hawkeye | 93b304f118709f87fc7233fea68eeb6471d4eb5bb2c2d81684e1fea1a03e82cf

General

Target

PLogger+V5.0/patch.exe
Size

212KB
MD5

6c4e602268e4b8bd575b7db917e48831
SHA1

870ff297863a9248b5a12339a38328eed6390d13
SHA256

26dbe46819c4271f45c830b3d214e513f9b27722c337ffd76cb2c3a719794740
SHA512

b9a6a9b626b27d5002496fa5ca15307e021e339d18b89dbf2bdf03915a6693feb28100fc7ae8eb946caa7d00057d7a1160a35d26f1ef32515c8b4e0ae12ea71e
SSDEEP

3072:0X3djKBqb240NW1qzmgqojoJlS5OzNSLBS9sqLFm+kVXslJMsgE:0X3IWTqzmgoJlS5Oz4BS9sqLFuV8j

Score

10^/10

hawkeye credential_access keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
parsa123456nnn

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Drivers\etc\hosts	Windows Update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	patch.exe

Deletes itself 1 IoCs

pid	Process
1052	Windows Update.exe

Executes dropped EXE 1 IoCs

pid	Process
1052	Windows Update.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1052	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	Windows Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1052	Windows Update.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 1052	2620	patch.exe	85
PID 2620 wrote to memory of 1052	2620	patch.exe	85

C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe
"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
  2⤵
  - Drops file in Drivers directory
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
56B

MD5
c356a02c7f1a1918794aef71af9b4b2c

SHA1
6de454586b976a4adafb43de81fe706b0b93a949

SHA256
fae91d54033d51368550f98b10bf7ffc6c54db3a7c2a09c735a3b41f017fd2e7

SHA512
a1c388cc46b6a656f8e116d99568c117279dfb96c322ddaafb4a0a4bb5b9dd208e7fb8a9815c85d1aa988702ccfba419fd5d566f1aa500a486a2fe6e25fc1d5f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
212KB

MD5
6c4e602268e4b8bd575b7db917e48831

SHA1
870ff297863a9248b5a12339a38328eed6390d13

SHA256
26dbe46819c4271f45c830b3d214e513f9b27722c337ffd76cb2c3a719794740

SHA512
b9a6a9b626b27d5002496fa5ca15307e021e339d18b89dbf2bdf03915a6693feb28100fc7ae8eb946caa7d00057d7a1160a35d26f1ef32515c8b4e0ae12ea71e

Download Submit
memory/1052-29-0x000000001FD00000-0x000000002000E000-memory.dmp

Filesize
3.1MB

Download
memory/1052-34-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp

Filesize
9.6MB

Download
memory/1052-25-0x000000001C710000-0x000000001C738000-memory.dmp

Filesize
160KB

Download
memory/1052-24-0x000000001CF60000-0x000000001CFFC000-memory.dmp

Filesize
624KB

Download
memory/1052-35-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp

Filesize
9.6MB

Download
memory/1052-19-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp

Filesize
9.6MB

Download
memory/1052-20-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp

Filesize
9.6MB

Download
memory/1052-30-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp

Filesize
9.6MB

Download
memory/1052-36-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp

Filesize
9.6MB

Download
memory/1052-23-0x000000001C7B0000-0x000000001C812000-memory.dmp

Filesize
392KB

Download
memory/1052-21-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp

Filesize
9.6MB

Download
memory/1052-28-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp

Filesize
9.6MB

Download
memory/1052-27-0x000000001D4C0000-0x000000001D50C000-memory.dmp

Filesize
304KB

Download
memory/1052-26-0x000000001C6D0000-0x000000001C6D8000-memory.dmp

Filesize
32KB

Download
memory/2620-4-0x000000001C7D0000-0x000000001C876000-memory.dmp

Filesize
664KB

Download
memory/2620-2-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp

Filesize
9.6MB

Download
memory/2620-0-0x00007FFB90155000-0x00007FFB90156000-memory.dmp

Filesize
4KB

Download
memory/2620-3-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp

Filesize
9.6MB

Download
memory/2620-18-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp

Filesize
9.6MB

Download
memory/2620-1-0x000000001C210000-0x000000001C6DE000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing