MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54fa4651e925e0fd845ca5652d57a010c26e4ab799211b8d3299cbb7dec35ae8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54fa4651e925e0fd845ca5652d57a010c26e4ab799211b8d3299cbb7dec35ae8
SHA3-384 hash: 72c253f61c86241a793419ff192a14a8b5c788d07cb49bdc7d98006ecac558173dd5c3b31b70b00be97e88368898bcfd
SHA1 hash: 65f99e529982f1c1a5cf9eb59f60edfeecdf2eec
MD5 hash: 9b8ec9e094676d88b02f038f318afd86
humanhash: item-spring-magazine-leopard
File name:9b8ec9e094676d88b02f038f318afd86
Download: download sample
Signature HawkEye
Create hunting rule
File size:663'994 bytes
First seen:2022-03-11 10:54:50 UTC
Last seen:2022-03-11 12:56:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:GQJXYVHSW04C0lbXeur5Du1R3biE7h/j5F2Tpt/nGw:sVHVC0lbXUGEBjn27n
Threatray 879 similar samples on MalwareBazaar
TLSH T176E423D759A63E7FD4C0A63795721B21AF38E38461E527C76B6C3F2F352230264A84E1
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:exe HawkEye

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
hawkeye
Create hunting rule
ID:
1
File name:
9b8ec9e094676d88b02f038f318afd86
Verdict:
Suspicious activity
Analysis date:
2022-03-11 10:54:32 UTC
Tags:
installer keylogger hawkeye stealer
Link:
https://app.any.run/tasks/98e8ab8f-1263-445d-b66f-e78a6aa354f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
HawkEye
Create hunting rule
Link:
https://www.capesandbox.com/analysis/249375/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.23110.11852.772.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Enabling a "Do not show hidden files" option
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/622b2a8b0cd58dbd927d825a/reports/03bf8b1d-bda1-441c-a25b-16f0c934048d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
HawkEye
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d216b8b-bd5e-407d-83b3-57b2c7c0409a
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/954807
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Detected HawkEye Rat
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 587288 Sample: TGQfHfehsY Startdate: 11/03/2022 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 7 other signatures 2->37 8 TGQfHfehsY.exe 18 2->8         started        process3 file4 23 C:\Users\user\AppData\Local\Temp\pjavpo.exe, PE32 8->23 dropped 11 pjavpo.exe 8->11         started        process5 signatures6 47 May check the online IP address of the machine 11->47 14 pjavpo.exe 15 6 11->14         started        process7 dnsIp8 25 ftp.manchutimefashion.com 66.70.204.222, 21, 49782, 49783 OVHFR Canada 14->25 27 104.16.154.36, 443, 49772 CLOUDFLARENETUS United States 14->27 29 2 other IPs or domains 14->29 49 Changes the view of files in windows explorer (hidden files and folders) 14->49 51 Writes to foreign memory regions 14->51 53 Allocates memory in foreign processes 14->53 55 2 other signatures 14->55 18 vbc.exe 1 14->18         started        21 vbc.exe 2 14->21         started        signatures9 process10 signatures11 39 Tries to steal Mail credentials (via file registry) 18->39 41 Tries to steal Instant Messenger accounts or passwords 18->41 43 Tries to steal Mail credentials (via file / registry access) 18->43 45 Tries to harvest and steal browser information (history, passwords, etc) 21->45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/54fa4651e925e0fd845ca5652d57a010c26e4ab799211b8d3299cbb7dec35ae8/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-11 10:55:12 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kt5emupjexqp3bc4uvss2v5acdbg4svxteqrxdjsthf3pxwdllua._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
047f33e6f83796d9fc056d7006a6e8ef69696d63eceb29fb1592bb13a62e79bf
HawkEye
1814342a47e6ea264ef34d80e36d9363a83d4a2d09a6eaf8fb2759f59697dd74
HawkEye
2c6df9a84b482c1dd1af8ee142ccdfeab23234a8507f3cc637aee9161a6c58b8
HawkEye
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
HawkEye
c1cd0692836798f5cb7e9335f4547a2650b77cf456193cbe7e384906a20c0603
HawkEye
ed133e3bc6f781c4a981f93c180e38c70572ad80e48c12294585767e583b9d0f
HawkEye
+ 869 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220311-mz476shbd2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Looks up external IP address via web service
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
HawkEye
Unpacked files
SH256 hash:
54fa4651e925e0fd845ca5652d57a010c26e4ab799211b8d3299cbb7dec35ae8
MD5 hash:
9b8ec9e094676d88b02f038f318afd86
SHA1 hash:
65f99e529982f1c1a5cf9eb59f60edfeecdf2eec
Link:
https://www.unpac.me/results/b5076028-f247-4eac-a755-c46f1f6d981f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/54fa4651e925e0fd845ca5652d57a010c26e4ab799211b8d3299cbb7dec35ae8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

Executable exe 54fa4651e925e0fd845ca5652d57a010c26e4ab799211b8d3299cbb7dec35ae8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/249375/

Comments