MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f371c17a23b2d2ce7d515476798aa61418232c74d7412b07a8473cde26d3a7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f371c17a23b2d2ce7d515476798aa61418232c74d7412b07a8473cde26d3a7b
SHA3-384 hash: da504d7a9850aa54e857f37b71c7e2a883d895e68f17078d94e572dae6ffec884771e2e4edab1695cdca511fa8afe797
SHA1 hash: 6fe184a0d6a6e926fb4ac6fdbda9064dfc053611
MD5 hash: ab385c6275ab31c216f2e95a8b7d4fb8
humanhash: papa-glucose-pasta-missouri
File name:Order_RFQ.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:793'600 bytes
First seen:2020-05-01 11:08:25 UTC
Last seen:2020-05-01 11:56:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:dXR30fs2hSqhdclDL07ip0rK/dqe9PR+5Xpbw/7jwjGdQqV5CwgI4wGHmbMilYF:ryB5mai+rxeT+5Xp8/7kj27g/bIK
Threatray 429 similar samples on MalwareBazaar
TLSH 6CF4E08CFBD68827DE524639C967BD804B37AEF0594EA2CE15E274618F73BA05D005BC
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: ira.com
Sending IP: 173.82.119.46
From:  C.S. Kim (김창식 부장) <ianchoi@daelimcorp.co.kr>
Subject: Request for NDA prior to RFQ / CpChem USGC II project.
Attachment: Order_RFQ.img (contains "Order_RFQ.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.43642.32129.10006.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 02:18:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b43ryf5chmwszz6vcvdwpgfkmfayemwhjv2bfmd2qrz43ytnhj5q._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
32b216961b29c869c5ca73a22988e6a6a289f268dfbd18c7c58e9b65ec27f9a1
HawkEye
3465a87f7c026e390a862f5d4b638745f80fa24a5ef94998e2f5c1818dd0bc15
HawkEye
3e87da458341b4cc27da064631812c1e07d70234571a40f3a6d12c7e7b54961c
HawkEye
4d0aea3c86fee5ae6722f98e65e622017f16725ede141d7ee95c20262080c61a
HawkEye
75952934e5ef6bb74f29c3320ef112e219cc953dc5ed8c351d742448f61161ff
HawkEye
8aadc9eae1964c2fa5d3ba8f6816a239db391f4cfb38785367eee5f2923b5f9b
HawkEye
8c1d117e9f7e5ade2de844bffdf2aa17368c95342f0a9ee0746f10e5982dede6
HawkEye
9efa06e1e51881862d5c07970aac24aae3e6e6628dada0af5dadd665b7ed2d77
HawkEye
afa01ac749d07add64b68dbeb19d3723fe9a11f9fd5e55deb803949837e3e936
HawkEye
b4a60a5fdddebf1351aa77b5ae1b850c8f53312cbe7e3792a0adbd3a458c70ba
HawkEye
+ 419 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Hawkeye
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:RAT_HawkEye
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:win_hawkeye_keylogger_g0
Create hunting rule
Author:Various authors / Slavo Greminger, SWITCH-CERT
Rule name:win_hawkeye_keylogger_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

img 91b3241c870de07301b5980edb287ae54c57651c4b91bf8f0cb5fcb5113c3f4d

HawkEye

Executable exe 0f371c17a23b2d2ce7d515476798aa61418232c74d7412b07a8473cde26d3a7b

(this sample)

  
Dropped by
MD5 43cc132c9a9bfa077416a85721112061
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 91b3241c870de07301b5980edb287ae54c57651c4b91bf8f0cb5fcb5113c3f4d

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments