MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c79fa61d99b4033bc4c88603c1ac8aa581b3bfe89721e1376ea6e744dd8f4af9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c79fa61d99b4033bc4c88603c1ac8aa581b3bfe89721e1376ea6e744dd8f4af9
SHA3-384 hash: 98e97957a82cd809ec2502546e724eb72152f589b31230e0d8170f72d725ba4c27f9de086304a7ab892ba596b00cca71
SHA1 hash: 1fe6bdd381cf68dc293d186040cb9e6445f305d4
MD5 hash: f92c101848d4e76fa78bc80259958658
humanhash: winner-snake-angel-mike
File name:Coronavirus Disease (COVID-19)..exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:894'976 bytes
First seen:2020-03-28 09:09:05 UTC
Last seen:2020-03-28 11:00:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:tJc7T6jNMmbWy5gJaBlJO+slmqwZzQvkM7Tb:g72RbbWsgJaVslmOkM
Threatray 3'163 similar samples on MalwareBazaar
TLSH B91501983250B2EFC86FD6B59D942C60A36074BB530BD393954354EA990DB9BCF242F3
Reporter abuse_ch
Tags:COVID-19 exe HawkEye


Avatar
abuse_ch
COVID-19 themed malspam, dropping HawkEye:

HELO: who.int
Sending IP: 185.208.211.173
Mail from: Tedros Adhanom <TedrosAdhanom@who.int>
Subject: RE: Coronavirus disease (COVID-19) outbreak prevention and cure update.
Attachment: CoronavirusDiseaseCOVID-19..zip (contains CoronavirusDiseaseCOVID-19..exe)

HawkEye config:
Version: 10.1.0.0
Mutex: 0646acc9-0a86-4da1-b5d5-2d5dd4ac5c7d
Email Username: info@leadasiacoaching.com
Email Server: mail.leadasiacoaching.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.45878.32730.31864.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-03-28 08:15:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y6p2mhmzwqbtxrgiqyb4dlekuwa3hp7is4q6cn3ou3tujxmpjl4q._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
0299150a64cbdf7b7ec5048b5ddab864171910cf4ed9da586a44caa2228be443
HawkEye
0ac30990fdf9e06367b60690e98803de01f668f8bc6b76c673a9295acb435d16
HawkEye
30aa96552ed6d03af50adcf6557a6ec3c3cb54f78fc50ee822d6d3c2bf70f9bc
HawkEye
3721089eac3795e9978560e17f9df3c26a177e3b6cbfd52f4f8fcb278b4ce30f
HawkEye
6ad339e5764e335403390892ed5461bcc70d63d2575228de85311e5d6878d1f1
HawkEye
776c7ce560ca7459a622d906f61ceba94e541898731d00cf2b14ba2b06037d74
HawkEye
80e321d63e5c084fbd8c213f315e9eb7e56b7fffdbeb48c2c35f9e172bba9c36
HawkEye
85534754bd3a7cda7234040ba7f0a4440fe85c198e28286ef22fbeb97b3de14b
HawkEye
a0045765610bd2c41ad8266c0e2266f6efb04c2767349ef323f35e6a47c6c6be
HawkEye
cc46386a34dedf7e75ceb2ca1d44cad29dfdd9822d85c2827fbfa114f3328dec
HawkEye
+ 3'153 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870
Rule name:win_hawkeye_keylogger_g0
Create hunting rule
Author:Various authors / Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip df613973c7709fb37e06ea2b6e63f08adcf17158de9d2fb362a46307b1c1644f

HawkEye

Executable exe c79fa61d99b4033bc4c88603c1ac8aa581b3bfe89721e1376ea6e744dd8f4af9

(this sample)

  
Dropped by
MD5 57faee041b9e54a3e6df99df6b2597c0
  
Dropped by
SHA256 df613973c7709fb37e06ea2b6e63f08adcf17158de9d2fb362a46307b1c1644f
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments