MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 14


Intelligence 14 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
SHA3-384 hash: b03e8fd6e7ca938ccf655303eb3b74e4d62c3b2a87a5d17dc9f870e6c5a99aedb2e36827cdb5c23eb8ab6e36a77232a1
SHA1 hash: 129a58d2c6c4de7fcead562f9729a28e517fb6d4
MD5 hash: c7043b9b65e252b5305634da4f5515f1
humanhash: lemon-carpet-bravo-minnesota
File name:Shitstain.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:78'524'416 bytes
First seen:2025-03-25 15:52:13 UTC
Last seen:2025-04-28 20:46:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (35 x CoinMiner, 17 x AsyncRAT, 17 x BlankGrabber)
ssdeep 1572864:Z6x3bF0F9U7b7ewHkli+ouzl1IBMrGZHdk/6eSDFb:UBF0Fsb7ewHkliN4km+91xb
Threatray 1 similar samples on MalwareBazaar
TLSH T18B089F8EC7870766F5BEAAE61E47773735F56E121928C89FCA141A31304F0A2E59313E
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.4% (.EXE) Win32 Executable (generic) (4504/4/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 60e9d8dc9cf8e4c4 (1 x HawkEye)
Reporter BastianHein
Tags:exe HawkEye

Intelligence

File Origin
# of uploads :
2
# of downloads :
533
Origin country :
CL CL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e2d171bb84e066269f14c9
Tags:
infosteal danabot autorun proxy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file
Searching for synchronization primitives
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Reading critical registry keys
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Enabling a "Do not show hidden files" option
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypt packed packed packer_detected
Link:
https://www.filescan.io/uploads/67e2d168f274bf2d8e20d683/reports/1c03b76c-2c07-4ede-9fdf-22f27dfe6e68/overview
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
Result
Verdict:
MALICIOUS
Result
Threat name:
AnarchyGrabber, AsyncRAT, DBatLoader, Di
Create hunting rule
Detection:
malicious
Classification:
spre.phis.troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1648216
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to capture screen (.Net source)
Creates autorun.inf (USB autostart)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites Windows DLL code with PUSH RET codes
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AllatoriJARObfuscator
Yara detected AnarchyGrabber
Yara detected aPLib compressed binary
Yara detected AsyncRAT
Yara detected BatToExe compiled binary
Yara detected DBatLoader
Yara detected Discord Token Stealer
Yara detected FritzFrog
Yara detected HawkEye Keylogger
Yara detected Lokibot
Yara detected MailPassView
Yara detected Quasar RAT
Yara detected Remcos RAT
Yara detected ReverseRat
Yara detected SHARPIL RAT
Yara detected SilverRat
Yara detected Telegram Recon
Yara detected TroubleGrabber
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Yara detected Xmrig cryptocurrency miner
Yara detected XRed
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1648216 Sample: Shitstain.exe Startdate: 25/03/2025 Architecture: WINDOWS Score: 100 96 freedns.afraid.org 2->96 98 api.telegram.org 2->98 100 49 other IPs or domains 2->100 118 Suricata IDS alerts for network traffic 2->118 120 Found malware configuration 2->120 122 Malicious sample detected (through community Yara rule) 2->122 128 37 other signatures 2->128 9 Shitstain.exe 45 2->9         started        13 sysifdy.exe 2->13         started        15 svchost.exe 2->15         started        17 5 other processes 2->17 signatures3 124 Uses dynamic DNS services 96->124 126 Uses the Telegram API (likely for C&C communication) 98->126 process4 dnsIp5 84 C:\Users\user\AppData\Local\Temp\putty.exe, PE32 9->84 dropped 86 C:\Users\user\...\psychosomatic.RAT.exe, PE32+ 9->86 dropped 88 C:\Users\user\AppData\Local\Temp\nigga.exe, PE32 9->88 dropped 90 41 other malicious files 9->90 dropped 162 Encrypted powershell cmdline option found 9->162 164 Drops PE files with a suspicious file extension 9->164 20 0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe 3 9->20         started        23 0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe 9->23         started        26 DanaBot.exe 9->26         started        36 11 other processes 9->36 166 Multi AV Scanner detection for dropped file 13->166 168 Found evasive API chain (may stop execution after checking mutex) 13->168 28 WerFault.exe 15->28         started        30 WerFault.exe 15->30         started        32 WerFault.exe 15->32         started        34 WerFault.exe 15->34         started        94 127.0.0.1 unknown unknown 17->94 file6 signatures7 process8 dnsIp9 130 Multi AV Scanner detection for dropped file 20->130 132 Injects a PE file into a foreign processes 20->132 39 0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe 15 6 20->39         started        70 C:\Users\user\AppData\Local\...\svchost.exe, PE32 23->70 dropped 72 C:\Users\user\AppData\Local\Temp\proxyt.exe, PE32 23->72 dropped 134 Drops PE files with benign system names 23->134 43 svchost.exe 23->43         started        45 proxyt.exe 23->45         started        74 C:\Users\user\AppData\Local\...\DanaBot.dll, PE32 26->74 dropped 136 Detected unpacking (changes PE section rights) 26->136 138 Detected unpacking (overwrites its own PE header) 26->138 48 regsvr32.exe 26->48         started        56 2 other processes 26->56 108 api.telegram.org 149.154.167.220, 443, 49720, 49722 TELEGRAMRU United Kingdom 36->108 110 5555.kl.com.ua 5.79.66.145, 49711, 49713, 80 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 36->110 112 cdn.discordapp.com 162.159.130.233, 443, 49732 CLOUDFLARENETUS United States 36->112 76 C:\Users\user\dane\0a-PORNOSKI.exe, PE32 36->76 dropped 78 C:\Users\user\AppData\...\cGEDpDSLzj.exe, PE32 36->78 dropped 80 C:\Users\user\AppData\Roaming\Installer.exe, PE32 36->80 dropped 82 3 other malicious files 36->82 dropped 140 Found evasive API chain (may stop execution after checking mutex) 36->140 142 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->142 144 Creates autorun.inf (USB autostart) 36->144 146 6 other signatures 36->146 50 Installer.exe 36->50         started        52 conhost.exe 36->52         started        54 WerFault.exe 36->54         started        58 3 other processes 36->58 file10 signatures11 process12 dnsIp13 114 smtp.gmail.com 172.253.122.109, 49721, 587 GOOGLEUS United States 39->114 116 whatismyipaddress.com 104.19.223.79, 49718, 80 CLOUDFLARENETUS United States 39->116 148 Changes the view of files in windows explorer (hidden files and folders) 39->148 150 Tries to harvest and steal browser information (history, passwords, etc) 39->150 152 Writes to foreign memory regions 39->152 160 4 other signatures 39->160 60 vbc.exe 39->60         started        63 vbc.exe 39->63         started        65 dw20.exe 39->65         started        154 Multi AV Scanner detection for dropped file 43->154 156 Found evasive API chain (may stop execution after checking mutex) 43->156 158 Found stalling execution ending in API Sleep call 43->158 92 C:\Windows\SysWOW64\sysifdy.exe, PE32 45->92 dropped 67 rundll32.exe 48->67         started        file14 signatures15 process16 dnsIp17 170 Tries to steal Mail credentials (via file registry) 60->170 172 Tries to steal Instant Messenger accounts or passwords 60->172 174 Tries to steal Mail credentials (via file / registry access) 60->174 176 Tries to harvest and steal browser information (history, passwords, etc) 63->176 102 rottot.shop 67->102 104 51.178.195.151, 443, 49737, 49766 OVHFR France 67->104 106 4 other IPs or domains 67->106 178 System process connects to network (likely due to code injection or exploit) 67->178 180 Overwrites Windows DLL code with PUSH RET codes 67->180 182 Overwrites code with function prologues 67->182 signatures18
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
Gathering data
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2025-03-25 09:58:13 UTC
AV detection:
19 of 24 (79.17%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6ebmzyejnzli6uqnwm4unjc4ewgzowwfnpc43nxsmcqj5qegzva._file
Verdict:
malicious
Label(s):
shellcode_loader_002
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
asyncrat
Create hunting rule
ta505_packer
Create hunting rule
sharpilrat
Create hunting rule
venomrat
Create hunting rule
Similar samples:
error
HawkEye
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:amadey family:asyncrat family:crimsonrat family:danabot family:gh0strat family:lokibot family:lumma family:modiloader family:quasar family:sality family:sharpstealer family:silverrat family:xmrig family:xworm botnet:092155 botnet:216cb1 botnet:default botnet:march-25 botnet:nigga botnet:null botnet:runtime broker agilenet backdoor banker bootkit collection defense_evasion discovery execution keylogger miner persistence privilege_escalation pyinstaller rat spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/250325-tbnzlsskz2/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
outlook_office_path
outlook_win_path
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
NTFS ADS
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Drops autorun.inf file
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Uses the VBS compiler for execution
VMProtect packed file
Windows security modification
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets file to hidden
Async RAT payload
ModiLoader First Stage
AgentTesla
Agenttesla family
Amadey
Amadey family
AsyncRat
Asyncrat family
CrimsonRAT main payload
CrimsonRat
Crimsonrat family
Danabot
Danabot family
Detect Xworm Payload
Gh0st RAT payload
Gh0strat
Gh0strat family
Lokibot
Lokibot family
Lumma Stealer, LummaC
Lumma family
ModiLoader, DBatLoader
Modifies firewall policy service
Modiloader family
Quasar RAT
Quasar family
Quasar payload
Sality
Sality family
Sharp Stealer
Sharpstealer family
SilverRat
Silverrat family
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
XMRig Miner payload
Xmrig family
Xworm
Xworm family
xmrig
Malware Config
C2 Extraction:
https://api.telegram.org/bot7057429288:AAHYl5_27YU1Yjmuj33WKOqLVSgYtq3n-8k/getUpdates
clear-spice.gl.at.ply.gg:62042
niggahunter-28633.portmap.io:28633
dropout-37757.portmap.host:55554
dropout-37757.portmap.host:37757
https://t5impactsupport.world/api
https://nestlecompany.world/api
https://mercharena.biz/api
https://stormlegue.com/api
https://blast-hubs.com/api
https://blastikcn.com/api
https://lestagames.world/api
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
rootedkrypto-29674.portmap.host:29674
185.136.161.124
http://176.113.115.6
5.tcp.ngrok.io:20448
https://rottot.shop/Devil/PWS/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
chongmei33.publicvm.com:2703
chongmei33.publicvm.com:7031
umarmira055.duckdns.org:2703
umarmira055.duckdns.org:7031
senoc43726-29929.portmap.host:29929
Dropper Extraction:
http://176.113.115.7/mine/random.exe
Verdict:
Malicious
Tags:
Win.Trojan.Fakesec-895 external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/9f1b5aa8-654c-4401-b289-6d7c91511814
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/07881667044b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Hawkeye
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:HKTL_NET_GUID_Stealer
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects c# red/black-team tools via typelibguid
Reference:https://github.com/malwares/Stealer
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:malware_Hawkeye_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:nirsoft_v1
Create hunting rule
Author:RandomMalware
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RAT_HawkEye
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_hawkeye_keylogger_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_hawkeye_keylogger_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA

Comments