MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ab199282785da53b5d473ab89af264ae67dda695946890c76a8266a7d80352c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ab199282785da53b5d473ab89af264ae67dda695946890c76a8266a7d80352c
SHA3-384 hash: c6354d2f52e4e52b5c065ffd8735ae27b14978d724344306ca6be3ed973aca5ec25ee5939fe592875b716388f964b5ba
SHA1 hash: f7c3e5621cbcae809610624593465fb1d2addddb
MD5 hash: 96b39508ca6c74a94638bf4bbb825e8e
humanhash: delaware-whiskey-potato-lamp
File name:Drawings.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:804'864 bytes
First seen:2020-07-24 10:47:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:x/rVMVT9gPZy/jC13NiyOdbbVo2iNHUJU7PPAd7m8aWkd16cd5Wjzg5D24sck5gj:x14dNo11H7HYm8gX6dzg5DfplXv
Threatray 432 similar samples on MalwareBazaar
TLSH FE05BE412A985A8FF96C77BD33A3501467B8BD151A76DF2D3DC6F0EC29323209902B67
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: slot0.fundscript.xyz
Sending IP: 45.95.169.179
From: info@fundscript.xyz
Reply-To: info@fundscript.xyz
Subject: Quote#CON-071720-EB
Attachment: New and old Lists.img (contains "Drawings.exe")

HawkEye SMTP exfil server:
smtp.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32160/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/397267
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ab199282785da53b5d473ab89af264ae67dda695946890c76a8266a7d80352c/
Threat name:
ByteCode-MSIL.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-24 10:49:08 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dkyzskbhqxnfhnouoovytlzgjlth3wtjlfdisddwvatgu7maguwa._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
06b3325ecfca6773b75ff8d9829cdb9139914c2cf55c5734e8ee315857c5ed9c
HawkEye
1471e8e6ac0fc93f251e6cc084c631818c2ca56f8acd22c0513d6bc7a5bff6e2
HawkEye
1cff19685b36b678ecd8a9d4bd7a5fe366bd3340de67528b2b444f6c9fd841d1
HawkEye
3420bb201817ff2ceb811a81d43faf881e961ca1a0e6d578ffaab466ab22c9f4
HawkEye
6bea7ce2131569b667bc699c65c26bedf04d57844c6fd0ada025a9c5e0282f43
HawkEye
8062bfd89bed5bf003bb7cbeb5caf6b9136158dcc499e60ea161b896b2d78ce5
HawkEye
94604c2e73f692b1c67cece78f153633ee7b011bba198cfc5d92923cc2267a05
HawkEye
a7b27af3279848802a012fad89ce6f0543e80e54b28b02360bb416e39a55bbf3
HawkEye
baa0b105bc19ddaf3c0303f8e7dcaab546e64a4ed340fe3271d9169a2c9cee46
HawkEye
fa7942a25cea90d890bca23298576191b75723375e2106d8ada228a85bfcfa7f
HawkEye
+ 422 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
evasion spyware keylogger trojan stealer family:hawkeye
Link:
https://tria.ge/reports/200724-kpr57vlz2j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Looks up external IP address via web service
Maps connected drives based on registry
Uses the VBS compiler for execution
Checks BIOS information in registry
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
HawkEye
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ab199282785da53b5d473ab89af264ae67dda695946890c76a8266a7d80352c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Hawkeye
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:RAT_HawkEye
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:win_hawkeye_keylogger_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_hawkeye_keylogger_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 41ecb3f14383b96d91d21bba29fbb17f0620b739c893cdc608c71a1c75584280

HawkEye

Executable exe 1ab199282785da53b5d473ab89af264ae67dda695946890c76a8266a7d80352c

(this sample)

  
Dropped by
MD5 766de73e722d81b7a2ce549611f0af36
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/32160/
  
Dropped by
SHA256 41ecb3f14383b96d91d21bba29fbb17f0620b739c893cdc608c71a1c75584280

Comments