Extracted

• • Target

    CyberghostVPN Premium (CRACKED).exe

  • Size

    506KB

  • MD5

    6be1fce1a3abcf89e0cdeb09d3cf40ad

  • SHA1

    b0a4f12ca291ddef0f549e377631af84d2064e2c

  • SHA256

    c477cd79e2951a1df8afa40388ac0470159b61cf06867d447b2ccbc1ad3986a7

  • SHA512

    ca0df2532e86132dd739614e1e7a61e7e8d0d25c6fb7cc0b0421d19df7cba7584a569d371cbed782b703503663c4593afaf82a4a26d30d775f482775b337ccf1

  • SSDEEP

    6144:3IJbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9bCI:YJQtqB5urTIoYWBQk1E+VF9mOx9j

  Score

  10^/10

  hawkeyecollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2