MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1de91436b3674fb28cbbfb0a16ccc2f428598b3eff15bafefbe82939cd423835. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1de91436b3674fb28cbbfb0a16ccc2f428598b3eff15bafefbe82939cd423835
SHA3-384 hash: fec62af589c5a28f89f6ca01d75d21a53e24d70a1aadd37181004eb806f828068f9092a93819075fa8ab80895e5e9975
SHA1 hash: def255dae34548cdc4ace48efdf716d7b1e39c8c
MD5 hash: 4a2d307c1f80a76266acefa61399312c
humanhash: zulu-colorado-jig-maine
File name:BANK OF CHINA PAYMENT NOTIFICATION_Xls.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:2'038'272 bytes
First seen:2020-04-01 12:18:29 UTC
Last seen:2020-04-01 13:05:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:ACdxte/80jYLT3U1jfsWacMX2XEC+THTcMCB5sN6wbvNQDFG1rjoFNAFXbhebdZZ:pw80cTsjkWacjX+TcNSvNQR9ANe/Hc+
Threatray 7'141 similar samples on MalwareBazaar
TLSH 7295F12273DDC370CB669173BF6AB7012EBF78654634B86B1F880D7DA950161222D7A3
Reporter c_APT_ure
Tags:HawkEye

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.19347.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-01 15:50:00 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dxurinvtm5h3fdf37mfbntgc6quftcz674k3v7x35autttkcha2q._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
13f51d450568dc6ee7223eb76584d17417a2ef85141e74720445cfba0b10ad5d
HawkEye
3dd0e88a93b6d4fa561f0ece77fee607262c53a5ecb7164b64c29505b88083a8
HawkEye
6c18ca5bda44004c45e35e8224736bac8da9c64e901a5d3342a9834cb43d93ae
HawkEye
87577cf9a668390b93b9fe82794b21cd0579d4b1a7b4f0a4d0b841d03d046daa
HawkEye
a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e
HawkEye
ad89c1a605bbc657714b5c70d3fe0311875cfe7b5730b5b2a2012e177f989890
HawkEye
bbf613ce1f6850b2b62c6f55082ab7b9bcc7f92db0a8ec8f0b495e29cb4988ae
HawkEye
e842dbdc4b41d7516d87ccc21fa365b93c4c94ce5a75dc6f06321f90efa19e29
HawkEye
f46f7af124b25fff7a984b802bfa9f1f01f1efcc3416221aa9b6254150ac9667
HawkEye
fbdf3aed799b476ec4a89b100195efd05bcbc7d51728dd2415ce2c506b4b72cf
HawkEye
+ 7'131 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

Executable exe 1de91436b3674fb28cbbfb0a16ccc2f428598b3eff15bafefbe82939cd423835

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments