MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82ffa88d2b058317fcbc1af1c6fe06d7927be41ee28c7473a397f3db42670ca5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 4 Comments

SHA256 hash: 82ffa88d2b058317fcbc1af1c6fe06d7927be41ee28c7473a397f3db42670ca5
SHA3-384 hash: 75a72d2a5daa1cf24171341fa8f0cae51137b4e8ebbe5b6658c4f6d7dc1528c921044992bdd4ffa21d59de8405232f9e
SHA1 hash: 0937747b83e0624bec024daadeaf5c7effdbcb36
MD5 hash: cc5e307e68ccb5b363a1d8125e0edfb1
humanhash: twelve-fanta-lion-mockingbird
File name:Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.EXE
Download: download sample
Signature HawkEye
File size:1'881'088 bytes
First seen:2020-06-19 06:36:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091
ssdeep 49152:8Vg5tQ7aGA8beG3cO1HnlylBPehgeKA5:Gg56bBrMmHSwhPK
TLSH 2595D0A2638DC264C6735173B936B713AE77741D4DA4B45F2F946E2EBD30322011BAA3
Reporter @abuse_ch
Tags:exe HawkEye Yahoo


Twitter
@abuse_ch
Malspam distributing HawkEye:

HELO: sonic304-56.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.128.31
From: Chandigarh Hydraulics Company <chd_hyb@yahoo.com>
Subject: Fw: ADITYA PO.
Attachment: Purchase Order_23011008_PDF.zip (contains "Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.EXE")

HawkEye SMTP exfil server:
outback.websitewelcome.com:587

Intelligence


File Origin
# of uploads :
1
# of downloads :
40
Origin country :
US US
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Ransomware.WannaCry
Status:
Malicious
First seen:
2020-06-18 07:17:43 UTC
AV detection:
28 of 31 (90.32%)
Threat level
  5/5
Result
Malware family:
hawkeye
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:hawkeye persistence evasion
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Modifies system certificate store
Adds Run entry to start application
Looks up external IP address via web service
Uses the VBS compiler for execution
Drops startup file
Reads user/profile data of web browsers
HawkEye

Yara Signatures


Rule name:Hawkeye
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:RAT_HawkEye
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:win_hawkeye_keylogger_w0
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:with_sqlite
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

Executable exe 82ffa88d2b058317fcbc1af1c6fe06d7927be41ee28c7473a397f3db42670ca5

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments