MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 936ad4294125b52a7bbcbc1130128209932a3fbe505eb0fb539495c61205a5b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 936ad4294125b52a7bbcbc1130128209932a3fbe505eb0fb539495c61205a5b3
SHA3-384 hash: 810c1abd076b9f1cc3b327321dac49a49afe1e0b0c9c1fb8f19f6c0befa1cca2d101eef01acc5d46d8d8eef67424c11a
SHA1 hash: 32391147e6be36d06197d4e0641d5bf9e03dabdd
MD5 hash: 3e9b1cd7bea8e5aad8fd32355de2faeb
humanhash: zulu-seventeen-louisiana-muppet
File name:LisectAVT_2403002A_106.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:1'441'547 bytes
First seen:2024-07-24 23:39:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:rAOcZAh8BbGTd6g+HrTWCGMnuce4hXQoVUsywK6ULRrAPWcBfhNQXNmrK:taRov+LCuug7VU4KVrAPWLIrK
Threatray 509 similar samples on MalwareBazaar
TLSH T179651203E78444F7D0370B3116675B347EBAB9301B659B5BABA4453DAE72340BE34BA2
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f1f8ece470f0b0b2 (7 x NanoCore, 2 x RemcosRAT, 2 x HawkEye)
Reporter Anonymous
Tags:exe HawkEye


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
Win.Malware.Lisk-9886623-0
Create hunting rule

Win.Malware.Lisk-9886664-0
Create hunting rule

Win.Malware.Lisk-9891350-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a190e2ae21d7902eafdb66
Tags:
Encryption Static Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Adding an access-denied ACE
Launching a process
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc installer lolbin microsoft_visual_cc setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/66a190dd4c5c17942a7d27f4/reports/788851ed-5c86-4048-b5a1-1fa4aa7e93e7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
HawkEye
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b05324ff-7545-412d-9cac-88f0176ad57c
Result
Threat name:
HawkEye, MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1482519
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Detected HawkEye Rat
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1482519 Sample: LisectAVT_2403002A_106.exe Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 29 Malicious sample detected (through community Yara rule) 2->29 31 Yara detected MailPassView 2->31 33 Yara detected AntiVM3 2->33 35 6 other signatures 2->35 8 LisectAVT_2403002A_106.exe 26 2->8         started        process3 file4 27 C:\Users\user\AppData\Local\...\urdavsa.pif, PE32 8->27 dropped 45 Drops PE files with a suspicious file extension 8->45 12 urdavsa.pif 2 8->12         started        signatures5 process6 signatures7 47 Antivirus detection for dropped file 12->47 49 Detected HawkEye Rat 12->49 51 Machine Learning detection for dropped file 12->51 53 3 other signatures 12->53 15 RegSvcs.exe 10 12->15         started        process8 signatures9 55 Detected HawkEye Rat 15->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->57 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->59 61 Sample uses process hollowing technique 15->61 18 vbc.exe 15->18         started        21 vbc.exe 15->21         started        23 vbc.exe 15->23         started        25 4 other processes 15->25 process10 signatures11 37 Tries to steal Instant Messenger accounts or passwords 18->37 39 Tries to steal Mail credentials (via file / registry access) 18->39 41 Tries to steal Mail credentials (via file registry) 25->41 43 Tries to harvest and steal browser information (history, passwords, etc) 25->43
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/936ad4294125b52a7bbcbc1130128209932a3fbe505eb0fb539495c61205a5b3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/936ad4294125b52a7bbcbc1130128209932a3fbe505eb0fb539495c61205a5b3/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2024-03-30 07:07:00 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=snvnikkbew2su654xqitaeucbgjsup56kbplb62tssk4meqfuwzq._file
Verdict:
malicious
Similar samples:
02f864baf71847c5832c94f396bb14ba3fd5c1b7d96936427c358f37a6cfa105
HawkEye
13c9bc1d2ac60ca5abb5a235d7d27d8c6f06e497da360f391785044d413cc29e
HawkEye
3d10c53032ea46fb31e8b921c09466bf4a93347f5809c181a0d41ac8e423a153
HawkEye
69230008ebd4db702b501b5d35d6c5551ae5d1cc779d0bbcf4526f606f332650
HawkEye
8dda840eccb53427037b3a06dd5f886c78e6e55fe69d96b256b05176e85172db
HawkEye
aa005608adb8e7e3c775383f20f2608164056713bcbb92d0ec5c99994d8af750
HawkEye
c8a3afbe993a8c462856e72256e1ec0a251777a5d5bc6cac978e4349f8cb9ac2
HawkEye
f60bcc6d90d9415a7c3c8beebdeeed867df6681880b10e925cdbc767840793ea
HawkEye
+ 499 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn family:m00nd3v_logger collection credential_access discovery infostealer keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240724-3n195sthlj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
M00nD3v Logger payload
NirSoft MailPassView
NirSoft WebBrowserPassView
HawkEye Reborn
M00nd3v_Logger
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7abc65ce-1efa-4877-86c9-a67a29366d81
Unpacked files
SH256 hash:
2a289cb5244076d25da11b51cf8c32a92b9f43007884abf8351b202f1bcf6d43
MD5 hash:
8b8fb3685244f473f20a85b82ce7793f
SHA1 hash:
7e40788f7ab938061446fd1297fc15c21c6898db
Detections:
AutoIT_Compiled
Create hunting rule
Suspicious_AutoIt_by_Microsoft
Create hunting rule
Link:
https://www.unpac.me/results/bdcbbc97-eaa0-4e83-86ed-b7e37584aac1/
SH256 hash:
122ad262bebd39ce4215af76fbc5321d4c2da8e94d4e1f7667847d54856029f2
MD5 hash:
1d69003d6bb3ef8fa5580f7f97d09dd3
SHA1 hash:
b1a8ec5dbeeef683176720fbfa87688ed9d7a806
Detections:
win_hawkeye_keylogger_g0
Create hunting rule
MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/bdcbbc97-eaa0-4e83-86ed-b7e37584aac1/
Parent samples :
bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1
e773f60aeb241f884b4f932d7ddd4e31c87f31781d5bd53d8583b3d54807a449
fa38ec9464602a1727813004fc616d9d0359c37da01b7d07c3e38784c0b2a46d
de1730eddefee2b8d8193d92b02fc5a3fd1bf6d54c6f55eff53c85c8a2501a79
691cb999c6be0f430c14a9411abf6796f174c8d8f3c3edc4b819b3b35972d832
0a0e7c81912b02e6ec1c7fbb338f4ef200e23d441d57c692cc88fef616593f0d
752efe9ad078a9be4a82b6f7c2123d58c90a1456287390b50df9e9c3292bc490
936ad4294125b52a7bbcbc1130128209932a3fbe505eb0fb539495c61205a5b3
c2d23332a28fd0f2f0b404e53d9820ba0f5f8070043cfa0b2fbb18a4a33466b6
SH256 hash:
936ad4294125b52a7bbcbc1130128209932a3fbe505eb0fb539495c61205a5b3
MD5 hash:
3e9b1cd7bea8e5aad8fd32355de2faeb
SHA1 hash:
32391147e6be36d06197d4e0641d5bf9e03dabdd
Link:
https://www.unpac.me/results/bdcbbc97-eaa0-4e83-86ed-b7e37584aac1/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

Executable exe 936ad4294125b52a7bbcbc1130128209932a3fbe505eb0fb539495c61205a5b3

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments