General

  • Target

    27768ff0f6ed892c4a7fb79f83ac3a343067d496e254ee642acf3a26ef084722.exe

  • Size

    1.2MB

  • Sample

    241123-rttlpssqbp

  • MD5

    f0ab87c90d5a1176658ac444126e1808

  • SHA1

    ea7baa8102102e6768173e2c11fe92b95364fd8b

  • SHA256

    27768ff0f6ed892c4a7fb79f83ac3a343067d496e254ee642acf3a26ef084722

  • SHA512

    6b6d5a6d0ee74cb71320a0294db283336ef28471fa6bca3a5728d6b781f649d75fa2d65cde9b5338c90f11fac54646c5a3b2c937231d885b0599e303d674edf3

  • SSDEEP

    24576:XhntGx9yVf41ob4s6ABttGZOATIZXTnR13/Jt6Fclb:5tGZ1oEEbG8xXj5b

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: smtp.zoho.com
  • Port: 587
  • Username: [email protected]
  • Password: Diego1986

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Hawkeye family

    • Detected Nirsoft tools

      Free utilities often used by attackers that can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks