MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c49423c0fce4c71e3bef5bc92441e9510c7f46d54207446df6496128f9780924. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c49423c0fce4c71e3bef5bc92441e9510c7f46d54207446df6496128f9780924
SHA3-384 hash: 87a36b548e6b8e5ad1cc27ea6ae2cb326a770b44ad6323fb4b300b49fbe0cb17875d3919de3b30814c8fb1cc322add15
SHA1 hash: 0b3562814573c3fab3b2e595c6730706b4b14a8b
MD5 hash: 15fff0ee366388b9d008b30343a8e982
humanhash: king-nine-mirror-harry
File name:WSL1960011872.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:721'408 bytes
First seen:2020-08-04 07:30:32 UTC
Last seen:2020-08-04 09:09:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2ff2dc860b3be78716db0209b9220e29 (4 x AgentTesla, 3 x HawkEye, 2 x NetWire)
ssdeep 12288:Mj/s0Utb5q651a1OrUBfJ2vw7er5FybgdH5yISbewSTHCNs8RjOSa3Z6:arUn81EUL2vw7pbOU9STHCN0S5
Threatray 3'112 similar samples on MalwareBazaar
TLSH BCE42321DDB739F0CE002434625D3EE54A7DB91E1A9E1D339E08C5493AF31D2A996B8F
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: ns5.de-soft.com
Sending IP: 198.57.255.7
From: Grant Nilsen<GrantNilsen@magnerinternational.com>
Reply-To: Yoanka Aguilar<yaguilar@magnerinternational.com>
Subject: new order
Attachment: WSL1960011872.z (contains "WSL1960011872.exe")

HawkEye SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38291/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a process with a hidden window
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408799
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected HawkEye Rat
Drops VBS files to the startup folder
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256642 Sample: WSL1960011872.exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Detected HawkEye Rat 2->41 43 7 other signatures 2->43 8 WSL1960011872.exe 2->8         started        11 wscript.exe 1 2->11         started        process3 signatures4 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->51 53 Writes to foreign memory regions 8->53 55 Allocates memory in foreign processes 8->55 57 3 other signatures 8->57 13 WSL1960011872.exe 5 8->13         started        16 notepad.exe 1 8->16         started        18 WSL1960011872.exe 11->18         started        process5 signatures6 59 Sample uses process hollowing technique 13->59 20 vbc.exe 13->20         started        23 vbc.exe 12 13->23         started        61 Drops VBS files to the startup folder 16->61 63 Delayed program exit found 16->63 65 Writes to foreign memory regions 18->65 67 Allocates memory in foreign processes 18->67 69 Maps a DLL or memory area into another process 18->69 25 WSL1960011872.exe 4 18->25         started        27 notepad.exe 1 18->27         started        process7 file8 45 Tries to steal Instant Messenger accounts or passwords 20->45 47 Tries to steal Mail credentials (via file access) 20->47 49 Sample uses process hollowing technique 25->49 30 vbc.exe 25->30         started        33 vbc.exe 12 25->33         started        35 C:\Users\user\AppData\Roaming\...\chrom.vbs, ASCII 27->35 dropped signatures9 process10 signatures11 71 Tries to steal Instant Messenger accounts or passwords 30->71 73 Tries to steal Mail credentials (via file access) 30->73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c49423c0fce4c71e3bef5bc92441e9510c7f46d54207446df6496128f9780924/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 04:13:22 UTC
AV detection:
33 of 48 (68.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yskchqh44tdr4o7plpesiqpjkegh6rwviidui3pwjfqsr6lybesa._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
005149b4a8d817af2e11f4aa505878fcb9e7ea38ce96364734ebdc6109fb544b
HawkEye
05b449bf4042b771a25d8d1b850e942325516196b73aba7a70e99f80b996ab2c
HawkEye
0927a3a49404b9de1a120157dc89f931ac98f765a0a452d2c71a7d8daf7a42ff
HawkEye
18a40f97d649fd2106faeddba94fc124beff44f69b713dbf4b88614f151b6f25
HawkEye
1c8e7015a2423c7a1ca5e7c5cdbb0b7eaf175e2b5983269281bfe9d1c8ee9985
HawkEye
3b2850cd8a54bfdb4c52c45f541c4d97047a28b19d034bbec609389b19019094
HawkEye
6c5a6f6633d4de0bb04b962dc15cf213760b7914967809c18bfbbf48355941a2
HawkEye
6c5cbab985bdb5d892675422a21b49c7a364961ca01141bb45ab98d3847d5a5d
HawkEye
83aed4ae8d1c8c859858f028fb69c8ded9f06538bbf46b4909ee04c4e7cf838f
HawkEye
c9880b54eff052551b910427ebe39f02e2af781c99336b9f5bbb1a9ba41e0e19
HawkEye
+ 3'102 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/200804-c73511f2ae/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c49423c0fce4c71e3bef5bc92441e9510c7f46d54207446df6496128f9780924

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

z 205f9a9cd105d2327e4c79ed0d0b9673ce0589782ddc13fbd8bbe93edd7662c9

HawkEye

Executable exe c49423c0fce4c71e3bef5bc92441e9510c7f46d54207446df6496128f9780924

(this sample)

  
Dropped by
MD5 737a07952e725c07c25b7caf25f789eb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38291/
  
Dropped by
SHA256 205f9a9cd105d2327e4c79ed0d0b9673ce0589782ddc13fbd8bbe93edd7662c9

Comments