General

  • Target

    86ffbeb0ada719b65be47cec2c8ea9bc8aa769e7164576d96e5caf4cf22d1d43.exe

  • Size

    1.2MB

  • Sample

    241124-vx3kkawqbr

  • MD5

    53bae7f0f82b660c967de37ce34b4ae1

  • SHA1

    8466d79789e5b0be2d4e23c94359676eb61f0e55

  • SHA256

    86ffbeb0ada719b65be47cec2c8ea9bc8aa769e7164576d96e5caf4cf22d1d43

  • SHA512

    72752bd7caa1bb488f3c892f3682b6eb524d395fb749adef0d54be05c0b93deaff7f1953c1ff78f587ed189105274ddf8c941552d2249e9c78f1a12f5187cc2a

  • SSDEEP

    24576:ihntGx9yVf41ob4s6ABttGZOATIZXTnR13/Jt6FclZVb:mtGZ1oEEbG8xXj5T

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.zoho.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Diego1986

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Hawkeye family

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover saved passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks