MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a223f3097e572a00aa6f1029bbbb6d71d66bb5bbf239177d232dca3c7f9bf33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a223f3097e572a00aa6f1029bbbb6d71d66bb5bbf239177d232dca3c7f9bf33
SHA3-384 hash: 2794db61f082a05b80a1014619a96da1eab2c7981c0a16369ddf374167e925de65d856e8ed0a38b026cdbd9255eba4aa
SHA1 hash: 5e28c29f740842a5eee6f2717d25f86dd3b0f752
MD5 hash: 32ffae9524a6321051248e4313c91852
humanhash: uniform-california-triple-crazy
File name:SecuriteInfo.com.Trojan.MulDrop.1161.895.14575
Download: download sample
Signature HawkEye
Create hunting rule
File size:516'096 bytes
First seen:2020-08-01 19:36:35 UTC
Last seen:2020-08-02 07:34:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:wiC+3hdq+/6qpONWtWrnngnnnKnanxbY:wiC+xdq66NNWtWrnngnnnKnanxb
Threatray 1'507 similar samples on MalwareBazaar
TLSH FDB4E590A8535838CA244778BA7396B01DF9ECB0C907E67167207EF6F13BA20ED75572
Reporter SecuriteInfoCom
Tags:HawkEye

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/37120/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop.1161.23117.15469.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Connection attempt
Creating a window
Changing a file
Replacing files
DNS request
Sending an HTTP POST request
Deleting a recently created file
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun
Result
Threat name:
Lokibot Netwire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/406976
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes
Creates an undocumented autostart registry key
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255718 Sample: SecuriteInfo.com.Trojan.Mul... Startdate: 02/08/2020 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Yara detected Lokibot 2->45 47 4 other signatures 2->47 8 SecuriteInfo.com.Trojan.MulDrop.1161.895.exe 5 2->8         started        11 Host.exe 2->11         started        13 Host.exe 2->13         started        process3 file4 31 SecuriteInfo.com.T...op.1161.895.exe.log, ASCII 8->31 dropped 15 RegAsm.exe 12 8->15         started        process5 file6 33 C:\Users\user\AppData\Local\Temp\build.exe, PE32 15->33 dropped 35 C:\Users\user\AppData\...\StartUpHost.exe, PE32 15->35 dropped 18 StartUpHost.exe 2 15->18         started        22 build.exe 54 15->22         started        process7 dnsIp8 29 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 18->29 dropped 49 Contains functionality to log keystrokes 18->49 51 Machine Learning detection for dropped file 18->51 25 Host.exe 2 18->25         started        37 dresson1.com 204.11.56.48, 49717, 49719, 49720 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 22->37 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->53 55 Tries to steal Mail credentials (via file registry) 22->55 57 Tries to steal Mail credentials (via file access) 22->57 59 Tries to harvest and steal ftp login credentials 22->59 file9 signatures10 process11 dnsIp12 39 91.192.100.3, 1199, 49715, 49716 AS-SOFTPLUSCH Switzerland 25->39 61 Contains functionality to log keystrokes 25->61 63 Creates an undocumented autostart registry key 25->63 65 Machine Learning detection for dropped file 25->65 signatures13
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6a223f3097e572a00aa6f1029bbbb6d71d66bb5bbf239177d232dca3c7f9bf33/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2018-10-28 22:14:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
4300bf267e8d21ee9c7b0d906b2da7545cb5b670bc2506edc6ea97132eefe10e
HawkEye
6eb767d15a657e7d39c9534bbd4b24bcc9fb7d72b100b5456ac975a002ef93a9
HawkEye
70d991e7c073c8d0706a8daa9b78aa7684c8c856989b66b53f2a3b79dfa1f814
HawkEye
822551723b7ae035394003750ee9cd16e1c12af0e07067f7d0760bd99c110898
HawkEye
8d3c18b852f38c03b74ec7de7771a9f93e6f5e3aa44d3863567d984fed0c6d88
HawkEye
9a8b855058e1d8a31a302dfa49caa68baec7940553466f303a65c5eb032fb4e3
HawkEye
9e1de81ecb080a9d970953a62de72b6a83cc61776409098f1429c11032cbfa14
HawkEye
9eb4147d9fa5bdb1ad291e70ba7ff90fd005c2aa21ceaf4af8effbebc5cf4621
HawkEye
d206e433247d3a30148ee2232772dd5c0cbf958c079000f76aeadc43e03bddc2
HawkEye
e216062353c8bafbbed3e1fa3cd7d154aae43eec2011234f4e20ceb578237f69
HawkEye
+ 1'497 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:lokibot persistence
Link:
https://tria.ge/reports/200801-98s75eftva/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Lokibot
Malware Config
C2 Extraction:
http://dresson1.com/wip-admin/js/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HawkEye

Executable exe 6a223f3097e572a00aa6f1029bbbb6d71d66bb5bbf239177d232dca3c7f9bf33

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/118417/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/420130/
Cape
Cape
https://www.capesandbox.com/analysis/37120/

Comments