MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e8a194ddc0f62c7c1cefa317877c8fb66f793c943c83e85265c2c6f86391145. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e8a194ddc0f62c7c1cefa317877c8fb66f793c943c83e85265c2c6f86391145
SHA3-384 hash: 2f34389bf5da69a086cbfa4e016a18af0dbb457e85011a0e0918318c008c7a8e8e6c10b3cce3a9bdac50ed3a22391f06
SHA1 hash: 41327f0b7c9f69d45483813eef1d5c6f037ad3f5
MD5 hash: 15367ca46cabe7ffb925400809e9f4ac
humanhash: single-wisconsin-xray-spring
File name:Payment_PO.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:601'600 bytes
First seen:2020-07-02 17:43:01 UTC
Last seen:2020-07-06 06:44:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:NpgRC883aijjoSAZQ8+owKrcHn+Bnys0TTmjClWTyiXEEVgGh8XgOgB4XK32wypx:DgRCda+1eU9H+hyV3mW82jLp6GjPF71
Threatray 349 similar samples on MalwareBazaar
TLSH 50D4CE1259AB1567C06B5F33F0E727A0C270072B17B69F2E397D9E8E1D932429523B4E
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: linux1587.grserver.gr
Sending IP: 185.138.42.100
From: Deutsche Bank <payment@db.com>
Reply-To: s.peters.edur@bk.ru
Subject: Re: PAYMENT.
Attachment: Payment_PO.zip (contains "Payment_PO.exe")

HawkEye SMTP exfil server:
server165.web-hosting.com:26

Intelligence

File Origin
# of uploads :
3
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Detection:
HawkEye
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18528/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WOX.29185.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e8a194ddc0f62c7c1cefa317877c8fb66f793c943c83e85265c2c6f86391145/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 17:44:08 UTC
File Type:
PE (.Net Exe)
AV detection:
30 of 48 (62.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2fbsto4b5rmpqoo7iyxq56i7ntppe6jiped5bjglqwg7brzcfcq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
24fe76a4e6cd5623f2326d2f43de09b9b6f4de236e80ea5aca50b76da888c0af
HawkEye
44b551b9810f2337cb67961cf3f3473d3c707bca3ceba083fd8dcca54a7cc750
HawkEye
648c45f4fd75ed8f4cd95520ea62803e7ee475daec97c217886c8f06fb1da0c6
HawkEye
a837374ed66cc50cb5760f0f948db288657fd0891687f43df9b9260dfb71449c
HawkEye
ad2a788b199dbb72ff808e2421f5663ad9553bc6bf144c2461993e13962d34d9
HawkEye
b69edb31667b041c81590e2eca6f768ff10aded76936192b517789dd1556e1be
HawkEye
e1bf95bd96a59075ac24eec7c47b3142361ea79c1fb68e2b6039212fba523449
HawkEye
ecc40ecb741be3a9d47f12ce79a322d6bbeb7b5ef3279bf167cd4fa9fde2d6aa
HawkEye
fa718d4b3b40365a1b8c2f88bdeed0314584aded478027b1ada83803dbda263d
HawkEye
fbe8accd8dd56e3e16dffca14dbb53a0fc1d810c7bb0ffb5b618f3bd57dde9c3
HawkEye
+ 339 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:hawkeye
Link:
https://tria.ge/reports/200702-57c892m8cj/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Uses the VBS compiler for execution
HawkEye
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Hawkeye
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:RAT_HawkEye
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:win_hawkeye_keylogger_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip bc96b57a65868a4107e25d173e62987ed9bf12c040c2c8e92fd753f7ba3959b1

HawkEye

Executable exe 6e8a194ddc0f62c7c1cefa317877c8fb66f793c943c83e85265c2c6f86391145

(this sample)

  
Dropped by
MD5 9cf8918b1a43f1aa57314dc5e0b92774
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bc96b57a65868a4107e25d173e62987ed9bf12c040c2c8e92fd753f7ba3959b1
Cape
Cape
https://www.capesandbox.com/analysis/18528/

Comments