hawkeye

General

Target

z1Quotation.scr.exe
Size

569KB
Sample

240930-lvg2eaydkm
MD5

0a648622633dbd21fef151b525657b2c
SHA1

49a34b496d78054a1b6404dd04d9be60d071ae52
SHA256

3cc2813b0ce3a69bd64acdbe194fa68e067a150626cf45e665a27836f39ac39d
SHA512

4cf0488f7fdea3047994e6ca7ce94febd36c861a45c7765f9b30d194e844f8a9af87b317f6517f585dbcd65494bf013acf7fc96082fb42d22382b897126602f8
SSDEEP

12288:oXXiVMOWJOcSBkCedZpqPT5YkxBsdQ6jv2:KXiSjJO7B10DqPT5GNT2

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

subddfg.lol:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZLUOGZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  z1Quotation.scr.exe
- Size
  
  569KB
- MD5
  
  0a648622633dbd21fef151b525657b2c
- SHA1
  
  49a34b496d78054a1b6404dd04d9be60d071ae52
- SHA256
  
  3cc2813b0ce3a69bd64acdbe194fa68e067a150626cf45e665a27836f39ac39d
- SHA512
  
  4cf0488f7fdea3047994e6ca7ce94febd36c861a45c7765f9b30d194e844f8a9af87b317f6517f585dbcd65494bf013acf7fc96082fb42d22382b897126602f8
- SSDEEP
  
  12288:oXXiVMOWJOcSBkCedZpqPT5YkxBsdQ6jv2:KXiSjJO7B10DqPT5GNT2
Score

10^/10

discovery hawkeye remcos remotehost collection keylogger rat spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  dd87a973e01c5d9f8e0fcc81a0af7c7a
- SHA1
  
  c9206ced48d1e5bc648b1d0f54cccc18bf643a14
- SHA256
  
  7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
- SHA512
  
  4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
- SSDEEP
  
  192:VFiQJ77pJp17C8F1A5xjGNxrgFOgb7lrT/993:97pJp48F2exrg5F/9
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  6c881f00ba860b17821d8813aa34dbc6
- SHA1
  
  0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13
- SHA256
  
  bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87
- SHA512
  
  c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6
- SSDEEP
  
  96:DOBtYZKtPsrqBApt1JHpb9XWk7Qe06iE6mE6YNFyVOHd0+ugwEX:DtZKtrAJJJbP7iEHEbN8Ved0PM
Score

3^/10

discovery
behavioral5 behavioral6