hawkeye | 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31 | Triage

Submit
Reports

Overview

overview

Static

static

3

621bbd51e4...18.exe

windows7-x64

621bbd51e4...18.exe

windows10-2004-x64

Sharing

General

Target

621bbd51e44db9b507a911ceba8c6e4dJaffaCakes118
Size

883KB
Sample

240523-asfj1seh56
MD5

621bbd51e44db9b507a911ceba8c6e4d
SHA1

524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA256

5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512

b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8
SSDEEP

24576:xCDIvM+NgeFi4kQOZiAIxAhlmA35AtbeHFnb:xCDknZi+x/NS

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

621bbd51e44db9b507a911ceba8c6e4dJaffaCakes118.exe

Resource

win7-20240508-en

hawkeye collection keylogger persistence spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

621bbd51e44db9b507a911ceba8c6e4dJaffaCakes118.exe

Resource

win10v2004-20240508-en

hawkeye collection keylogger persistence spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  621bbd51e44db9b507a911ceba8c6e4dJaffaCakes118
- Size
  
  883KB
- MD5
  
  621bbd51e44db9b507a911ceba8c6e4d
- SHA1
  
  524a771f04ee76bddc16d5a6c0d59ac4f97b3398
- SHA256
  
  5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
- SHA512
  
  b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8
- SSDEEP
  
  24576:xCDIvM+NgeFi4kQOZiAIxAhlmA35AtbeHFnb:xCDknZi+x/NS
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

behavioral2

hawkeyecollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy