MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a03a01c5db256866b2caf92a988882d4fa2051d4ef401455e07794fb87a0042e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a03a01c5db256866b2caf92a988882d4fa2051d4ef401455e07794fb87a0042e
SHA3-384 hash: f7ca371e56f6af45c3ab00e6a56e8899f371ddea1df27f5a5834db59f994a623c6fe5bc9f815e1431a8ae01a78b91520
SHA1 hash: 9f7c5288999d83fe8220ba08d15d3eb8624c6aad
MD5 hash: 7b2aa392e7eaec9b73d7fb7de325f8d3
humanhash: pennsylvania-victor-pluto-william
File name:company certificate.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:129'624 bytes
First seen:2020-10-11 12:02:42 UTC
Last seen:2020-10-11 12:49:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 3072:llY1PtSgEk1QvHxssWxvMtDqxmwxR7jrM17:PY1tS6GPYHa
Threatray 401 similar samples on MalwareBazaar
TLSH 33C35F01B105F53ED1BAD6312B23C84126B4EA70175CF779A5C82E8DCE417662F2BEE6
Reporter abuse_ch
Tags:exe HawkEye Yahoo


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: sonic313-22.consmr.mail.ir2.yahoo.com
Sending IP: 77.238.179.189
From: optns_multechilink@yahoo.com
Reply-To: optns_multechilink@yahoo.com
Subject: Fw: Quote#CON-071720-EB
Attachment: Products_Pictures_logo_Designs_ pdf.z (contains "company certificate.exe")

HawkEye SMTP exfil server:
smtp.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Detection:
HawkEye
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69828/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487691
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected HawkEye Rat
Drops PE files to the startup folder
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296287 Sample: company certificate.exe Startdate: 11/10/2020 Architecture: WINDOWS Score: 100 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 Multi AV Scanner detection for submitted file 2->87 89 15 other signatures 2->89 7 company certificate.exe 18 5 2->7         started        12 company certificate.exe 2 2->12         started        14 company certificate.exe 2->14         started        16 3 other processes 2->16 process3 dnsIp4 69 us-east-1.route-1.000webhost.awex.io 145.14.144.70, 443, 49733 AWEXUS Netherlands 7->69 71 dfewfwefwefwefwe.000webhostapp.com 7->71 57 C:\Users\user\...\company certificate.exe, PE32 7->57 dropped 59 company certificate.exe:Zone.Identifier, ASCII 7->59 dropped 61 C:\Users\user\...\company certificate.exe.log, ASCII 7->61 dropped 101 Creates an undocumented autostart registry key 7->101 103 Creates autostart registry keys with suspicious names 7->103 105 Creates multiple autostart registry keys 7->105 18 company certificate.exe 4 7->18         started        22 timeout.exe 1 7->22         started        77 2 other IPs or domains 12->77 107 Hides threads from debuggers 12->107 24 company certificate.exe 12->24         started        26 timeout.exe 1 12->26         started        28 WerFault.exe 12->28         started        79 2 other IPs or domains 14->79 30 timeout.exe 14->30         started        36 2 other processes 14->36 73 145.14.144.43, 443, 49763 AWEXUS Netherlands 16->73 75 145.14.145.191, 443, 49752 AWEXUS Netherlands 16->75 81 3 other IPs or domains 16->81 32 timeout.exe 16->32         started        34 timeout.exe 16->34         started        file5 signatures6 process7 dnsIp8 63 192.168.2.1 unknown unknown 18->63 65 84.102.13.0.in-addr.arpa 18->65 91 Changes the view of files in windows explorer (hidden files and folders) 18->91 93 Writes to foreign memory regions 18->93 95 Sample uses process hollowing technique 18->95 97 2 other signatures 18->97 38 vbc.exe 18->38         started        41 WerFault.exe 18->41         started        43 vbc.exe 18->43         started        45 conhost.exe 22->45         started        67 127.0.0.1 unknown unknown 24->67 47 WerFault.exe 24->47         started        49 conhost.exe 26->49         started        51 conhost.exe 30->51         started        53 conhost.exe 32->53         started        55 conhost.exe 34->55         started        signatures9 process10 signatures11 99 Tries to harvest and steal browser information (history, passwords, etc) 38->99
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a03a01c5db256866b2caf92a988882d4fa2051d4ef401455e07794fb87a0042e/
Threat name:
ByteCode-MSIL.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-10-11 06:16:49 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ua5adro3evugnmwk7evjrcec2t5cauou55abivpao6kpxb5aaqxa._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
405b73ed2d211da9c63ded57666f5e74c429631bc94b396e42325d9980be375f
HawkEye
8414836a7a6d81327e207e5d693e250607704a2900f3e992195dbfc05305e10a
HawkEye
89960c6e0b1d193051322647448e48fe0c4a42fc103d2b19256c0e335da71189
HawkEye
a4d6c0a909365bd89fdf812fbb75f92edc06fcd2a9a7b3c6d9b553ffe124858f
HawkEye
d5886c42f7b8f77d036091616f0314f37e2db5c117aaa769ede368027fe7d43a
HawkEye
d88b00afe502517f9415ac41667410acfc0bdbd7d74389de73256aafd8f7d5eb
HawkEye
ea56daef74bb7280e915eb22485008a932d9a73345810f0fbf2861285dfb9bbc
HawkEye
f0e21d89e7d9763f14061fa57c4af1b209a7764c33a9fa05e5ca0bc83412d13e
HawkEye
f1a630f7b8387dc08f1c516b7e79c2d7099fcc47ab529902807d471e683a909b
HawkEye
faa44413487cb089e62e353866f10497b0311e9683baea0d50eae829e3f58e84
HawkEye
+ 391 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
persistence evasion keylogger trojan stealer spyware family:hawkeye
Link:
https://tria.ge/reports/201011-f8kgvb4kda/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
HawkEye
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
a03a01c5db256866b2caf92a988882d4fa2051d4ef401455e07794fb87a0042e
MD5 hash:
7b2aa392e7eaec9b73d7fb7de325f8d3
SHA1 hash:
9f7c5288999d83fe8220ba08d15d3eb8624c6aad
Link:
https://www.unpac.me/results/b3fbb291-dd12-42ed-ae73-a7076b56e468/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a03a01c5db256866b2caf92a988882d4fa2051d4ef401455e07794fb87a0042e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Hawkeye
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:RAT_HawkEye
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:win_hawkeye_keylogger_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_hawkeye_keylogger_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip 9c35ed199fcf933ec7556da78c9e96e96dd327af53bc221dd004f0417c21a81a

HawkEye

Executable exe a03a01c5db256866b2caf92a988882d4fa2051d4ef401455e07794fb87a0042e

(this sample)

  
Dropped by
MD5 7fde122d4fa09f705805541e0eac62c8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69828/
  
Dropped by
SHA256 9c35ed199fcf933ec7556da78c9e96e96dd327af53bc221dd004f0417c21a81a

Comments