Extracted

• • Target

    10e933944fd38d4087f252443a6c1ce57e6fe76e59829a8eb5e1930982120b70

  • Size

    1.2MB

  • MD5

    89f7f56c99807e8a8b0d39df66b64c9c

  • SHA1

    138139e54a2956ef71ad49d303f4e35101f1297b

  • SHA256

    10e933944fd38d4087f252443a6c1ce57e6fe76e59829a8eb5e1930982120b70

  • SHA512

    f6b631ec7e113ea1c46dd94a52983ee385c832a9d3b22692f8e3b957955ad2cbe9fa1373b26f7ea888f4c8c167b83b2c016de645fb9f5835b577c419359d9300

  • SSDEEP

    24576:UhntGx9yVf41ob4s6ABttGZOATIZXTnR1e:UtGZ1oEEbG8xXje

  Score

  10^/10

  hawkeyecollectiondiscoverykeyloggerpersistencespywarestealertrojan

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • Hawkeye family

    hawkeye

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2