hawkeye

General

Target

c5f616f3c54dfca4225acfc3cc107773_JaffaCakes118
Size

547KB
Sample

240827-3ylx7sxemf
MD5

c5f616f3c54dfca4225acfc3cc107773
SHA1

6e503972eceea524302648f626384e75205e1511
SHA256

61999ad1811489155367e1223b2ac5d24703a3701e9ceddaf1c6dd8958b282b5
SHA512

d4261bcef895b628cf6b6f1a1b0f41c2ea7429200d4e3da251d691dbb01fe9637a0d15f40afb97b457afbbdf3e968125e975a7402d5576cea753b8eca472c0ff
SSDEEP

12288:DllSxxQjrbsdmeTD7++mTPA2alviql7Y+SzVjlUMGU/KWjNuGFV:DTUN9TPSMXdi4mZlU0KWx

Score

10^/10

Malware Config

Targets

- Target
  
  c5f616f3c54dfca4225acfc3cc107773_JaffaCakes118
- Size
  
  547KB
- MD5
  
  c5f616f3c54dfca4225acfc3cc107773
- SHA1
  
  6e503972eceea524302648f626384e75205e1511
- SHA256
  
  61999ad1811489155367e1223b2ac5d24703a3701e9ceddaf1c6dd8958b282b5
- SHA512
  
  d4261bcef895b628cf6b6f1a1b0f41c2ea7429200d4e3da251d691dbb01fe9637a0d15f40afb97b457afbbdf3e968125e975a7402d5576cea753b8eca472c0ff
- SSDEEP
  
  12288:DllSxxQjrbsdmeTD7++mTPA2alviql7Y+SzVjlUMGU/KWjNuGFV:DTUN9TPSMXdi4mZlU0KWx
Score

10^/10

hawkeye collection credential_access discovery keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2