MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 536aabc78e3dd5a4577cdbacacb57fb38984e125393c4f3e6d11ae40e5a1bbf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: 536aabc78e3dd5a4577cdbacacb57fb38984e125393c4f3e6d11ae40e5a1bbf7
SHA3-384 hash: d7a0e5774c9f905a80946ec81230e233d3fd706d0e795f392e043f6f3af6a5635dc3252fe5b7c1571a0c36a7a67e69a6
SHA1 hash: 02ee790415992ecc24a38057f8007be2738492b8
MD5 hash: 4bc018a505cbe56b05f093a268cf5614
humanhash: nebraska-michigan-rugby-nevada
File name: order30JUN2020.exe
Download: download sample
Signature: HawkEye
File size: 939'008 bytes
First seen: 2020-06-30 13:02:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 24f26e153c9b6068c0a4770547eb6d9e
ssdeep: 12288:XCbpcLhilrm7G8oclWEAroCo3DQmTSaL9M68LkHkQztXbcSsGVVS5/mFQoMSeCyL:ouLhi80Jro7txGLkHkEtXjsEJ3MXC+
TLSH: 4D155A15EEE0CC3EF06E7639D82F56F8652DED10E82858479E97FC487B386422536362
Reporter: @abuse_ch
Tags: exe HawkEye


Twitter (@abuse_ch):
Malspam distributing HawkEye:

HELO: mgit.mgit.me
Sending IP: 198.57.188.152
From: Purchasing Manager <junu@archtsqatar.com>
Reply-To: dh_derhawk@126.com
Subject: Re:ORDER-04350316//4183000102292563
Attachment: order30JUN2020.zip (contains "order30JUN2020.exe")

HawkEye SMTP exfil server:
smtp.yandex.com:587

Intelligence

Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 27
Origin country: US
CAPE Sandbox Detection: n/a
Link: https://www.capesandbox.com/analysis/17179/
ClamAV:
SecuriteInfo.com.Win32.Herz.B.23927.UNOFFICIAL
PUA.Win.Adware.Slugin-6803969-0
PUA.Win.Adware.Slugin-6840354-0
SecuriteInfo.com.Variant.Zusy.307895.13627.19246.UNOFFICIAL
CERT.PL MWDB Detection: n/a
Link: https://mwdb.cert.pl/sample/536aabc78e3dd5a4577cdbacacb57fb38984e125393c4f3e6d11ae40e5a1bbf7/
ReversingLabs:
Status: Malicious
Threat name: Win32.Trojan.Injector
First seen: 2020-06-30 13:04:07 UTC
AV detection: 23 of 31 (74.19%)
Threat level: 5/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage:
Score: 10/10
Malware Family: hawkeye
Link: https://tria.ge/reports/200630-sgf89n7h8a/
Tags: keylogger trojan stealer spyware family:hawkeye persistence evasion
VirusTotal: VirusTotal results 52.05%

Yara Signatures

Rule name: Hawkeye
Author: JPCERT/CC Incident Response Group
Description: detect HawkEye in memory
Reference: internal research

Rule name: RAT_HawkEye
Author: Kevin Breen <kevin@techanarchy.net>
Description: Detects HawkEye RAT
Reference: http://malwareconfig.com/stats/HawkEye

Rule name: win_hawkeye_keylogger_w0
Author: Kevin Breen <kevin@techanarchy.net>

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Parent sample (MD5): fd30f42f058fc1ef0acadbef45c12f00
Signature: HawkEye
This sample: Executable exe 536aabc78e3dd5a4577cdbacacb57fb38984e125393c4f3e6d11ae40e5a1bbf7
Dropped by: MD5 fd30f42f058fc1ef0acadbef45c12f00
Delivery method: Distributed via e-mail attachment

Comments