MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b926b9c322ee16dc0ea54330428658cda75dc84a1a58ef88ebec2572d87d850b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HawkEye

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	b926b9c322ee16dc0ea54330428658cda75dc84a1a58ef88ebec2572d87d850b
SHA3-384 hash:	2b3754d4067cf5df7e5bb69f037fb171405902173ab73081f03584675a0f4bfa359bf0df31f091c83eaac3e16d5d3276
SHA1 hash:	b62fcb923c4a606334bd9fbfc2f68b7f3c054bd7
MD5 hash:	b284fb9677d876f59a2ea95541208b7c
humanhash:	twenty-michigan-high-lithium
File name:	b926b9c322ee16dc0ea54330428658cda75dc84a1a58ef88ebec2572d87d850b
Download:	download sample
Signature	HawkEye Create hunting rule
File size:	2'134'528 bytes
First seen:	2020-11-12 13:52:05 UTC
Last seen:	2024-07-24 20:46:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	49152:eXfDV3AdJdxeWadqVhne3UPN7ylJvJF1k8wdd9EEUJkGa1MY:MhQdJTe0VVzCvJ/pU9E/Jkt1M
TLSH	63A5D022639DCA60FA6EB032BA2577016E67E8653560FCF72E54097CE9501E01E3C76F
Reporter	seifreed
Tags:	HawkEye

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Autoit-9790147-0

Win.Trojan.Autoit-9790152-0

Win.Trojan.Autoit-9790155-0

Win.Trojan.Autoit-9790166-0

Win.Trojan.Autoit-9790168-0

Win.Trojan.Autoit-9790176-0

Win.Trojan.Autoit-9790232-0

Win.Trojan.Autoit-9790239-0

Win.Trojan.Autoit-9790240-0

Win.Trojan.Autoit-9790242-0

Win.Trojan.Autoit-9790245-0

Win.Trojan.Autoit-9790251-0

Win.Trojan.Autoit-9790262-0

Win.Trojan.Autoit-9790267-0

Win.Trojan.Autoit-9790695-0

Win.Trojan.Autoit-9791035-0

Win.Trojan.Autoit-9791037-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b926b9c322ee16dc0ea54330428658cda75dc84a1a58ef88ebec2572d87d850b/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-12 13:53:07 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xetltqzc5ylnydvfimyefbsyzwtv3sckdjmo7chl5qsxfwd5qufq._file

Result

Malware family:

hawkeye_reborn

Score:

10/10

Tags:

family:hawkeye_reborn keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201112-qtahcgklvs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Looks up external IP address via web service

Drops startup file

Reads user/profile data of web browsers

Uses the VBS compiler for execution

HawkEye Reborn

Unpacked files

SH256 hash:

b926b9c322ee16dc0ea54330428658cda75dc84a1a58ef88ebec2572d87d850b

MD5 hash:

b284fb9677d876f59a2ea95541208b7c

SHA1 hash:

b62fcb923c4a606334bd9fbfc2f68b7f3c054bd7

Link:

https://www.unpac.me/results/9ce908cd-19cf-4b08-8411-42642c428d44/

SH256 hash:

2c5c6737315e1231daae3c559b9d0d2e275b555f5ea90a41cb47a9eed4b0e83e

MD5 hash:

5e8d81b745d1de9196f69f71b8929fad

SHA1 hash:

d2547f681e3b80a8d2a1d78e118bd2c7e0c992ac

Detections:

win_hawkeye_keylogger_g0

Link:

https://www.unpac.me/results/9ce908cd-19cf-4b08-8411-42642c428d44/

Parent samples :

ef24fa91dc24e348f6ef60f53e36cb53150950aa1301469b7ee747523bc43f65
b926b9c322ee16dc0ea54330428658cda75dc84a1a58ef88ebec2572d87d850b
c5845be19adb4e49adb11f5c276835d1f2d11c2d277da2dc265968bb6edb4c2d
a1416f15382642c1bcf6fafac052bcd38900409be007f54414942e405c18ff73

SH256 hash:

ce5ddb4d00a5e331a897130c9cee1e1b4d541e043bb35a983e8d06b5ce261b94

MD5 hash:

0a3eb3b92256654546fcb3ea713b47e9

SHA1 hash:

51e3bde402afc2fa70bc7c0b678634289be7e474

Detections:

win_hawkeye_keylogger_auto

Link:

https://www.unpac.me/results/9ce908cd-19cf-4b08-8411-42642c428d44/

Parent samples :

SH256 hash:

400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342

MD5 hash:

54e8ded7b148a13d3363ac7b33f6eb06

SHA1 hash:

63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9

Link:

https://www.unpac.me/results/9ce908cd-19cf-4b08-8411-42642c428d44/

Parent samples :

e6b3160e17f1c4c0ce9136d7e19089f9e7e759bbd2989c27f8eb6083a627bfb9
c0498d7a70e78c236241d0e91b3bb599c1961ea62a10bd76a16fe7b18824f646
c2d23332a28fd0f2f0b404e53d9820ba0f5f8070043cfa0b2fbb18a4a33466b6

SH256 hash:

54241d67c33e245742af873dc6e61558b837618a3c03eb055695587e3ddf8740

MD5 hash:

b15ffed0dc3932b66ab628d422b18f70

SHA1 hash:

99e0ea3021640282792f2914a4d7e6626fca9df8

Detections:

win_hawkeye_keylogger_auto

Link:

https://www.unpac.me/results/9ce908cd-19cf-4b08-8411-42642c428d44/

Parent samples :

76f4037b2878a1f9d902b58becabe775f8f99df45b2c5c80ac9eb61a8da4a255
c944ec2c1c332672384769d2abfbb4f298f9fcaa63b18b4094e1d9779fa82fe0
c2689bc7e035365f3aad0880c3f2526da7e6934882be23bef2b7fa20f4b04513
aff4e29973c297fd764b3ba81237afd91912f51f9a4babfd766ce80f9ace2676
7dfdce0a99eabe706a8f617d20f54ab7c933fd0e702dffed576ea3d5d74aea9d
44f88f1551622a78e7e0cb6cb04b810ce4c58a1dbd6039b1f7248b579e8f9095
32a1d99c12d4bbbf6b20ee43a25cf4dccf34ba30d8d40dc68d9c59d4c7ba25d5
39ae83af1cd715dadb50a266b91587dab04fffa94d2aa923c03cff634265f9ec
ef24fa91dc24e348f6ef60f53e36cb53150950aa1301469b7ee747523bc43f65
b926b9c322ee16dc0ea54330428658cda75dc84a1a58ef88ebec2572d87d850b
c5845be19adb4e49adb11f5c276835d1f2d11c2d277da2dc265968bb6edb4c2d
a1416f15382642c1bcf6fafac052bcd38900409be007f54414942e405c18ff73

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b926b9c322ee16dc0ea54330428658cda75dc84a1a58ef88ebec2572d87d850b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	MAL_HawkEye_Keylogger_Gen_Dec18 Create hunting rule
Author:	Florian Roth
Description:	Detects HawkEye Keylogger Reborn
Reference:	https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample