hawkeye | d75128655f8603b5802f6b18c46251539e17914fc805923556ab78e41cb53354 | Triage

Submit
Reports

Overview

overview

Static

static

3

Invoice.exe

windows7-x64

Invoice.exe

windows10-2004-x64

Sharing

General

Target

a2cc926b7b025641b2d587ce686c510f914738dd8074afa406546fcc948854b7.zip
Size

3.4MB
Sample

240402-q7pn8sce22
MD5

7c10887bad1c680484a218732680d1f4
SHA1

a21f0514612df6de8dd4606428bd92fcebb2924e
SHA256

d75128655f8603b5802f6b18c46251539e17914fc805923556ab78e41cb53354
SHA512

d842d16be31a386881106059f130132b07c5f7ef5f3dc151825e45b261cd50a98cdb8be0913fb5832b7b405dea7fd28b816b7ad5a1ef1a1a8f3d1f5c98843692
SSDEEP

98304:iWfvTZIIArBwFdycAP6vOW/0rI8c0/ECC+v:iWH1PBy5zN/ECC+v

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Invoice.exe

Resource

win7-20240221-en

hawkeye collection keylogger spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

Invoice.exe

Resource

win10v2004-20240226-en

hawkeye collection keylogger spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  Invoice.exe
- Size
  
  5.8MB
- MD5
  
  e0ad1b070ad9c0430f491d07c2708484
- SHA1
  
  f36de48706a23f38d7b3fa070d8948dbc9ac3491
- SHA256
  
  647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712
- SHA512
  
  d7bea99b6595f75c0a448d93f8a1394d93a23d88933d3d26ba4c141faa69f9d87a18cf0535cb9e0e3016ad9067ade5320fc0171e7bbe84a42989bfd2f6c25ef9
- SSDEEP
  
  98304:AuBV+GvjiaLzY5lk+Ar+fbleEfho0b6s0LSvIragO0fMvU/5Lf62LDY:AbGvPE5Ca183
Score

10^/10

hawkeye collection keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerspywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy