hawkeye | c60c8e8aae5599efe8074f15b92cc5298f41a713197438941296cfd94584b979 | Triage

Sharing

General

Target

remcos_a.exe
Size

483KB
Sample

240814-h7aw3szcja
MD5

fbb5244856ca9451f255715fda74cbd6
SHA1

25a0bad14be8583a4d461e97995f9532b2f1eedf
SHA256

c60c8e8aae5599efe8074f15b92cc5298f41a713197438941296cfd94584b979
SHA512

c0122730d7e11fb1cf103ec61d1ed7f7da5e3cb02f1a32abb70445348f0d21b56f0a128849d5c27a415cb18b59323fd0c78ea33afc53a6fd9d2291dc1f9f31bb
SSDEEP

12288:wTlrYw1RUh3NFn+N5WfIQIjbs/ZBn+T4:ApRUh3NDfIQIjeZ

Score

10^/10

hawkeye remcos remotehost discovery evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

mode-clusters.gl.at.ply.gg:36304

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Updater.exe
copy_folder
Remcos
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CFARP3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  remcos_a.exe
- Size
  
  483KB
- MD5
  
  fbb5244856ca9451f255715fda74cbd6
- SHA1
  
  25a0bad14be8583a4d461e97995f9532b2f1eedf
- SHA256
  
  c60c8e8aae5599efe8074f15b92cc5298f41a713197438941296cfd94584b979
- SHA512
  
  c0122730d7e11fb1cf103ec61d1ed7f7da5e3cb02f1a32abb70445348f0d21b56f0a128849d5c27a415cb18b59323fd0c78ea33afc53a6fd9d2291dc1f9f31bb
- SSDEEP
  
  12288:wTlrYw1RUh3NFn+N5WfIQIjbs/ZBn+T4:ApRUh3NDfIQIjeZ
Score

10^/10

hawkeye remcos remotehost discovery evasion keylogger persistence rat spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

remotehostremcos

behavioral1

hawkeyeremcosremotehostdiscoveryevasionkeyloggerpersistenceratspywarestealertrojan