MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5304e6da1ccd4a9dd899b87427d0d2e7bd51aee364cb79bb30774d0eb262b24a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5304e6da1ccd4a9dd899b87427d0d2e7bd51aee364cb79bb30774d0eb262b24a
SHA3-384 hash: cac4f029fea4e0ea4703120307c79bb79e6175b55af76cee09254d95ab956d65f60d5be877778d8c4bfd14f40d21aff1
SHA1 hash: 31395bcc1e65b94941043bb67c0ce547b39b502d
MD5 hash: cb7e0d4bf541ed65c8dde7f3cbc50859
humanhash: july-freddie-social-connecticut
File name:ttest.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:774'144 bytes
First seen:2020-10-02 04:15:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:gVQtqB5urTIoYWBQk1E+VF9mOx9qVIEcG+4djJSHcHySiNnF:gVQtqBorTlYWBhE+V3mOCCZQ8cHyJnF
Threatray 355 similar samples on MalwareBazaar
TLSH 67F4E003B3E04436E4FF0630557797329ABAB9701635CA0B97D81C8A6FB6391EA36347
Reporter vm001cn
Tags:HawkEye

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Detection:
PredatorPain
Create hunting rule
Link:
https://www.capesandbox.com/analysis/67622/
Detection(s):
Win.Malware.Unsafe-6623001-0
Create hunting rule

Win.Packed.Passwordstealera-6765350-0
Create hunting rule

Win.Virus.Sality-6832669-0
Create hunting rule

Win.Packed.Pswtool-6840731-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Launching a process
Reading critical registry keys
Deleting a recently created file
Unauthorized injection to a recently created process
Stealing user critical data
Deleting of the original file
Enabling a "Do not show hidden files" option
Unauthorized injection to a system process
Result
Threat name:
MailPassView PredatorPainRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/479918
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Yara detected MailPassView
Yara detected PredatorPainRAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5304e6da1ccd4a9dd899b87427d0d2e7bd51aee364cb79bb30774d0eb262b24a/
Threat name:
ByteCode-MSIL.Trojan.Golroted
Create hunting rule
Status:
Malicious
First seen:
2020-10-02 04:17:06 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kmconwq4zvfj3wezxb2cpugs466vdlxdmtfxtozqo5gq5mtcwjfa._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
05e7bf43e209ba607601f4c8f638c128537a7a48f5519f1192dac74a25b506c3
HawkEye
0be2fd26cdd52bc071b076fc7350077db4962173366192cbc9870df8b3cb234c
HawkEye
82ffa88d2b058317fcbc1af1c6fe06d7927be41ee28c7473a397f3db42670ca5
HawkEye
9ab98e8d67aa054c7d860cb54100954bfc5429cce7b4fb9bb1d69ddc3f43d2ce
HawkEye
a837374ed66cc50cb5760f0f948db288657fd0891687f43df9b9260dfb71449c
HawkEye
a8adfc7cca5bc0c9c90aae50e72e92122ac2efeb9307d38fc82c349f4ef5efcd
HawkEye
c708333db7d412d29df106d7ee49279876dc382a22f889fa942416844cdf5b58
HawkEye
d5886c42f7b8f77d036091616f0314f37e2db5c117aaa769ede368027fe7d43a
HawkEye
d88b00afe502517f9415ac41667410acfc0bdbd7d74389de73256aafd8f7d5eb
HawkEye
f644429ae879d41b7edfc6eed05d575b0b616c70327955e32d15875dcc3d5c49
HawkEye
+ 345 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:hawkeye
Link:
https://tria.ge/reports/201002-adjx8er2tx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Executes dropped EXE
HawkEye
Unpacked files
SH256 hash:
5304e6da1ccd4a9dd899b87427d0d2e7bd51aee364cb79bb30774d0eb262b24a
MD5 hash:
cb7e0d4bf541ed65c8dde7f3cbc50859
SHA1 hash:
31395bcc1e65b94941043bb67c0ce547b39b502d
Detections:
win_hawkeye_keylogger_auto
Create hunting rule
Link:
https://www.unpac.me/results/f8fceaa6-7a68-4f99-97eb-b7bd98128cab/
SH256 hash:
9f2d8507d23e9dfea8317f366ae968063e332c93635d1f6d1c75a6d7e5552f52
MD5 hash:
50ee178f951ab99681606ddc324f447e
SHA1 hash:
9134d7233daffdf68a0e148c50208027f7537b0d
Link:
https://www.unpac.me/results/f8fceaa6-7a68-4f99-97eb-b7bd98128cab/
Parent samples :
b8025d9ec1c56eef774e90a448c30efbeea547ff60cee57169680d832b76b7f4
5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f
aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331
db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06
91107f4a383ddb76d6fd153077d57c528551ace7385fb10db1bb3e46c3603b62
a9da341d9091c55b477f05cab496d006a58fec6e80eb9e8e86f6bff3d2c3b371
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
FakeMS
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5304e6da1ccd4a9dd899b87427d0d2e7bd51aee364cb79bb30774d0eb262b24a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RAT_PredatorPain
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects PredatorPain RAT
Reference:http://malwareconfig.com/stats/PredatorPain
Rule name:win_hawkeye_keylogger_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/67622/

Comments