Rewterz Threat Alert – HawkEye Infostealer – Active IOCs

August 2, 2022

Severity

Medium

Analysis Summary

HawkEye, primarily an infostealer, has additional capabilities such as bypassing of AV systems and keylogging. A spear-phishing campaign is detected using malicious RTF documents sent via corona-themed emails to distribute the HawkEye keylogger. While most malicious RTF documents use exploits to trigger Object Linking and Embedding (OLE) calls, in this case, the documents use the \objupdate switch. A victim would need to enable macros for the infection process to begin. The embedded OLE objects, five of them in this case, appear to be macro-enabled Excel sheets. PowerShell is used to execute .NET code which downloads and executes the Hawkeye payload.

Impact

Information Theft
Credential Theft
Antivirus Bypass

Indicators of Compromise

MD5

8826f2195559eaac97acd1806bd19044
38ff1032b0bcfc6dc30f63749d379022

SHA-256

fc218ee6d2ebace3f7d764b427db2ade46447783260cad5ede4211f68cf32a04
ddad4e4e91bdcf7d47f2d11d9886fb66083e38b7213551c5d2b3ec17cdb84b38

SHA-1

9fd7479a7e56314fe808a97657454ccdf984d722
6cf99fcd0d1c484828fcff3cc976113ee016e27b

Remediation

Search for IOCs in your environment.
Block all threat indications at their respective controls.

Rewterz Annual Threat Intelligence Report 2024 - Download Now

Rewterz Annual Threat Intelligence Report 2024 - Download Now

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Cobalt Strike Malware – Active IOCs

CVE-2025-49719 – Microsoft SQL Server Zero-Day Vulnerability

Multiple Cisco Splunk Enterprise Vulnerabilities

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Rewterz Threat Alert – WannaCry Ransomware – Active IOCs

Rewterz Threat Alert – DanaBot Trojan – Active IOCs