MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51987a10ca5f5fbb1a0c7c9bef9a657471a7757b42a79d19e3a5aacc284593e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 6


Intelligence 6 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51987a10ca5f5fbb1a0c7c9bef9a657471a7757b42a79d19e3a5aacc284593e4
SHA3-384 hash: 3c066fd4433207ba8d4974cba316f4e440e875947f3443aa834c65f163079f969205b7bac434ff7750cf563c7c2d1857
SHA1 hash: 8258a52903466c7927b95fa150cbe0c771814887
MD5 hash: 06b6f8ad36896f1e84cc7866ca67549f
humanhash: spring-muppet-river-edward
File name:51987a10ca5f5fbb1a0c7c9bef9a657471a7757b42a79d19e3a5aacc284593e4
Download: download sample
Signature HawkEye
Create hunting rule
File size:1'208'320 bytes
First seen:2020-11-10 11:43:09 UTC
Last seen:2024-07-24 14:14:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 252cfd8922d6fe4778b93cd5e22bb630 (3 x HawkEye)
ssdeep 24576:/qw+OWj0jqihst0reonN/lhv2O9oWfZYENqYjiE:/qwFWj0jNU0reonNNnZ1m
Threatray 361 similar samples on MalwareBazaar
TLSH 7445025EEA14A6EDE09318BF102955F613FBBCAB6042FFD37913B2650432486B66CF41
Reporter seifreed
Tags:HawkEye

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Genkryptik-7115908-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/528395
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes the view of files in windows explorer (hidden files and folders)
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Generic Dropper
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313297 Sample: mtq4WgX12m Startdate: 10/11/2020 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 9 other signatures 2->38 7 mtq4WgX12m.exe 1 2->7         started        process3 signatures4 40 Detected unpacking (changes PE section rights) 7->40 42 Detected unpacking (overwrites its own PE header) 7->42 10 mtq4WgX12m.exe 15 6 7->10         started        process5 dnsIp6 26 72.245.12.0.in-addr.arpa 10->26 28 whatismyipaddress.com 104.16.154.36, 49760, 80 CLOUDFLARENETUS United States 10->28 30 5 other IPs or domains 10->30 44 Changes the view of files in windows explorer (hidden files and folders) 10->44 46 Writes to foreign memory regions 10->46 48 Allocates memory in foreign processes 10->48 50 3 other signatures 10->50 14 vbc.exe 1 10->14         started        17 vbc.exe 13 10->17         started        19 WerFault.exe 3 9 10->19         started        22 dw20.exe 22 6 10->22         started        signatures7 process8 file9 52 Tries to steal Mail credentials (via file registry) 14->52 54 Tries to steal Instant Messenger accounts or passwords 14->54 56 Tries to steal Mail credentials (via file access) 14->56 58 Tries to harvest and steal browser information (history, passwords, etc) 17->58 24 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->24 dropped signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51987a10ca5f5fbb1a0c7c9bef9a657471a7757b42a79d19e3a5aacc284593e4/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 12:38:38 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kgmhuegkl5p3wgqmpsn67gtfory2o5l3iktz2gpduwvmykcfspsa._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
1ab199282785da53b5d473ab89af264ae67dda695946890c76a8266a7d80352c
HawkEye
1d9d111f29910cc58f11b12919aa47d952a8dc6487f72d1b97fa7d38c36d5635
HawkEye
3437d274a51cf6848efb90c098c6593745aa40c04810541b0fff6260f41c847d
HawkEye
517a83a2bab64041edfcba42d9f2e407f50e8beaca0cbde44a250a790cf0c9c0
HawkEye
555028b1ee606e6d75d849940ceb77d3205fa196cf414370facdbce575f99d85
HawkEye
68101d145825fc980210f1f56638011d98eeaf5c53fb734b62a80dac6489f2e3
HawkEye
82ffa88d2b058317fcbc1af1c6fe06d7927be41ee28c7473a397f3db42670ca5
HawkEye
89ceb49c67e4f8f715b9eef4ad2b1fcac135da2560072c5f3449273f08a7f7bb
HawkEye
c708333db7d412d29df106d7ee49279876dc382a22f889fa942416844cdf5b58
HawkEye
f3eddaec4219ad7d3565593b9f3b28f4196b38d3c739a389683983add08ce48a
HawkEye
+ 351 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201110-qwydfc268j/
Behaviour
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Hawkeye
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:RAT_HawkEye
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:win_hawkeye_keylogger_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_hawkeye_keylogger_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments