MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 047d3bebe340180add07832e734233f7aa762de34f1eca2b5059d48a2daca6bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 9


Intelligence 9 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 047d3bebe340180add07832e734233f7aa762de34f1eca2b5059d48a2daca6bc
SHA3-384 hash: 62f030e3592564421d91750013bfa14638855b3cebed1a5691b29e469795b3523d133f6e40004e922d6adbc9bc446208
SHA1 hash: 1079108984d0587302e2576c6e72c18a1021154b
MD5 hash: 4f0fdcac715b3d952ffab9e7d3ee86ac
humanhash: blue-mango-ohio-social
File name:Y88576645635_03112021.PDF.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:1'821'696 bytes
First seen:2021-03-12 01:10:08 UTC
Last seen:2021-03-12 02:35:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:0cyb8nxp8HA+bY+hHUsP3DOl7ZUzsajRaWOegWb:BLxp8HrDHUsPJznjDOegW
Threatray 600 similar samples on MalwareBazaar
TLSH 7C8512BC7614B6DECC2B893AC9A41C24EAB070A74707D74B90575AECCD0D99BCF250E6
Reporter Anonymous
Tags:HawkEye

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Y88576645635_03112021.PDF.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-12 01:11:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/edd1cd6d-40e8-4da9-a7d3-9faaa3137fab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
HawkEye
Create hunting rule
Link:
https://www.capesandbox.com/analysis/123885/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36489870.12252.19264.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/637471
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 367711 Sample: Y88576645635_03112021.PDF.exe Startdate: 12/03/2021 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 15 other signatures 2->43 8 Y88576645635_03112021.PDF.exe 3 2->8         started        process3 file4 29 C:\...\Y88576645635_03112021.PDF.exe.log, ASCII 8->29 dropped 57 Detected unpacking (changes PE section rights) 8->57 59 Detected unpacking (overwrites its own PE header) 8->59 61 Injects a PE file into a foreign processes 8->61 12 Y88576645635_03112021.PDF.exe 2 8->12         started        14 Y88576645635_03112021.PDF.exe 8->14         started        16 Y88576645635_03112021.PDF.exe 8->16         started        signatures5 process6 process7 18 Y88576645635_03112021.PDF.exe 15 4 12->18         started        22 Y88576645635_03112021.PDF.exe 12->22         started        dnsIp8 31 ftp.triplelink.co.th 103.27.200.199, 21, 35996, 49749 BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH Thailand 18->31 33 192.168.2.1 unknown unknown 18->33 35 84.102.13.0.in-addr.arpa 18->35 45 Changes the view of files in windows explorer (hidden files and folders) 18->45 47 Sample uses process hollowing technique 18->47 24 vbc.exe 1 18->24         started        27 vbc.exe 13 18->27         started        signatures9 process10 signatures11 49 Tries to steal Mail credentials (via file registry) 24->49 51 Tries to steal Instant Messenger accounts or passwords 24->51 53 Tries to steal Mail credentials (via file access) 24->53 55 Tries to harvest and steal browser information (history, passwords, etc) 27->55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/047d3bebe340180add07832e734233f7aa762de34f1eca2b5059d48a2daca6bc/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-03-11 09:05:43 UTC
AV detection:
22 of 47 (46.81%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ar6tx27diamavxihqmxhgqrt66vhmlpdj4pmuk2qlhkiulnmu26a._file
Verdict:
malicious
Similar samples:
23b46a12d6b6a703b8e588d24f3c0018cf749556b021b514b963587e7adaa25b
HawkEye
29800b7d8e8c3c60918a37c992a2890b4ccf9e4e0c949accd48821302d0f2891
HawkEye
33d2ce58e713daa6aeae2d712dfbdac9e7f431df73c969f0c70afa75b56f1ab9
HawkEye
41617ac4431c229ba27bf94617b465309e7f502ae5088cd12ee571a0428ea120
HawkEye
4f0035201ba7a3a536727862b8ac8dbf389038c5af1674ff7a982190fed1e30b
HawkEye
5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4
HawkEye
d6dd125366422144fd21e2281699aeb71fddd1680d2b73c968558a3e68408f60
HawkEye
dffa4b4cf6fc7f869229acf3c1f5b1cce1f9b29913f1cc19ae47a4aeff580c49
HawkEye
ec446e3da134c103fc81582cf5c43d8f55f7e44297a9839ab2989c1ff1de54d6
HawkEye
f9b0f5609812ef0b9d258fec8b6830021c488d5516c845cf03561b7e74bf3d89
HawkEye
+ 590 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210312-84qrdwwxqx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
da3a99534824255ff1ec7683cc02bb4de7086b7ac0d4b69205434638c50510b3
MD5 hash:
ca7979e7723dfb802f49395076754b11
SHA1 hash:
3143a40ad67116cba11d167dc1eaffed6fce4b07
Link:
https://www.unpac.me/results/bf9b66dd-8680-4356-ad72-c38083a3ee69/
SH256 hash:
047d3bebe340180add07832e734233f7aa762de34f1eca2b5059d48a2daca6bc
MD5 hash:
4f0fdcac715b3d952ffab9e7d3ee86ac
SHA1 hash:
1079108984d0587302e2576c6e72c18a1021154b
Link:
https://www.unpac.me/results/bf9b66dd-8680-4356-ad72-c38083a3ee69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/047d3bebe340180add07832e734233f7aa762de34f1eca2b5059d48a2daca6bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Hawkeye
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:HKTL_NET_GUID_Stealer
Create hunting rule
Author:Arnim Rupp
Description:Detects c# red/black-team tools via typelibguid
Reference:https://github.com/malwares/Stealer
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:RAT_HawkEye
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:win_hawkeye_keylogger_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_hawkeye_keylogger_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/123885/

Comments