Extracted

• • Target

    2016pdf.exe

  • Size

    965KB

  • MD5

    e289bcf6d77230d7fdb4d8a0bf126723

  • SHA1

    70880bcc5a8ac31df2dc6aa2e03f8f73965f7812

  • SHA256

    98c08e97f88fd09e81a8dc3e3234f89ceed282048a4275c7a2f1b9bc116db41f

  • SHA512

    a7883c1644d143c4d8a6384e7b9d0eeaf9e8ce51c76b3c35f2daf89c04944d77be99af095b31f5a1ba46c8bd271f89aa20d963d4d6a61176cb040e01288395eb

  • SSDEEP

    24576:pQu+IperrOUj6k7ZqC30kKoreoQSQS4kHHDJ1VnmjSd/EG:pQyk7ZxlK5oAkDJ1ZYSds

  Score

  10^/10

  hawkeyecollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2