hawkeye | a20013993c2f6fd82da07e382fc61e80229f217da9013ed3def234b529285453 | Triage

Submit
Reports

Overview

overview

Static

static

idiot.exe

windows11-21h2-x64

Sharing

Copy URL Twitter E-mail

General

Target

idiot.exe
Size

469KB
Sample

250520-1qs1facq8w
MD5

6400d8c9ca64b697f6b2ecac84c5fc9d
SHA1

fa4d9752c7b30eab70c19ad0665679b7e21e3b66
SHA256

a20013993c2f6fd82da07e382fc61e80229f217da9013ed3def234b529285453
SHA512

31d9d3aabba839867acaec6a629084be392923534ddb0e6f05aefeb503aca6a0c84a68199fb745b55ad974f50e8942efc798201157a16b52738814cfdb608626
SSDEEP

12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSNn9:uiLJbpI7I2WhQqZ7N9

Score

10^/10

hawkeye remcos idiot2000 discovery keylogger persistence rat spyware stealer trojan

Static task

static1

idiot2000 remcos

2 signatures

Behavioral task

behavioral1

Sample

idiot.exe

Resource

win11-20250502-en

hawkeye remcos idiot2000 discovery keylogger persistence rat spyware stealer trojan

windows11-21h2-x64

28 signatures

900 seconds

Malware Config

Extracted

Family

remcos

Botnet

idiot2000

C2

toygamin-28778.portmap.io:28778

Attributes

audio_folder
id0tsys
audio_path
%WinDir%\System32
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
ur stoupid.exe
copy_folder
sys33
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
memo
keylog_path
%WinDir%\System32
mouse_option
false
mutex
Rmc-TWENXE
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
screenforId!0t
screenshot_path
%WinDir%\System32
screenshot_time
2
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  idiot.exe
- Size
  
  469KB
- MD5
  
  6400d8c9ca64b697f6b2ecac84c5fc9d
- SHA1
  
  fa4d9752c7b30eab70c19ad0665679b7e21e3b66
- SHA256
  
  a20013993c2f6fd82da07e382fc61e80229f217da9013ed3def234b529285453
- SHA512
  
  31d9d3aabba839867acaec6a629084be392923534ddb0e6f05aefeb503aca6a0c84a68199fb745b55ad974f50e8942efc798201157a16b52738814cfdb608626
- SSDEEP
  
  12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSNn9:uiLJbpI7I2WhQqZ7N9
Score

10^/10

hawkeye remcos idiot2000 discovery keylogger persistence rat spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Hawkeye family
  hawkeye
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

idiot2000remcos

behavioral1

hawkeyeremcosidiot2000discoverykeyloggerpersistenceratspywarestealertrojan

© 2018-2025

Terms | Privacy