MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fcf4d1528f2945b751c3d9035e17f7143fdbc94ef687f5c9e4e35d892c5922b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HawkEye
Vendor detections: 7



SHA256 hash: 8fcf4d1528f2945b751c3d9035e17f7143fdbc94ef687f5c9e4e35d892c5922b
SHA3-384 hash: 673d36da9d4a0277e9530cb01602ebee464484817ae93cd075fc25f42a174a18908fc9fbbd9a3d1e4c9cea1f02a09133
SHA1 hash: a1dccb7bbff29079830ad9b57eb1a842aee970a3
MD5 hash: 2309696d1d8614a83a0dc72b8bfbab6b
humanhash: august-california-delta-stairway
File name: NKF20205 LIST.exe
Signature: HawkEye
File size: 482'816 bytes
First seen: 2020-08-03 13:11:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2ff2dc860b3be78716db0209b9220e29 (4 x AgentTesla, 3 x HawkEye, 2 x NetWire)
ssdeep: 6144:N7PtltXAYzC3t3Ez4OaRankg1LJX0HUBza6SmFqHD8oLleBoIgyHILagQI+nQW:N75XAYMt3Q4vRqvX0Uz8lePgSqdi
Threatray: 1'548 similar samples on MalwareBazaar
TLSH: 5AA423FAC1958782D5E47B35823BE991E7426CED982F178DC843D05E28B6FC18B1721B
Reporter: abuse_ch
Tags: exe GoDaddy HawkEye


abuse_ch
Malspam distributing HawkEye:

HELO: p3plwbeout05-06.prod.phx3.secureserver.net
Sending IP: 97.74.135.51
From: Jamie Somasundar <lnlbeachy@agoodwave.com>
Subject: Technical & Your Financial offer]
Attachment: NKF20205 LIST.zip (contains "NKF20205 LIST.exe")

HawkEye SMTP exfil server:
smtp.yandex.ru:587

Intelligence


File Origin
# of uploads: 1
# of downloads: 94
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the Program Files subdirectories
Sending a UDP request
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Deleting a recently created file
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name: HawkEye MailPassView Quasar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates autostart registry keys with suspicious names
Delayed program exit found
Detected HawkEye Rat
Drops VBS files to the startup folder
Early bird code injection technique detected
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Quasar RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph (ID: 256211, Sample: NKF20205 LIST.exe, Startdate: 03/08/2020, Architecture: WINDOWS, Score: 100), rendered as a process tree with the signatures, dropped files and network contacts attached to each node:

Sample start: Found malware configuration; Malicious sample detected (through community Yara rule); Detected HawkEye Rat; 14 other signatures
  NKF20205 LIST.exe: Early bird code injection technique detected; Writes to foreign memory regions; Allocates memory in foreign processes; Queues an APC in another process (thread injection)
    NKF20205 LIST.exe: ip-api.com (208.95.112.1, ports 49729, 49730, 80, TUT-AS (US), United States); dropped C:\Program Files (x86)\SubDir\chrom.exe (PE32); dropped C:\Users\user\...\NKF20205 LIST.exe.log (ASCII); Hides that the sample has been downloaded from the Internet (zone.identifier)
      chrom.exe: Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process
        chrom.exe: faithovercome.myftp.biz (79.134.225.105, ports 1983, 49731, FINK-TELECOM-SERVICES (CH), Switzerland); ip-api.com; dropped C:\Users\user\AppData\...\KxSmdYnuMCrR.exe (PE32); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Creates autostart registry keys with suspicious names; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
          KxSmdYnuMCrR.exe: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
            KxSmdYnuMCrR.exe: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
              vbc.exe: 192.168.2.1 (unknown, unknown)
            notepad.exe: dropped C:\Users\user\AppData\Roaming\...\chrom.vbs (ASCII)
          schtasks.exe
            conhost.exe
        notepad.exe
      schtasks.exe
        conhost.exe
    notepad.exe: Drops VBS files to the startup folder; Delayed program exit found
  wscript.exe
    NKF20205 LIST.exe: Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process
      notepad.exe
      NKF20205 LIST.exe
  NKF20205 LIST.exe: Maps a DLL or memory area into another process
    notepad.exe
    NKF20205 LIST.exe
  2 other processes
    notepad.exe
    chrom.exe
    notepad.exe
    chrom.exe
Threat name: Win32.Trojan.Quasar
Status: Malicious
First seen: 2020-08-03 13:13:05 UTC
AV detection: 20 of 27 (74.07%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: CN_disclosed_20180208_KeyLogger_1
Author: Florian Roth
Description: Detects malware from disclosed CN malware set
Reference: https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name: MAL_HawkEye_Keylogger_Gen_Dec18
Author: Florian Roth
Description: Detects HawkEye Keylogger Reborn
Reference: https://twitter.com/James_inthe_box/status/1072116224652324870

Rule name: MAL_QuasarRAT_May19_1
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name: MSILStealer
Author: https://github.com/hwvs
Description: Detects strings from C#/VB Stealers and QuasarRat
Reference: https://github.com/quasar/QuasarRAT

Rule name: Quasar
Author: JPCERT/CC Incident Response Group
Description: Detect QuasarRAT in memory

Rule name: Quasar_RAT_1
Author: Florian Roth
Description: Detects Quasar RAT
Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name: Quasar_RAT_2
Author: Florian Roth
Description: Detects Quasar RAT
Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: Vermin_Keylogger_Jan18_1
Author: Florian Roth
Description: Detects Vermin Keylogger
Reference: https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

Rule name: xRAT_1
Author: Florian Roth
Description: Detects Patchwork malware
Reference: https://goo.gl/Pg3P4W

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  HawkEye
    Executable exe 8fcf4d1528f2945b751c3d9035e17f7143fdbc94ef687f5c9e4e35d892c5922b (this sample)

Delivery method: Distributed via e-mail attachment
