MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b774ad4c9780bdb6e4fec9dbd688f1ac6d0ee75e9771c64de99e1f5152e0b385. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 5 Comments

SHA256 hash: b774ad4c9780bdb6e4fec9dbd688f1ac6d0ee75e9771c64de99e1f5152e0b385
SHA3-384 hash: 0af5a2377bc6cbf365ef0c11387807142e617537100c28d755c89aa100f0dca6b80a7a908f2fa80fabdf54e785e0ecf0
SHA1 hash: 85f8c093f487db02ebbbda53d0893be9bdbc0ace
MD5 hash: 269a05d36d071c206dc87187d6136352
humanhash: emma-asparagus-quiet-rugby
File name:Versanddetails.exe
Download: download sample
Signature HawkEye
File size:610'816 bytes
First seen:2020-07-31 10:21:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:rbp6PijqEQEYD+8HvcgoVUN2iR8r/be2DSafN41N+D68:rtUAqEJYDdEgoVUN27lSaVg+
TLSH 00D49C4F4185DE64FB5592B0A19FB7F303B240976BD78F8E2FC4958635C3B818A2C296
Reporter @abuse_ch
Tags:DEU DHL exe geo HawkEye


Twitter
@abuse_ch
Malspam distributing HawkEye:

HELO: vps.ajlogos.es
Sending IP: 91.142.220.142
From: DHL DELIVERY SERVICE <shipment@dhl.de>
Reply-To: s.peters.edur@bk.ru
Subject: Re: Versanddetails
Attachment: Versanddetails.zip (contains "Versanddetails.exe")

HawkEye SMTP exfil server:
server165.web-hosting.com:26

Intelligence


File Origin
# of uploads :
1
# of downloads :
27
Origin country :
US US
Mail intelligence
Geo location:
IT Italy
Volume:
Low
Geo location:
Global
Volume:
High
Vendor Threat Intelligence
Result
Threat name:
HawkEye MailPassView
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Detected HawkEye Rat
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.FormBook
Status:
Malicious
First seen:
2020-07-31 01:37:00 UTC
AV detection:
23 of 31 (74.19%)
Threat level
  5/5
Result
Malware family:
hawkeye
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:hawkeye
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Uses the VBS compiler for execution
Reads user/profile data of web browsers
HawkEye
Threat name:
Kryptik
Score:
1.00

Yara Signatures


Rule name:Hawkeye
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:RAT_HawkEye
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:win_hawkeye_keylogger_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_hawkeye_keylogger_w0
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:with_sqlite
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

Executable exe b774ad4c9780bdb6e4fec9dbd688f1ac6d0ee75e9771c64de99e1f5152e0b385

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments