hawkeye | hxxps://oxy[.]st/d/BNQh | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

1

https://oxy.st/d/BNQh

windows10-2004-x64

Resubmissions

18-05-2024 07:56

240518-js2a6aaf51 10

17-05-2024 19:50

240517-ykrjbaga59 10

17-05-2024 19:47

240517-yhmscaff8t 10

Sharing

General

Target

https://oxy.st/d/BNQh
Sample

240517-ykrjbaga59

Score

10^/10

hawkeye xworm evasion execution keylogger persistence rat spyware stealer trojan

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://oxy.st/d/BNQh

Resource

win10v2004-20240226-en

hawkeye xworm evasion execution keylogger persistence rat spyware stealer trojan

windows10-2004-x64

30 signatures

1800 seconds

Malware Config

Extracted

Family

xworm

C2

pacific-ambient.gl.at.ply.gg:44633

Attributes

Install_directory
%AppData%
install_file
WindowsUpdate.exe

Targets

- Target
  
  https://oxy.st/d/BNQh
Score

10^/10

hawkeye xworm evasion execution keylogger persistence rat spyware stealer trojan
- Detect Xworm Payload
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Modifies visibility of file extensions in Explorer
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

urlscan1

behavioral1

hawkeyexwormevasionexecutionkeyloggerpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy