Extracted

• • Target

    4972451c5773b795d9499e8153c44ce32cc98958083a4ee7b88f4ac2fd0aedfcN

  • Size

    1.1MB

  • MD5

    a4b7826e6589c71a90858b2f14a02480

  • SHA1

    495270d636c1b04cda524580ea6ef3298f442c25

  • SHA256

    4972451c5773b795d9499e8153c44ce32cc98958083a4ee7b88f4ac2fd0aedfc

  • SHA512

    348725f111cee510af12736a96dcdc1d85383504a89914ebe175892fffabd117e34d9f39f4afe9bfcc38263fc0dc0839742c8243abed38c69ef73b50afd00b52

  • SSDEEP

    24576:hhntGx9yVf41ob4s6ABttGZOATIZXTnR13//lW:PtGZ1oEEbG8xXjlW

  Score

  10^/10

  hawkeyecollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2