hawkeye | 32cd319e6761e336df91dc0712d9d55068f5c6f8a31eaa4593a4f29430dc8e82 | Triage

Submit
Reports

Overview

overview

Static

static

3

eb9c1e590e...18.exe

windows7-x64

eb9c1e590e...18.exe

windows10-2004-x64

Sharing

General

Target

eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118
Size

484KB
Sample

240410-v2jm9aaa8x
MD5

eb9c1e590efe43a4e30b614657e68fd0
SHA1

c503a0e0fcee9a1461587830b8d114d33fdd0287
SHA256

32cd319e6761e336df91dc0712d9d55068f5c6f8a31eaa4593a4f29430dc8e82
SHA512

a726311927ec6be8783b357ffc8e9833c4bc7f31f2d47a05bed71ce59a09985e1a4dc39bd87e4979e0814ac0aea7e22cbcdcb720d05995e74b1e69deb8a21488
SSDEEP

12288:xI6Dr6HtQctUGQWgijsqnAy0w9y4jq9y/hmkcKPFM:SecCi/l9y/mh1cYF

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118.exe

Resource

win7-20240221-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118.exe

Resource

win10v2004-20240226-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
[email protected]
Password:
0

Targets

- Target
  
  eb9c1e590efe43a4e30b614657e68fd0_JaffaCakes118
- Size
  
  484KB
- MD5
  
  eb9c1e590efe43a4e30b614657e68fd0
- SHA1
  
  c503a0e0fcee9a1461587830b8d114d33fdd0287
- SHA256
  
  32cd319e6761e336df91dc0712d9d55068f5c6f8a31eaa4593a4f29430dc8e82
- SHA512
  
  a726311927ec6be8783b357ffc8e9833c4bc7f31f2d47a05bed71ce59a09985e1a4dc39bd87e4979e0814ac0aea7e22cbcdcb720d05995e74b1e69deb8a21488
- SSDEEP
  
  12288:xI6Dr6HtQctUGQWgijsqnAy0w9y4jq9y/hmkcKPFM:SecCi/l9y/mh1cYF
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2025

Terms | Privacy