hawkeye | 93b304f118709f87fc7233fea68eeb6471d4eb5bb2c2d81684e1fea1a03e82cf

General

Target

PLogger+V5.0/patch.exe
Size

212KB
MD5

6c4e602268e4b8bd575b7db917e48831
SHA1

870ff297863a9248b5a12339a38328eed6390d13
SHA256

26dbe46819c4271f45c830b3d214e513f9b27722c337ffd76cb2c3a719794740
SHA512

b9a6a9b626b27d5002496fa5ca15307e021e339d18b89dbf2bdf03915a6693feb28100fc7ae8eb946caa7d00057d7a1160a35d26f1ef32515c8b4e0ae12ea71e
SSDEEP

3072:0X3djKBqb240NW1qzmgqojoJlS5OzNSLBS9sqLFm+kVXslJMsgE:0X3IWTqzmgoJlS5Oz4BS9sqLFuV8j

Score

10^/10

hawkeye credential_access keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
parsa123456nnn

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Drivers\etc\hosts	Windows Update.exe

Deletes itself 1 IoCs

pid	Process
2276	Windows Update.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	Windows Update.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2276	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	Windows Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2276	Windows Update.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2276	3064	patch.exe	28
PID 3064 wrote to memory of 2276	3064	patch.exe	28
PID 3064 wrote to memory of 2276	3064	patch.exe	28

C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe
"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
  2⤵
  - Drops file in Drivers directory
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
56B

MD5
c356a02c7f1a1918794aef71af9b4b2c

SHA1
6de454586b976a4adafb43de81fe706b0b93a949

SHA256
fae91d54033d51368550f98b10bf7ffc6c54db3a7c2a09c735a3b41f017fd2e7

SHA512
a1c388cc46b6a656f8e116d99568c117279dfb96c322ddaafb4a0a4bb5b9dd208e7fb8a9815c85d1aa988702ccfba419fd5d566f1aa500a486a2fe6e25fc1d5f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
212KB

MD5
6c4e602268e4b8bd575b7db917e48831

SHA1
870ff297863a9248b5a12339a38328eed6390d13

SHA256
26dbe46819c4271f45c830b3d214e513f9b27722c337ffd76cb2c3a719794740

SHA512
b9a6a9b626b27d5002496fa5ca15307e021e339d18b89dbf2bdf03915a6693feb28100fc7ae8eb946caa7d00057d7a1160a35d26f1ef32515c8b4e0ae12ea71e

Download Submit
memory/2276-13-0x0000000000A10000-0x0000000000A38000-memory.dmp

Filesize
160KB

Download
memory/2276-20-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-9-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-10-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-25-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-24-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-23-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-14-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-15-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-16-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-22-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-21-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-8-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-0-0x000007FEF625E000-0x000007FEF625F000-memory.dmp

Filesize
4KB

Download
memory/3064-7-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-11-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing