • Size

      5.8MB

    • MD5

      e0ad1b070ad9c0430f491d07c2708484

    • SHA1

      f36de48706a23f38d7b3fa070d8948dbc9ac3491

    • SHA256

      647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712

    • SHA512

      d7bea99b6595f75c0a448d93f8a1394d93a23d88933d3d26ba4c141faa69f9d87a18cf0535cb9e0e3016ad9067ade5320fc0171e7bbe84a42989bfd2f6c25ef9

    • SSDEEP

      98304:AuBV+GvjiaLzY5lk+Ar+fbleEfho0b6s0LSvIragO0fMvU/5Lf62LDY:AbGvPE5Ca183

    Score
    10/10
    hawkeyecollectionkeyloggerspywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks