General

  • Target

    217b447b0791d6cbcf06a227f34570b1_JaffaCakes118

  • Size

    744KB

  • Sample

    240507-ylw57afd68

  • MD5

    217b447b0791d6cbcf06a227f34570b1

  • SHA1

    f1835601eef626ff4b7069c15f7d8c34e64ff8f9

  • SHA256

    4a1a81651fa84dd61c6968ba83d03fab3a8f0dc94e839a376bacc53be86ffe52

  • SHA512

    b48c1b38b362c7ac3c9c3d13dae09cac6f02f28902eb158dd8996a2e001cf30e1afe3a4393fac7692f2635f92706c18094f8ac05d89992aac339df2705cf1b7c

  • SSDEEP

    12288:/MboOwkyVGvuC8GlpkCaiF2lbFp5Ry68SzMuU9BtjorgqA7SQjDrAO1RUJJPNoq0:/goOwkyovL8GlpVar9u6nzMuUbigFZoq

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    alibaba123

Targets

    • Target

      RSL-2019.exe

    • Size

      782KB

    • MD5

      960ac9e115b8ee2adfe3460d7a9f0eed

    • SHA1

      f845c68575e67d0a5112113c31fc8a46a1cb9d01

    • SHA256

      fd4612dd41fcb1d4038385cde915ff6c3b3136ba4edee76bdf1224eb224914ad

    • SHA512

      ad85679b972fc19afcef5177502c83824e0d62b19827ef00ac9285f2e645cb0178160caf7ddd8aecb94564783a4b1ff7758b66677bff6341ce78c69ee6a9eb34

    • SSDEEP

      12288:CTCHhLQk3jEB0/iR+V2b5Y1bz9tPfFpb4m7LjeZx3TJu/Hv0J5tmCB77k:CTwv6R+G5e/95HbB7Lje3TgHv0JmCZQ

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks