MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3822d27d679a8a6ed258783c32000566819f58779cdb911c36e122fe902950f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3822d27d679a8a6ed258783c32000566819f58779cdb911c36e122fe902950f2
SHA3-384 hash: 74e0bf3dfc4fe90361fa1b41477a8b85879ca3f52eaa75c381cbb19501de41a1d884366711be6e93229a1087ec76c567
SHA1 hash: e56d56fd478c8e74d81a74c8f15ca7ac3fc501c4
MD5 hash: b934fc6cc0c384172bebd09853d20bb5
humanhash: paris-november-xray-bacon
File name:company certificate.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:79'520 bytes
First seen:2020-10-10 07:01:38 UTC
Last seen:2020-10-10 08:04:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:XZfL2KjYGJ65MEOpk0w22DiKiiGmwlMwjKkt7gIsJUfY:XZfLbjdKrc+DNiiGmPG7gVf
Threatray 397 similar samples on MalwareBazaar
TLSH 9873C7076005FA1BCBBB1A301A97EC643BB1D6B18851D16D98E05ADCCF4256A3D9F8CF
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: gvg-redsun.com
Sending IP: 58.213.91.113
From: Johnason_Chen <ccp@chinaredsun.com>
Subject: ATTACHED FILE PRODUCTS NEEDED PLEASE
Attachment: Products_Pictures_logo_Designs_ pdf.zip (contains "company certificate.exe")

HawkEye SMTP exfil server:
smtp.hugeoutcome.com:587

HawkEye SMTP exfil email address:
no_reply@hugeoutcome.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Detection:
HawkEye
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69712/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487434
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected HawkEye Rat
Drops PE files to the startup folder
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 296160 Sample: company certificate.exe Startdate: 10/10/2020 Architecture: WINDOWS Score: 100 57 smtp.hugeoutcome.com 2->57 59 pastebin.com 2->59 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 16 other signatures 2->75 8 company certificate.exe 18 4 2->8         started        13 company certificate.exe 2 2->13         started        15 company certificate.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 65 pastebin.com 104.23.98.190, 443, 49747, 49772 CLOUDFLARENETUS United States 8->65 53 C:\Users\user\...\company certificate.exe, PE32 8->53 dropped 55 company certificate.exe:Zone.Identifier, ASCII 8->55 dropped 81 Creates an undocumented autostart registry key 8->81 83 Creates autostart registry keys with suspicious names 8->83 85 Creates multiple autostart registry keys 8->85 87 2 other signatures 8->87 19 company certificate.exe 4 8->19         started        23 timeout.exe 1 8->23         started        25 WerFault.exe 23 9 8->25         started        27 company certificate.exe 8->27         started        67 104.23.99.190, 443, 49768, 49769 CLOUDFLARENETUS United States 13->67 29 timeout.exe 13->29         started        31 timeout.exe 15->31         started        33 timeout.exe 17->33         started        35 timeout.exe 17->35         started        37 timeout.exe 17->37         started        file6 signatures7 process8 dnsIp9 61 9.96.11.0.in-addr.arpa 19->61 63 192.168.2.1 unknown unknown 19->63 77 Changes the view of files in windows explorer (hidden files and folders) 19->77 79 Installs a global keyboard hook 19->79 39 WerFault.exe 19->39         started        41 conhost.exe 23->41         started        43 conhost.exe 29->43         started        45 conhost.exe 31->45         started        47 conhost.exe 33->47         started        49 conhost.exe 35->49         started        51 conhost.exe 37->51         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3822d27d679a8a6ed258783c32000566819f58779cdb911c36e122fe902950f2/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-10 01:03:29 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=harne7lhtkfg5usypa6deaafm2az6wdxttnzchbw4erp5ebjkdza._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
00a8e89cdd91a236a1e462ee34e090807a52af43cb41509b84685a06b40f3a5e
HawkEye
0be2fd26cdd52bc071b076fc7350077db4962173366192cbc9870df8b3cb234c
HawkEye
77728dc00d957e7c3a175b58f539ed1ce895595832f3ff527aac52a10b185565
HawkEye
866e522886833782a25f4c9cdb823a29f3a4d1e8b26eef03ed271af7b991eae5
HawkEye
9ab98e8d67aa054c7d860cb54100954bfc5429cce7b4fb9bb1d69ddc3f43d2ce
HawkEye
a837374ed66cc50cb5760f0f948db288657fd0891687f43df9b9260dfb71449c
HawkEye
ab4c9019f3f231fdedb61a280f15eb7cc83d76d6f1ee9a0ad2dc363386650016
HawkEye
d5886c42f7b8f77d036091616f0314f37e2db5c117aaa769ede368027fe7d43a
HawkEye
eccca8a3f4c7a1ec13665137759fe722aceef7a1688f92c8a4c7796f6d85237f
HawkEye
f1a630f7b8387dc08f1c516b7e79c2d7099fcc47ab529902807d471e683a909b
HawkEye
+ 387 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
evasion persistence keylogger trojan stealer spyware family:hawkeye
Link:
https://tria.ge/reports/201010-he8l6jw7ya/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
HawkEye
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
3822d27d679a8a6ed258783c32000566819f58779cdb911c36e122fe902950f2
MD5 hash:
b934fc6cc0c384172bebd09853d20bb5
SHA1 hash:
e56d56fd478c8e74d81a74c8f15ca7ac3fc501c4
Link:
https://www.unpac.me/results/abf17da3-24d7-43bf-b42c-d414cdad724d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3822d27d679a8a6ed258783c32000566819f58779cdb911c36e122fe902950f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip 58c3e15911b23e6a99e13616ceb07b43c682887d0b463806a44f789c8119e4fe

HawkEye

Executable exe 3822d27d679a8a6ed258783c32000566819f58779cdb911c36e122fe902950f2

(this sample)

  
Dropped by
MD5 796bb2c2fb582f0a0893313475df50be
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69712/
  
Dropped by
SHA256 58c3e15911b23e6a99e13616ceb07b43c682887d0b463806a44f789c8119e4fe

Comments