

Severity
Medium
Analysis Summary
HawkEye is primarily an infostealer, with additional capabilities such as antivirus bypass and keylogging. A spear-phishing campaign has been detected that uses malicious RTF documents, sent via corona-themed emails, to distribute the HawkEye keylogger. While most malicious RTF documents rely on exploits to trigger Object Linking and Embedding (OLE) calls, in this case the documents use the \objupdate switch, which forces the embedded objects to update (and so activate) when the document is opened. A victim would still need to enable macros for the infection process to begin. The embedded OLE objects, five of them in this case, appear to be macro-enabled Excel sheets. PowerShell is then used to execute .NET code which downloads and executes the HawkEye payload.
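As an added defender-side example (not code from the Rewterz alert), the following Python scans an RTF file for the pattern the summary describes: \object groups carrying the \objupdate switch and embedded macro-enabled Excel classes. The sample RTF is constructed here, and the function scan_rtf and its report fields are my own names.

```python
import re
from dataclasses import dataclass, field

# RTF control word: backslash, letters, optional numeric parameter.
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)?")
# Class name inside a {\*\objclass ...} group.
OBJCLASS = re.compile(rb"\\objclass\s*([^}\\]+)")


@dataclass
class RtfObjectReport:
    object_count: int = 0      # number of \object groups
    objupdate_count: int = 0   # number of \objupdate switches
    classes: list = field(default_factory=list)  # \objclass names found

    @property
    def suspicious(self) -> bool:
        # Heuristic from the alert: embedded OLE objects whose update is
        # forced with \objupdate, no exploit required.
        return self.object_count > 0 and self.objupdate_count > 0


def scan_rtf(data: bytes) -> RtfObjectReport:
    """Count embedded objects and \\objupdate switches in raw RTF bytes."""
    report = RtfObjectReport()
    # Word accepts a truncated '{\rt' header, so only require that prefix.
    if not data.lstrip().startswith(b"{\\rt"):
        return report
    names = [m.group(1) for m in CONTROL_WORD.finditer(data)]
    report.object_count = names.count(b"object")
    report.objupdate_count = names.count(b"objupdate")
    report.classes = [c.strip().decode("ascii", "replace")
                      for c in OBJCLASS.findall(data)]
    # Caveat: this is a plain regex pass; heavily obfuscated RTF (split
    # control words, junk groups) needs a real RTF parser to be reliable.
    return report


# Constructed sample mimicking the alert: five macro-enabled Excel objects.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard Guidance attached.\\par\n"
    + b"".join(
        b"{\\object\\objemb\\objupdate{\\*\\objclass Excel.SheetMacroEnabled.12}"
        b"{\\*\\objdata 0105000002000000}}\n" for _ in range(5))
    + b"}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Plain memo, no embedded objects.\\par}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        r = scan_rtf(doc)
        print(name, r.object_count, r.objupdate_count, r.classes, r.suspicious)
```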
Impact
- Information Theft
- Credential Theft
- Antivirus Bypass
Indicators of Compromise
MD5
- 8826f2195559eaac97acd1806bd19044
- 38ff1032b0bcfc6dc30f63749d379022
SHA-256
- fc218ee6d2ebace3f7d764b427db2ade46447783260cad5ede4211f68cf32a04
- ddad4e4e91bdcf7d47f2d11d9886fb66083e38b7213551c5d2b3ec17cdb84b38
SHA-1
- 9fd7479a7e56314fe808a97657454ccdf984d722
- 6cf99fcd0d1c484828fcff3cc976113ee016e27b
Remediation
- Search for the IOCs above in your environment.
- Block all threat indicators at their respective controls.