MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 536aabc78e3dd5a4577cdbacacb57fb38984e125393c4f3e6d11ae40e5a1bbf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 536aabc78e3dd5a4577cdbacacb57fb38984e125393c4f3e6d11ae40e5a1bbf7
SHA3-384 hash: d7a0e5774c9f905a80946ec81230e233d3fd706d0e795f392e043f6f3af6a5635dc3252fe5b7c1571a0c36a7a67e69a6
SHA1 hash: 02ee790415992ecc24a38057f8007be2738492b8
MD5 hash: 4bc018a505cbe56b05f093a268cf5614
humanhash: nebraska-michigan-rugby-nevada
File name:order30JUN2020.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:939'008 bytes
First seen:2020-06-30 13:02:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 24f26e153c9b6068c0a4770547eb6d9e (14 x Loki, 7 x AgentTesla, 2 x Formbook)
ssdeep 12288:XCbpcLhilrm7G8oclWEAroCo3DQmTSaL9M68LkHkQztXbcSsGVVS5/mFQoMSeCyL:ouLhi80Jro7txGLkHkEtXjsEJ3MXC+
Threatray 349 similar samples on MalwareBazaar
TLSH 4D155A15EEE0CC3EF06E7639D82F56F8652DED10E82858479E97FC487B386422536362
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: mgit.mgit.me
Sending IP: 198.57.188.152
From: Purchasing Manager <junu@archtsqatar.com>
Reply-To: dh_derhawk@126.com
Subject: Re:ORDER-04350316//4183000102292563
Attachment: order30JUN2020.zip (contains "order30JUN2020.exe")

HawkEye SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17179/
Detection(s):
SecuriteInfo.com.Win32.Herz.B.23927.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Variant.Zusy.307895.13627.19246.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/536aabc78e3dd5a4577cdbacacb57fb38984e125393c4f3e6d11ae40e5a1bbf7/
Threat name:
Win32.Trojan.DelfFareIt
Create hunting rule
Status:
Malicious
First seen:
2020-06-30 13:04:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=knvkxr4ohxk2iv343owkznl7woeyjyjfhe6e6ptncgxebznbxp3q._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
18b5e8b21a0feba19538fd26046557f1b5ae22e93cf99adb92122254b8c72f3e
HawkEye
3dbc13f74f3ce33aad9985eb2cd06a636e09c1f4581c1d59dcdebfd7efb4e9fd
HawkEye
488c81c6de7f2f8d5b81e8089d08bb84c9e61e1914edceb10a9349b31e15c93c
HawkEye
60a50c08aad635ae204be365b12b1dce34134c62b25c74aa5dc4a2e02aa75771
HawkEye
79b1e929f10bf44515921941df55c5d98f5cf82b2be8727c2ebb4291e664de81
HawkEye
84684c3af14bee4d80ffe6ef27ac50f3e36d94212019810e4aed70fe0717c098
HawkEye
9af42638628323098b6873eee65103c97fa1ff971d6640323ab4a5290edc71c2
HawkEye
a2966a3e5a7753ea245a9e5228cf96d631e15a3777a5b2550724bed0f646784a
HawkEye
da2e87ff6e505f0e64c3804f5355d693d9fd69e71916812f75bcd43b6cd445ec
HawkEye
eecbe758a692cc70ab127dc524c1b63d687c875795ebc6a62145f58686da0c71
HawkEye
+ 339 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:hawkeye persistence evasion
Link:
https://tria.ge/reports/200630-sgf89n7h8a/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Modifies system certificate store
Adds Run entry to start application
Looks up external IP address via web service
Uses the VBS compiler for execution
Deletes itself
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
UPX packed file
HawkEye
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Hawkeye
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:RAT_HawkEye
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:win_hawkeye_keylogger_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

fd30f42f058fc1ef0acadbef45c12f00

HawkEye

Executable exe 536aabc78e3dd5a4577cdbacacb57fb38984e125393c4f3e6d11ae40e5a1bbf7

(this sample)

  
Dropped by
MD5 fd30f42f058fc1ef0acadbef45c12f00
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/17179/

Comments