MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 44f88f1551622a78e7e0cb6cb04b810ce4c58a1dbd6039b1f7248b579e8f9095. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
HawkEye
Vendor detections: 10
| SHA256 hash: | 44f88f1551622a78e7e0cb6cb04b810ce4c58a1dbd6039b1f7248b579e8f9095 |
|---|---|
| SHA3-384 hash: | cd665826b49f3b167704d2b137611d7fce31dfbe91fd3654ca3c40203c2aa5b57979a0b11133aa1d53b76a5bddd577ed |
| SHA1 hash: | b0cdfe5a254ef6d13e83461b6a04c91cc0c88d13 |
| MD5 hash: | 2eedf37ed7d943d6a255912e7e14ae49 |
| humanhash: | five-summer-twenty-bulldog |
| File name: | CF.exe |
| Signature: | HawkEye |
| File size: | 1'052'672 bytes |
| First seen: | 2020-10-12 12:59:11 UTC |
| Last seen: | 2020-10-12 13:45:27 UTC |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | f99213dd506afd8076aebedd67ac780d (1 x HawkEye) |
| ssdeep: | 12288:HFCn/OHU3LQCIkq06XPZ2rlgbSepAKEkNHgvr2PzKH9k78m1gYZW1DSaTppPinI7:HiBbQCIkqQrIvpmqui79WFE69wIgY8S |
| Threatray: | 2'038 similar samples on MalwareBazaar |
| TLSH: | 4525D062E2A14837C1B32A7C9D1B56B49835BE103E2868C76BF5DC4C9F396913D1E387 |
| Reporter: | |
| Tags: | exe HawkEye |
Intelligence
File Origin
Uploads: 2
Downloads: 99
Origin country: n/a
Vendor Threat Intelligence
Detection: HawkEyev9
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
DNS request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name: HawkEye MailPassView
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected Keylogger Generic
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-10-10 01:06:13 UTC
File Type: PE (Exe)
Extracted files: 39
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Detection(s): Suspicious file
Verdict: malicious
Label(s): hawkeyekeylogger
Similar samples: + 2'028 additional samples on MalwareBazaar
Result
Malware family: hawkeye_reborn
Score: 10/10
Tags: upx spyware stealer family:m00nd3v_logger keylogger trojan family:hawkeye_reborn
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Uses the VBS compiler for execution
UPX packed file
M00nD3v Logger Payload
HawkEye Reborn
M00nd3v_Logger
Unpacked files
SHA256 hash: 44f88f1551622a78e7e0cb6cb04b810ce4c58a1dbd6039b1f7248b579e8f9095
MD5 hash: 2eedf37ed7d943d6a255912e7e14ae49
SHA1 hash: b0cdfe5a254ef6d13e83461b6a04c91cc0c88d13
SHA256 hash: 414f642cc634c8f9fe744110f2add77ed0bb2251a8e73c586803ae943f7aeeef
MD5 hash: dddc5f4656eb88cdcfb211481cb8fe93
SHA1 hash: de141904a38bb42fd37e9a6a67646c2190e9e998
Detections: win_hawkeye_keylogger_g0
Parent samples :
SHA256 hash:
400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
MD5 hash: 54e8ded7b148a13d3363ac7b33f6eb06
SHA1 hash: 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
SHA256 hash:
54241d67c33e245742af873dc6e61558b837618a3c03eb055695587e3ddf8740
MD5 hash: b15ffed0dc3932b66ab628d422b18f70
SHA1 hash: 99e0ea3021640282792f2914a4d7e6626fca9df8
Detections: win_hawkeye_keylogger_auto
Parent samples :
SHA256 hash:
e6ad1a92f06a4ec4847d2d40623131fdd237b1c013f93f77d4d28d568edcad06
MD5 hash: 1001f375be22e77a232e8836ea3721ed
SHA1 hash: d7e960a487023fac393aa6f5943ef473fdcaa6ae
Detections: win_hawkeye_keylogger_auto
Parent samples :
SHA256 hash:
4924e0c81fdb47ac113b81db0fbd01c3bb63ec066e86fdc1adf3667e7eac6590
MD5 hash: 8538307d9843dde06fbb3700770538ff
SHA1 hash: 85d7ea52f71c2d1f0fb3da8b5c9f1ddeb41d5159
Detections: win_hawkeye_keylogger_g0
Parent samples :
Note that we are no longer able to provide a coverage score for VirusTotal.
Threat name: Lokibot
Score: 1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Other