MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a860b7f6787c55f457249bf722d6ce93034391889c05f6ec0c9e10befe8c8c03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HawkEye

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	a860b7f6787c55f457249bf722d6ce93034391889c05f6ec0c9e10befe8c8c03
SHA3-384 hash:	124e316341db93b5a675585dee6b3c53ffce4af0563d19de215cb089530da50524af88f15136f42d76bdd7394e77d1b3
SHA1 hash:	980d137b47dc5664a1a8a134b0030e4e79489408
MD5 hash:	d2c03864dcf6003537851a411452464d
humanhash:	connecticut-queen-ten-september
File name:	tool.exe
Download:	download sample
Signature	HawkEye Create hunting rule
File size:	867'840 bytes
First seen:	2020-04-10 15:38:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e0d4c6e04dd72cdba2ee496954fbe0a6 (2 x Loki, 2 x AgentTesla, 1 x FormBook)
ssdeep	12288:PyVwhFSGiJ6d7wTlqq0ymhTdst6l8YesE+HMsJUHLxwVJ4D/cBLgP:6GKX6d7Lq2h5HRE+HMseHLGkUG
Threatray	764 similar samples on MalwareBazaar
TLSH	DF058D32F2D65433D5732A7C9D2B67A4992ABE013D28988A3FF41C4C4F3964179352E7
Reporter	James_inthe_box
Tags:	exe HawkEye

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Adware.Generic4.BBFB.UNOFFICIAL

Win.Dropper.LokiBot-7662731-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

PUA.Win.Adware.Webalta-6854075-0

PUA.Win.Adware.Webalta-6862190-0

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-09 15:54:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

2/5

Verdict:

malicious

Label(s):

avemaria

azorult

hawkeyekeylogger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	kernel32.dll::WinExec
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::GetFileAttributesA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::GetComputerNameA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample