General

  • Target

    3ea4af960ce2b81f85633c2dde7c844573841496bd1ee9b552a394632079d2a8N.exe

  • Size

    1.1MB

  • Sample

    241231-ww1j9asnbx

  • MD5

    9703cb3f4c927fd9ebb77b723942f690

  • SHA1

    3a7e912ffcdfd07ba890e3ba86c42c407e979c52

  • SHA256

    3ea4af960ce2b81f85633c2dde7c844573841496bd1ee9b552a394632079d2a8

  • SHA512

    4297e09dd7f8467b8b3f65dce07b113105c4d773f93aab65ae574c7d20109a3b45fc457dfd2b6a3dd44fa3fdfe1f3a7b194871a62b121f1dce2b85898e7e8920

  • SSDEEP

    24576:tUktJwwEPcHc2bDCn4bQAKg9Iwv1b8QW5AeIG3Z09C:tfFEUBb2HAtNmZ0Q

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    panel.freehosting.com
  • Port:
    21
  • Username:
    bilonocc
  • Password:
    VtZu7za518

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Hawkeye family

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover stored passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
