hawkeye

General

Target

78fc807a0d0b41a65654733c4b7203c9_JaffaCakes118
Size

1.2MB
Sample

240527-ngtt6ahe8v
MD5

78fc807a0d0b41a65654733c4b7203c9
SHA1

ee9a0f2a0cce28e33336c4987ac31992fbef6751
SHA256

884051874b4ba6a28d2a50586da27bb841dde9ce3c770cc7a3bd239a36f17c54
SHA512

d13348c5bc061dd29ed74335b087c2a932481f38064ec000b39eaee8a9b61c43b6be8bc439515646dc2c99f02a2a7571f8f1f178874e3cd830b4907a851d3843
SSDEEP

12288:RgahAN4aebneohnpATnGKfsJDyfgrcA0V387bt4Z/bX8MkQBt8fA:m2ainjhpQk1LwhUbt4VX8XQBt8I

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
fqtfeqaualbtfmle

Targets

- Target
  
  78fc807a0d0b41a65654733c4b7203c9_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  78fc807a0d0b41a65654733c4b7203c9
- SHA1
  
  ee9a0f2a0cce28e33336c4987ac31992fbef6751
- SHA256
  
  884051874b4ba6a28d2a50586da27bb841dde9ce3c770cc7a3bd239a36f17c54
- SHA512
  
  d13348c5bc061dd29ed74335b087c2a932481f38064ec000b39eaee8a9b61c43b6be8bc439515646dc2c99f02a2a7571f8f1f178874e3cd830b4907a851d3843
- SSDEEP
  
  12288:RgahAN4aebneohnpATnGKfsJDyfgrcA0V387bt4Z/bX8MkQBt8fA:m2ainjhpQk1LwhUbt4VX8XQBt8I
Score

10^/10

agilenet hawkeye collection keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Obfuscated with Agile.Net obfuscator

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2