MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528
SHA3-384 hash: 6749d277b597d9f1c270d50040b69ba0a6da0559c7cf7b0df3947d834b63774f6eec007ef8c1397bd25ed296d4436b91
SHA1 hash: e7de8b81872b571e9e0fe6dcc48c94dfe8d50318
MD5 hash: 357b5f06e0a084f8c37e6a38afa29c76
humanhash: xray-cup-sodium-delta
File name:357b5f06e0a084f8c37e6a38afa29c76.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:44'288'632 bytes
First seen:2025-03-08 01:35:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c6dbb131782e0c263801e98caff36788 (1 x NanoCore, 1 x HawkEye)
ssdeep 786432:M129ofpkXbsydPnpeWjrqBqe4k51vJ8EhsI14StdNoIvTe3HzuREJgIkH5:Y29AwsydPnpXqBq4pmEhh4Sj9Te3TGEk
TLSH T1D2A733825EC0ABC5F1DEF2B7CCE6CBDB708030D55D4992A66A30D509F5A6B590B38B13
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
HawkEye C2:
http://www.orway.bplaced.net/pony/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://www.orway.bplaced.net/pony/gate.php https://threatfox.abuse.ch/ioc/1443935/

Intelligence

File Origin
# of uploads :
1
# of downloads :
540
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
pony
Create hunting rule
ID:
1
File name:
357b5f06e0a084f8c37e6a38afa29c76.exe
Verdict:
Malicious activity
Analysis date:
2025-03-08 01:38:21 UTC
Tags:
delphi inno installer fareit pony stealer trojan
Link:
https://app.any.run/tasks/082ee721-f557-47df-a727-12f2374f43b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cb9fc6c8d04e92a4bff53f
Tags:
autorun autoit lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
explorer installer lolbin microsoft_visual_cc packed packer_detected rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/67cb9f1eb32a56d0c2cef366/reports/d2f7cb03-a627-4ca2-81bd-5bdb74f952c0/overview
Verdict:
Malicious
Labled as:
QD:Trojan.GenericQ
Link:
https://www.hybrid-analysis.com/sample/72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
30 / 100
Link:
https://www.joesandbox.com/analysis/1632488
Signature
Antivirus / Scanner detection for submitted sample
Creates an undocumented autostart registry key
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1632488 Sample: l3I8bTTmUM.exe Startdate: 08/03/2025 Architecture: WINDOWS Score: 30 52 Antivirus / Scanner detection for submitted sample 2->52 54 Multi AV Scanner detection for submitted file 2->54 9 l3I8bTTmUM.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        process3 file4 46 C:\Users\user\AppData\Local\Temp\...\divx.exe, PE32 9->46 dropped 48 C:\Users\user\AppData\Local\...\CODECP~1.EXE, PE32+ 9->48 dropped 14 divx.exe 2 9->14         started        process5 file6 50 C:\Users\user\AppData\Local\Temp\...\divx.tmp, PE32 14->50 dropped 17 divx.tmp 511 284 14->17         started        process7 file8 38 C:\Windows\system32\xvidvfw.dll (copy), PE32+ 17->38 dropped 40 C:\Windows\system32\xvidcore.dll (copy), PE32+ 17->40 dropped 42 C:\Windows\system32\x264vfw64.dll (copy), PE32+ 17->42 dropped 44 290 other files (none is malicious) 17->44 dropped 56 Creates an undocumented autostart registry key 17->56 21 regsvr32.exe 33 17->21         started        24 regsvr32.exe 17->24         started        26 regsvr32.exe 17->26         started        28 17 other processes 17->28 signatures9 process10 signatures11 58 Creates an undocumented autostart registry key 21->58 30 conhost.exe 28->30         started        32 conhost.exe 28->32         started        34 conhost.exe 28->34         started        36 conhost.exe 28->36         started        process12
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528
Gathering data
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-03-03 04:20:08 UTC
File Type:
PE+ (Exe)
Extracted files:
778
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=okspqavaqgahn4ap356kc4ipvuhtkjcoi4vhjbc7tt3mezcmyuua._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
autoit
Create hunting rule
admintool_powerrun
Create hunting rule
admintool_mailpassview
Create hunting rule
nirsoft
Create hunting rule
pony
Create hunting rule
Similar samples:
error
HawkEye
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet family:hawkeye family:pony botnet:spreadddd collection credential_access defense_evasion discovery keylogger persistence privilege_escalation rat spyware stealer trojan upx
Link:
https://tria.ge/reports/250308-bzvg7azrs9/
Behaviour
Checks processor information in registry
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
AutoIT Executable
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Indicator Removal: File Deletion
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Uses the VBS compiler for execution
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Darkcomet
Darkcomet family
HawkEye
Hawkeye family
Pony family
Pony,Fareit
Malware Config
C2 Extraction:
http://www.orway.bplaced.net/pony/gate.php
http://www.socialnetwork-toolbase.de/ucs/pny/gate.php
http://btcminer.ddns.net/pony/gate.php
852000.ddns.net:1604
btcminer.ddns.net:1604
p2k15.ddns.net:1604
Verdict:
Malicious
Tags:
stealer redline
YARA:
detect_Redline_Stealer win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/2ba502e6-a7e8-4e85-b46e-1a305cfceefa
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/72a4f802a081/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
HawkEye Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments