MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fcc8cbe6ed3a2a12ba1c1ebf6fab95099fb6cd7c2822cad3423d80d0fc38c03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 8


Intelligence 8 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9fcc8cbe6ed3a2a12ba1c1ebf6fab95099fb6cd7c2822cad3423d80d0fc38c03
SHA3-384 hash: 441a727486f425e8ba90bd82a55cc6778620e98bd15c847d37a090c1b35dfbfdf6df5cacdf89237e3c4ec935ae29a025
SHA1 hash: e8fbb7e25820053afeb552b85e6d04a9e21506f9
MD5 hash: e662c90579b66184755aad154440abbf
humanhash: three-finch-blue-maine
File name:Prueba de pago.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:1'168'384 bytes
First seen:2020-11-09 19:30:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f1bfea1a0acd218f447e52c5e95f0206 (14 x HawkEye, 7 x Loki, 1 x MassLogger)
ssdeep 24576:K7K3CWIucmgOLPQVfHrwx9GRMQPohBQYp0h0Xts/7p:KmjcdNfHaGloHQYah09gd
Threatray 424 similar samples on MalwareBazaar
TLSH 7E459E52ADA0C833C1661634FF17DAF45926BD10AAE465872BF83D4A7F3A2C1383D197
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: imscp.swebians.com
Sending IP: 144.76.175.181
From: Carles Llorens <support@rieth-kg.de>
Reply-To: dh_derhawk@126.com
Subject: justificante de la transferencia
Attachment: Prueba de pago.zip (contains "Prueba de pago.exe")

HawkEye SMTP exfil server:
smtp.casalsmd.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Zusy.334505.17226.20270.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% directory
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling a "Do not show hidden files" option
Unauthorized injection to a system process
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/527094
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 312637 Sample: Prueba de pago.exe Startdate: 09/11/2020 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 14 other signatures 2->58 7 Prueba de pago.exe 2->7         started        10 WindowsUpdate.exe 2->10         started        12 WindowsUpdate.exe 2->12         started        process3 signatures4 60 Maps a DLL or memory area into another process 7->60 14 Prueba de pago.exe 16 8 7->14         started        62 Multi AV Scanner detection for dropped file 10->62 64 Detected unpacking (changes PE section rights) 10->64 66 Detected unpacking (creates a PE file in dynamic memory) 10->66 68 3 other signatures 10->68 19 WindowsUpdate.exe 5 10->19         started        21 WindowsUpdate.exe 12->21         started        process5 dnsIp6 36 smtp.casalsmd.com 217.116.0.228, 49753, 587 ACENS_ASSpainHostinghousingandVPNservicesES Spain 14->36 38 35.37.15.0.in-addr.arpa 14->38 42 2 other IPs or domains 14->42 32 C:\Users\user\AppData\...\WindowsUpdate.exe, PE32 14->32 dropped 34 C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII 14->34 dropped 44 Changes the view of files in windows explorer (hidden files and folders) 14->44 46 Writes to foreign memory regions 14->46 48 Allocates memory in foreign processes 14->48 50 3 other signatures 14->50 23 vbc.exe 1 14->23         started        26 vbc.exe 13 14->26         started        28 WerFault.exe 3 9 14->28         started        30 dw20.exe 22 6 14->30         started        40 127.0.0.1 unknown unknown 19->40 file7 signatures8 process9 signatures10 70 Tries to steal Mail credentials (via file registry) 23->70 72 Tries to steal Instant Messenger accounts or passwords 23->72 74 Tries to steal Mail credentials (via file access) 23->74 76 Tries to harvest and steal browser information (history, passwords, etc) 26->76
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9fcc8cbe6ed3a2a12ba1c1ebf6fab95099fb6cd7c2822cad3423d80d0fc38c03/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-09 15:30:18 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t7gizpto2orkck5byhv7n6vzkcm7w3gxykbczljuepma2d6drqbq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
012a8b58a7e5e04737ee8c5c004e1272b98e0dcf8bcb025f1573e63de8b2f7e9
HawkEye
0d6437a1e212ba6c8b651098ae5863a45b1e81d201d3722bd52e0c6559898db8
HawkEye
0edc6218dec611e4dd00d3251ba2b3361d512f09dde595a8489639b9aa250ec9
HawkEye
1e12aa307b7de55683eaf19ccee90d5dfdbe6332da9c5ddfa6996489a66890fc
HawkEye
2e6d01252c1c1469683b9412b4f2eefcd05bd8b433c8811b72ea0ab717cd1615
HawkEye
372d7ad682638210ae549422e43a44e7cff293013f6dfaf340c401384a7f03a5
HawkEye
664fc60c57caf8b106386e657f48991b8d77921c233c2135d1796def851524dd
HawkEye
7e6dc9928e049d75cd726d8542b39cf46afef0cfd37c8dcb968ea618aedbb696
HawkEye
8f4dce7ad41fd654a99038ce4b52b7b276795fd56a6c376eb58e40e4600ebe52
HawkEye
a46a4d49d8497c6cf8560c708fc6cf68c6901f2762938caa3be46b47a62d3ea6
HawkEye
+ 414 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-cwqy1plk3n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads user/profile data of web browsers
Uses the VBS compiler for execution
UPX packed file
HawkEye
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9fcc8cbe6ed3a2a12ba1c1ebf6fab95099fb6cd7c2822cad3423d80d0fc38c03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Hawkeye
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:RAT_HawkEye
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:win_hawkeye_keylogger_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_hawkeye_keylogger_g0
Create hunting rule
Author:Various authors / Slavo Greminger, SWITCH-CERT
Rule name:win_hawkeye_keylogger_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip 240a926af43b47b1888f789cff11ac3f2fb7e29d471723d416865492bd499ced

HawkEye

Executable exe 9fcc8cbe6ed3a2a12ba1c1ebf6fab95099fb6cd7c2822cad3423d80d0fc38c03

(this sample)

  
Dropped by
MD5 ba7bc777742560070833b647b2391740
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 240a926af43b47b1888f789cff11ac3f2fb7e29d471723d416865492bd499ced

Comments