hawkeye | 5cabdd6f5494bbb646f2f84ed05f7e5c999efaeba6f9beea3abe0100780137a5 | Triage

Sharing

General

Target

slinkyloader.exe
Size

17.8MB
Sample

240428-wr7srsdg6w
MD5

fa1764b9b4b43de4ce51b6da0748944c
SHA1

91ae2a9b63bcc0f3194385c306e941d7b628aa33
SHA256

5cabdd6f5494bbb646f2f84ed05f7e5c999efaeba6f9beea3abe0100780137a5
SHA512

bf807ca364e3b94c4ec3d8d859d4e927d7e2b70ddf70727a0c921645474c261798d8b39554b28ab838c6c7b04aae1da6c90caeb3d9cf1a682dea2ecf5d9cac18
SSDEEP

393216:Gr+c50Fa7K39n0LHOz3tcA/YFspJfUXvakYHQFSdbhALSVQtikwtW3Jigc:oot3uLuz3tM6rfUXCkYgU/VQti/W35

Score

10^/10

hawkeye remcos slinky keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

Slinky

C2

shall-stat.gl.at.ply.gg:38560

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Defender.exe
copy_folder
WD
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Logs
keylog_path
%WinDir%\System32
mouse_option
false
mutex
fasdfdsgsghhghd-Y8DVRO
screenshot_crypt
true
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%WinDir%\System32
screenshot_time
10
startup_value
WD Defender
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  slinkyloader.exe
- Size
  
  17.8MB
- MD5
  
  fa1764b9b4b43de4ce51b6da0748944c
- SHA1
  
  91ae2a9b63bcc0f3194385c306e941d7b628aa33
- SHA256
  
  5cabdd6f5494bbb646f2f84ed05f7e5c999efaeba6f9beea3abe0100780137a5
- SHA512
  
  bf807ca364e3b94c4ec3d8d859d4e927d7e2b70ddf70727a0c921645474c261798d8b39554b28ab838c6c7b04aae1da6c90caeb3d9cf1a682dea2ecf5d9cac18
- SSDEEP
  
  393216:Gr+c50Fa7K39n0LHOz3tcA/YFspJfUXvakYHQFSdbhALSVQtikwtW3Jigc:oot3uLuz3tM6rfUXCkYgU/VQti/W35
Score

10^/10

hawkeye remcos slinky keylogger persistence rat spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyeremcosslinkykeyloggerpersistenceratspywarestealertrojan