hawkeye

General

Target

7717f4dc57fe4ba6ff71c5404318b6b0_JaffaCakes118
Size

1.8MB
Sample

240727-fcqypsyakj
MD5

7717f4dc57fe4ba6ff71c5404318b6b0
SHA1

a73becf5f2b7ea51fe2b09e750e6ffb4a237a403
SHA256

93b304f118709f87fc7233fea68eeb6471d4eb5bb2c2d81684e1fea1a03e82cf
SHA512

45895bab392718e3157c73b2c4f9039cd3bee056fc36906e853e6f4914a8207eb28b1dcacf89c882a48ae60a9733dbeda3c24291c54078556fa1cdee9c99b9f2
SSDEEP

49152:G1JrHhT3ggfKAIPxC4EhdHzW1gPnj11KhIdGl7ITR:G/tBSBOdHq1gPnqhI8lg

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
parsa123456nnn

Targets

- Target
  
  PLogger+V5.0/PLogger P8 gold Edi.6.exe
- Size
  
  1.8MB
- MD5
  
  37f75487d20137ef1413da5b75dc0571
- SHA1
  
  b1f6bfb64be3ad224fd77621f9a3bd727dc77ef1
- SHA256
  
  e57b60c1aa19fff7cd2f7ffc4327fece6e357bc3c68cbef40fca749daed802dd
- SHA512
  
  ec2c324e5ce7e6c4ac2443e2d85fffdeec3e131e2d58bac96055fa52d335b2d9559db3df327c62d0d9702ce957b860850308f254179ff0ec1d7fe7c2713498ed
- SSDEEP
  
  49152:NZ4vYfhPJtnkDnDfmIWmEYfbrWIzszL1pQ5KtBPTjZBu52+XQ:NOvYBJpkbDum9bSIzM1K5KJsg
Score

5^/10

discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  PLogger+V5.0/patch.exe
- Size
  
  212KB
- MD5
  
  6c4e602268e4b8bd575b7db917e48831
- SHA1
  
  870ff297863a9248b5a12339a38328eed6390d13
- SHA256
  
  26dbe46819c4271f45c830b3d214e513f9b27722c337ffd76cb2c3a719794740
- SHA512
  
  b9a6a9b626b27d5002496fa5ca15307e021e339d18b89dbf2bdf03915a6693feb28100fc7ae8eb946caa7d00057d7a1160a35d26f1ef32515c8b4e0ae12ea71e
- SSDEEP
  
  3072:0X3djKBqb240NW1qzmgqojoJlS5OzNSLBS9sqLFm+kVXslJMsgE:0X3IWTqzmgoJlS5Oz4BS9sqLFuV8j
Score

10^/10

hawkeye credential_access keylogger spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
behavioral3 behavioral4