hawkeye

General

Target

ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118
Size

1.3MB
Sample

240421-qe6r2sce7w
MD5

ff59b59d6fb138bd3a588d89ea0fa1d7
SHA1

fad22ded5983e8d5a9bffa398c3281670e496f46
SHA256

8e1c67e8ed76591ed779773be365b2b66440d958f1bf3556d4512f71836c3d2f
SHA512

7c3017e263d812bac1ad57bf4ed4371fe7414cbde8af077e507811a9ce538d1fdbbb5d396f355792dae67cdf9c25e3b0128a036816d74a48ad68c62e5109054e
SSDEEP

24576:x6qt46zuDJ+ssHguZbtg2aLJ5eKSKmR9Fmt5J2NY9/:xZqARsV5VmFmzJ2M/

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.merchantexint.com
Port:
587
Username:
amin@merchantexint.com
Password:
merW&13@

Targets

- Target
  
  ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  ff59b59d6fb138bd3a588d89ea0fa1d7
- SHA1
  
  fad22ded5983e8d5a9bffa398c3281670e496f46
- SHA256
  
  8e1c67e8ed76591ed779773be365b2b66440d958f1bf3556d4512f71836c3d2f
- SHA512
  
  7c3017e263d812bac1ad57bf4ed4371fe7414cbde8af077e507811a9ce538d1fdbbb5d396f355792dae67cdf9c25e3b0128a036816d74a48ad68c62e5109054e
- SSDEEP
  
  24576:x6qt46zuDJ+ssHguZbtg2aLJ5eKSKmR9Fmt5J2NY9/:xZqARsV5VmFmzJ2M/
Score

10^/10

hawkeye agilenet collection keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2