MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9880b54eff052551b910427ebe39f02e2af781c99336b9f5bbb1a9ba41e0e19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9880b54eff052551b910427ebe39f02e2af781c99336b9f5bbb1a9ba41e0e19
SHA3-384 hash: 35dcad6827d49ea79ab2ed5c92a881862304c02ab128729356783c44147ffce5b983924b847aaad9e3b8d13b948eca2b
SHA1 hash: b9442468d6824450e546f3940451f2adaf21c0ed
MD5 hash: 08ad7896d01b04a00b797f7a5c826d21
humanhash: apart-eighteen-lemon-social
File name:Baldwin Co. Egypt Itams Lid.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:707'584 bytes
First seen:2020-08-04 06:40:26 UTC
Last seen:2020-08-04 08:20:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2ff2dc860b3be78716db0209b9220e29 (4 x AgentTesla, 3 x HawkEye, 2 x NetWire)
ssdeep 12288:Z75XAYMt3Q4vRyPFt5lM2cIUu264bQkgdQaAVBYpKu1YQZadw6pB4:dKYfRuIB4bQkgoOKu+QZP634
Threatray 3'107 similar samples on MalwareBazaar
TLSH 44E423D2AB8355C4F974A67884167FD1DB06B4A2EE791C9A0C49DECE1F718E0D78330A
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: server.ismailyonline.com
Sending IP: 173.212.200.137
From: Ahmed Karam <smtpfox-6gshx@awa2lksa.com>
Reply-To: Ahmed Karam <smtpfox-6gshx@awa2lksa.com>
Subject: Inquiry
Attachment: Baldwin Co. Egypt Itams Lid.zip (contains "Baldwin Co. Egypt Itams Lid.exe")

HawkEye SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38196/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a process with a hidden window
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408663
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected HawkEye Rat
Drops VBS files to the startup folder
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256569 Sample: Baldwin Co. Egypt Itams Lid.exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Detected HawkEye Rat 2->41 43 9 other signatures 2->43 8 Baldwin Co. Egypt Itams Lid.exe 2->8         started        11 wscript.exe 1 2->11         started        process3 signatures4 51 Writes to foreign memory regions 8->51 53 Allocates memory in foreign processes 8->53 55 Maps a DLL or memory area into another process 8->55 57 Queues an APC in another process (thread injection) 8->57 13 Baldwin Co. Egypt Itams Lid.exe 5 8->13         started        16 notepad.exe 1 8->16         started        18 Baldwin Co. Egypt Itams Lid.exe 11->18         started        process5 signatures6 59 Sample uses process hollowing technique 13->59 20 vbc.exe 13->20         started        23 vbc.exe 12 13->23         started        61 Drops VBS files to the startup folder 16->61 63 Delayed program exit found 16->63 65 Writes to foreign memory regions 18->65 67 Allocates memory in foreign processes 18->67 69 Maps a DLL or memory area into another process 18->69 25 Baldwin Co. Egypt Itams Lid.exe 4 18->25         started        27 notepad.exe 1 18->27         started        process7 file8 45 Tries to steal Instant Messenger accounts or passwords 20->45 47 Tries to steal Mail credentials (via file access) 20->47 49 Sample uses process hollowing technique 25->49 30 vbc.exe 25->30         started        33 vbc.exe 12 25->33         started        35 C:\Users\user\AppData\Roaming\...\chrom.vbs, ASCII 27->35 dropped signatures9 process10 signatures11 71 Tries to steal Instant Messenger accounts or passwords 30->71 73 Tries to steal Mail credentials (via file access) 30->73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9880b54eff052551b910427ebe39f02e2af781c99336b9f5bbb1a9ba41e0e19/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 23:59:26 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zgeawvhp6bjfkg4raqt6xy47alrk66a4tezwxh23xmnjxja6bymq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
005149b4a8d817af2e11f4aa505878fcb9e7ea38ce96364734ebdc6109fb544b
HawkEye
05b449bf4042b771a25d8d1b850e942325516196b73aba7a70e99f80b996ab2c
HawkEye
0927a3a49404b9de1a120157dc89f931ac98f765a0a452d2c71a7d8daf7a42ff
HawkEye
18a40f97d649fd2106faeddba94fc124beff44f69b713dbf4b88614f151b6f25
HawkEye
1c8e7015a2423c7a1ca5e7c5cdbb0b7eaf175e2b5983269281bfe9d1c8ee9985
HawkEye
3b2850cd8a54bfdb4c52c45f541c4d97047a28b19d034bbec609389b19019094
HawkEye
6c5a6f6633d4de0bb04b962dc15cf213760b7914967809c18bfbbf48355941a2
HawkEye
6c5cbab985bdb5d892675422a21b49c7a364961ca01141bb45ab98d3847d5a5d
HawkEye
83aed4ae8d1c8c859858f028fb69c8ded9f06538bbf46b4909ee04c4e7cf838f
HawkEye
c49423c0fce4c71e3bef5bc92441e9510c7f46d54207446df6496128f9780924
HawkEye
+ 3'097 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/200804-gzgkgwwct6/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9880b54eff052551b910427ebe39f02e2af781c99336b9f5bbb1a9ba41e0e19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip a5ed809c63ad073da4dd38dc730228a9f7b93d0bfef8c5621624d9ce29f918ae

HawkEye

Executable exe c9880b54eff052551b910427ebe39f02e2af781c99336b9f5bbb1a9ba41e0e19

(this sample)

  
Dropped by
MD5 c6a3b41793a004b8ea03a77bf6743a85
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38196/
  
Dropped by
SHA256 a5ed809c63ad073da4dd38dc730228a9f7b93d0bfef8c5621624d9ce29f918ae

Comments