General

  • Target

    acbe388dc869bfd90eb95a39428ca06098fe128d27763b240b491e5d8ae38e91.exe

  • Size

    1.1MB

  • Sample

    241231-hshy5szmcp

  • MD5

    f17541c37cd429e19841423923d9b710

  • SHA1

    256d9b340fb5dd96e3143ec76c76d8c66d877f4b

  • SHA256

    acbe388dc869bfd90eb95a39428ca06098fe128d27763b240b491e5d8ae38e91

  • SHA512

    1e70278613ab0684933a2fc60c413c2adcf9f00ce0bfeccd2395733f1ac45654bd3e51649a1877ce7457153151c7f770150aee67cc46f90b740ce7597bd71edc

  • SSDEEP

    24576:tUktJwwEPcHc2bDCn4bQAKg9Iwv1b8QW5AeIG3Z09CW:tfFEUBb2HAtNmZ0QW

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    panel.freehosting.com
  • Port:
    21
  • Username:
    bilonocc
  • Password:
    VtZu7za518

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Hawkeye family

    • Detected Nirsoft tools

      Free utilities often used by attackers that can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
