hawkeye | 32cd319e6761e336df91dc0712d9d55068f5c6f8a31eaa4593a4f29430dc8e82 | Triage

Submit
Reports

Overview

overview

Static

static

3

eb9c1e590e...18.exe

windows7-x64

eb9c1e590e...18.exe

windows10-2004-x64

Sharing

General

Target

eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118
Size

484KB
Sample

240410-v2jm9aaa8x
MD5

eb9c1e590efe43a4e30b614657e68fd0
SHA1

c503a0e0fcee9a1461587830b8d114d33fdd0287
SHA256

32cd319e6761e336df91dc0712d9d55068f5c6f8a31eaa4593a4f29430dc8e82
SHA512

a726311927ec6be8783b357ffc8e9833c4bc7f31f2d47a05bed71ce59a09985e1a4dc39bd87e4979e0814ac0aea7e22cbcdcb720d05995e74b1e69deb8a21488
SSDEEP

12288:xI6Dr6HtQctUGQWgijsqnAy0w9y4jq9y/hmkcKPFM:SecCi/l9y/mh1cYF

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118.exe

Resource

win7-20240221-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118.exe

Resource

win10v2004-20240226-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
borismiller02@yandex.ru
Password:
0

Targets

- Target
  
  eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118
- Size
  
  484KB
- MD5
  
  eb9c1e590efe43a4e30b614657e68fd0
- SHA1
  
  c503a0e0fcee9a1461587830b8d114d33fdd0287
- SHA256
  
  32cd319e6761e336df91dc0712d9d55068f5c6f8a31eaa4593a4f29430dc8e82
- SHA512
  
  a726311927ec6be8783b357ffc8e9833c4bc7f31f2d47a05bed71ce59a09985e1a4dc39bd87e4979e0814ac0aea7e22cbcdcb720d05995e74b1e69deb8a21488
- SSDEEP
  
  12288:xI6Dr6HtQctUGQWgijsqnAy0w9y4jq9y/hmkcKPFM:SecCi/l9y/mh1cYF
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy