MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 746d8f96f8153a4e45bb998ec885c82ffa1b4aaa18eb1381db2a2ed851e876cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 16


Intelligence 16 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 746d8f96f8153a4e45bb998ec885c82ffa1b4aaa18eb1381db2a2ed851e876cc
SHA3-384 hash: 9298a253b23e985589382d9935663588a700c395d78b507506633bf2cff227159c60ce6883d6f0e6051cc45956e6ca27
SHA1 hash: acd00215d93e8e81d32e10d0a88127da4133c1da
MD5 hash: 42975e59f70448efb621c1f9c4bca01b
humanhash: network-fifteen-hydrogen-alpha
File name:746d8f96f8153a4e45bb998ec885c82ffa1b4aaa18eb1381db2a2ed851e876cc
Download: download sample
Signature HawkEye
Create hunting rule
File size:532'992 bytes
First seen:2023-07-10 09:37:27 UTC
Last seen:2023-07-10 10:09:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:uuaqLk33bS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9v:y33QtqB5urTIoYWBQk1E+VF9mOx9Vi
Threatray 668 similar samples on MalwareBazaar
TLSH T10DB49D03B3D14436D4BF0530677757729BBABE301632C91B87E818896EB6291BA37387
TrID 40.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
23.8% (.EXE) InstallShield setup (43053/19/16)
9.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.2% (.SCR) Windows screen saver (13097/50/3)
5.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 414555c0d4d44503 (15 x njrat, 14 x BlackNET, 8 x Lucifer)
Reporter adrian__luca
Tags:exe HawkEye

Intelligence

File Origin
# of uploads :
2
# of downloads :
295
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
hawkeye
Create hunting rule
ID:
1
File name:
746d8f96f8153a4e45bb998ec885c82ffa1b4aaa18eb1381db2a2ed851e876cc
Verdict:
Malicious activity
Analysis date:
2023-07-10 10:42:29 UTC
Tags:
stealer installer evasion hawkeye keylogger trojan
Link:
https://app.any.run/tasks/630e10a9-7d53-4f84-b2e7-58c34ffb3e46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
HawkEye
Create hunting rule
Link:
https://www.capesandbox.com/analysis/413455/
Detection(s):
Win.Trojan.Ursu-9794867-0
Create hunting rule

Win.Tool.WebBrowserPassView-9831120-0
Create hunting rule

Win.Trojan.NirsoftStealer-9905975-1
Create hunting rule

Win.Trojan.Generic-9936184-0
Create hunting rule

Win.Virus.Sality-6832669-0
Create hunting rule

Win.Packed.Pswtool-6840731-0
Create hunting rule

Win.Packed.Passwordstealera-6765350-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% directory
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling a "Do not show hidden files" option
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm control crypto fingerprint greyware hawkeye keylogger lolbin msconfig net packed packed rat regedit shell32 stealer update
Link:
https://www.filescan.io/uploads/64abd1804b573cca625dbddc/reports/2cef2b50-9597-492e-b887-a3b8d79a165e/overview
Verdict:
Malicious
Labled as:
TSPY_HAWEYE.SM
Link:
https://www.hybrid-analysis.com/sample/746d8f96f8153a4e45bb998ec885c82ffa1b4aaa18eb1381db2a2ed851e876cc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
HawkEye
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53221f9e-300a-4f80-a039-0f8f6b8f17ea
Result
Threat name:
HawkEye, MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1270245
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to modify clipboard data
Detected HawkEye Rat
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1270245 Sample: sRajOgHKr6.exe Startdate: 10/07/2023 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 10 other signatures 2->50 6 sRajOgHKr6.exe 16 8 2->6         started        11 WindowsUpdate.exe 4 2->11         started        13 WindowsUpdate.exe 14 6 2->13         started        process3 dnsIp4 32 104.16.155.36, 443, 49680, 49690 CLOUDFLARENETUS United States 6->32 34 whatismyipaddress.com 104.16.154.36, 443, 49679, 49691 CLOUDFLARENETUS United States 6->34 36 158.157.4.0.in-addr.arpa 6->36 28 C:\Users\user\AppData\...\WindowsUpdate.exe, PE32 6->28 dropped 30 C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII 6->30 dropped 52 May check the online IP address of the machine 6->52 54 Changes the view of files in windows explorer (hidden files and folders) 6->54 56 Writes to foreign memory regions 6->56 66 3 other signatures 6->66 15 vbc.exe 1 6->15         started        18 dw20.exe 19 6 6->18         started        20 WerFault.exe 6->20         started        22 vbc.exe 6->22         started        38 127.0.0.1 unknown unknown 11->38 58 Antivirus detection for dropped file 11->58 60 Multi AV Scanner detection for dropped file 11->60 62 Machine Learning detection for dropped file 11->62 24 dw20.exe 7 11->24         started        40 192.168.2.1 unknown unknown 13->40 42 158.157.4.0.in-addr.arpa 13->42 64 Installs a global keyboard hook 13->64 26 dw20.exe 13->26         started        file5 signatures6 process7 signatures8 68 Tries to steal Mail credentials (via file registry) 15->68 70 Tries to steal Instant Messenger accounts or passwords 15->70 72 Tries to steal Mail credentials (via file / registry access) 15->72 74 Contains functionality to modify clipboard data 15->74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/746d8f96f8153a4e45bb998ec885c82ffa1b4aaa18eb1381db2a2ed851e876cc/
Threat name:
ByteCode-MSIL.Trojan.Golroted
Create hunting rule
Status:
Malicious
First seen:
2023-07-10 09:38:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
57
AV detection:
34 of 38 (89.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=orwy7fxycu5e4rn3tghmrboif75bwsvkddvrhao3fixnqupio3ga._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
1f998c6032159b469178389d2cc6debf14c810bd11b3be86a374ee7608d11cac
HawkEye
4e08d3d7a3ecb630ccf016f97a79aab7f44b255484737d574599c25acf0952b2
HawkEye
50652d32574ff07ff24c14eacf1170e224d60c19dbd2752672bd2a90901a6667
HawkEye
54fa4651e925e0fd845ca5652d57a010c26e4ab799211b8d3299cbb7dec35ae8
HawkEye
647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712
HawkEye
f0e2be29b4f60291bb5e95eb8e23794502c74d7daff6754762ba486cf92f4c4f
HawkEye
+ 658 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230710-ll3lrahf59/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Looks up external IP address via web service
Uses the VBS compiler for execution
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
HawkEye
Unpacked files
SH256 hash:
746d8f96f8153a4e45bb998ec885c82ffa1b4aaa18eb1381db2a2ed851e876cc
MD5 hash:
42975e59f70448efb621c1f9c4bca01b
SHA1 hash:
acd00215d93e8e81d32e10d0a88127da4133c1da
Detections:
win_hawkeye_keylogger_w0
Create hunting rule
win_hawkeye_keylogger_auto
Create hunting rule
win_hawkeye_keylogger_g0
Create hunting rule
Link:
https://www.unpac.me/results/c470b9a5-9aac-4e00-bdc7-aa2a4813df5f/
Parent samples :
1f998c6032159b469178389d2cc6debf14c810bd11b3be86a374ee7608d11cac
746d8f96f8153a4e45bb998ec885c82ffa1b4aaa18eb1381db2a2ed851e876cc
Malware family:
HawkEye
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/746d8f96f815/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HKTL_NET_GUID_Stealer
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects c# red/black-team tools via typelibguid
Reference:https://github.com/malwares/Stealer
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:malware_Hawkeye_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RAT_HawkEye
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_hawkeye_keylogger_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_hawkeye_keylogger_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

Executable exe 746d8f96f8153a4e45bb998ec885c82ffa1b4aaa18eb1381db2a2ed851e876cc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/413455/

Comments