Overview

overview

10

Static

static

3

dcae346b4f...d7.exe

windows10-1703-x64

10

dcae346b4f...d7.exe

windows10-2004-x64

10

dcae346b4f...d7.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.7z

  • Size

    975KB

  • Sample

    240419-xlf9ascf58

  • MD5

    0d7c4b816177e966198db346a8271a39

  • SHA1

    d73a62a4133dec7f46c094b16d1cad8d1cb0e3c9

  • SHA256

    b4c515ace87a3f6c263475f9e9fa57851d872f7ae91a0f32c4c901132ddf549c

  • SHA512

    f99ea18b50797e65cfbc56ecc4187e1e8e3fbc5ebeaa696c9fee72213e88fd2f00090dc3b0599871f271596b91fc74dcb506d2c573edacd9ff36bebc89a2a81a

  • SSDEEP

    24576:MqA61JyP8I2njMmc2m9b15CURDgUC64dA7uUP0:XAvPS/I93CURDFC64ghc

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7

    • Size

      998KB

    • MD5

      88d19703623192e4ddf73cec4aa24a89

    • SHA1

      c23025a02259e6da9a7db46ce7a12274a3cd4b18

    • SHA256

      dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7

    • SHA512

      83e366948e5a8e80fc31e98771029add13293387fa876a2ba8a420032db9b23c043e2ee228eaafce8c7224d1d3b5081a1c9de26b003b7877657d44741abc03e6

    • SSDEEP

      24576:M1eKhP8/X0LknDY1zhdpACe+0RJ7Vz5xDIaTyEYKlZUOXJ:MXhP9LkD4T0htmJWt

    Score
    10/10
    hawkeyecollectionkeyloggerpersistencespywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Tasks