MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76db811bca515b8c2f782394e24b4bbce6269211f6e8971b4897bdffd554303b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76db811bca515b8c2f782394e24b4bbce6269211f6e8971b4897bdffd554303b
SHA3-384 hash: 8aa72b8115ccb00da211d3eb6109ac80e666e578f14dce8207aeaa333b0cbcdf9828af635545a644a04739cac8cc82d9
SHA1 hash: 83407c5d075e7a8664bd50b1cfe6d82eb936342e
MD5 hash: 134bf4ddd2a72c5c396647f7037af0e1
humanhash: lithium-sad-speaker-blossom
File name:PO 2010029_pdf Quotation from Alibaba Ale.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:1'086'464 bytes
First seen:2021-01-19 07:38:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f85ebb67bac58f72de974a91d40889a (5 x Formbook, 3 x RemcosRAT, 2 x AgentTesla)
ssdeep 24576:S8W4T17vgKzzHA3VJTMrxwpO7GAa18XjX:SU7JAlJTUmej
Threatray 412 similar samples on MalwareBazaar
TLSH D535BFE1BA40C031C4636535487AD6B3187BA12D9E68098F7BD4BE3B7F71382512B96F
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: connectto.com
Sending IP: 104.152.185.194
From: keith collins Bunn services <karenn@connectto.com>
Subject: New Order_PO#060317_007
Attachment: PO 2010029_pdf Quotation from Alibaba Ale.z (contains "PO 2010029_pdf Quotation from Alibaba Ale.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO 2010029_pdf Quotation from Alibaba Ale.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 08:13:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1b2108dd-c3cc-4a00-ad20-c3426a494109

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112812/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun by creating a file
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584581
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Detected HawkEye Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341324 Sample: PO 2010029_pdf    Quotation... Startdate: 19/01/2021 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for dropped file 2->59 61 15 other signatures 2->61 7 PO 2010029_pdf    Quotation  from Alibaba Ale.exe 16 12 2->7         started        12 WindowsUpdate.exe 6 2->12         started        14 WindowsUpdate.exe 5 2->14         started        process3 dnsIp4 39 35.37.15.0.in-addr.arpa 7->39 41 outback.websitewelcome.com 192.185.81.127, 49733, 587 UNIFIEDLAYER-AS-1US United States 7->41 45 2 other IPs or domains 7->45 29 C:\Users\user\AppData\...\WindowsUpdate.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\Local\Temp\...\file.exe, PE32 7->31 dropped 33 C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\...\c7156b3839fe4b43a6263c28516d097c.xml, XML 7->35 dropped 63 Changes the view of files in windows explorer (hidden files and folders) 7->63 65 Writes to foreign memory regions 7->65 67 Allocates memory in foreign processes 7->67 73 3 other signatures 7->73 16 vbc.exe 1 7->16         started        19 vbc.exe 13 7->19         started        21 cmd.exe 1 7->21         started        23 dw20.exe 22 6 7->23         started        43 127.0.0.1 unknown unknown 12->43 37 C:\Users\user\...\WindowsUpdate.exe.log, ASCII 12->37 dropped 69 Multi AV Scanner detection for dropped file 12->69 71 Machine Learning detection for dropped file 12->71 file5 signatures6 process7 signatures8 47 Tries to steal Mail credentials (via file registry) 16->47 49 Tries to steal Instant Messenger accounts or passwords 16->49 51 Tries to steal Mail credentials (via file access) 16->51 53 Tries to harvest and steal browser information (history, passwords, etc) 19->53 25 conhost.exe 21->25         started        27 schtasks.exe 1 21->27         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76db811bca515b8c2f782394e24b4bbce6269211f6e8971b4897bdffd554303b/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 06:32:31 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3nycg6kkfnyyl3yeokoes2lxttcneqr63ujog2is6677vkuga5q._file
Verdict:
unknown
Similar samples:
0b813805cdf296dc50f3336dcbf6e41f4dc119e753be9511634857eba90a7b0f
HawkEye
1c55b3c97920d56dddbc38e6ba3c5dcbc7f3072792915b51e146b3dd92b3f392
HawkEye
321be1554d0c8aaf169078b16f29bac61f923485fcc124499a6886c4ecadb552
HawkEye
35f2d31f591a7850c05f86c1124aef7193bdd2f2ad7421d1fb09e1144b3fc3d3
HawkEye
4179d8fb0428a4de8a32d90e394f34540e2003b397523a062e27ed37902dafa5
HawkEye
4630139561d13a1b777368972765fb04cf0b237a850bc94d59ba7d2445d32019
HawkEye
6fbc3e54a04aeadf268907b5041bdaf5af8980d76eafce3bc5d995c0fa779fd8
HawkEye
c363769d3d6ae833d71203a5a678ad04349404eae3788865fcdb706c3c7543b0
HawkEye
ccd9176d26caf90647653816162ea4622ae24e253b7da139fdfacd74a555a8a1
HawkEye
e2da0284dd6560f4fdfc2a2ec9eafb0c791ebebc7b0ebcc0d792cc791412145e
HawkEye
+ 402 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210119-ct1yds4qbe/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Uses the VBS compiler for execution
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
HawkEye
Unpacked files
SH256 hash:
76db811bca515b8c2f782394e24b4bbce6269211f6e8971b4897bdffd554303b
MD5 hash:
134bf4ddd2a72c5c396647f7037af0e1
SHA1 hash:
83407c5d075e7a8664bd50b1cfe6d82eb936342e
Link:
https://www.unpac.me/results/8d06f73a-c865-45d4-974c-7bd3c951e228/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76db811bca515b8c2f782394e24b4bbce6269211f6e8971b4897bdffd554303b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip 1574ff8e68265e9612dfc18a0420bb9b30c875fc1902fcafd4a1a8f425dbe44c

HawkEye

Executable exe 76db811bca515b8c2f782394e24b4bbce6269211f6e8971b4897bdffd554303b

(this sample)

  
Dropped by
MD5 0c31b6e37bf20e388ab4038c90c61112
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1574ff8e68265e9612dfc18a0420bb9b30c875fc1902fcafd4a1a8f425dbe44c
Cape
Cape
https://www.capesandbox.com/analysis/112812/

Comments