MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea56daef74bb7280e915eb22485008a932d9a73345810f0fbf2861285dfb9bbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea56daef74bb7280e915eb22485008a932d9a73345810f0fbf2861285dfb9bbc
SHA3-384 hash: 40135f04e3c9abc9be43c0b23a4edb1396911ed7a3c98190bac1f3812792ae0c4c5290bede9d4f4262220ec8a633a091
SHA1 hash: 6f5304639920e71a09b1cdb23d73e0d7659fc68f
MD5 hash: e09d2ecf2d84113811490c66fdd49f3c
humanhash: purple-mirror-robin-hotel
File name:company certificate.bat
Download: download sample
Signature HawkEye
Create hunting rule
File size:683'888 bytes
First seen:2020-10-08 13:08:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:ir+SCgDM3XvIx4c7sZoGqPk+2kfeCpUcLfFAmIOlU27fPM2x3wSvpyOV:kCgDMHHZoGqPk+2IeCpUoFAM9fPfx3wU
Threatray 392 similar samples on MalwareBazaar
TLSH 86E4023CD6D72C5AECBDE2320A118D206BB267635AB3D2741CE45BC78648BD19B27CD4
Reporter abuse_ch
Tags:bat HawkEye


Avatar
abuse_ch
HawkEye SMTP exfil server:
smtp.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69245/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a window
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485470
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected HawkEye Rat
Drops PE files to the startup folder
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295276 Sample: company certificate.bat Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 15 other signatures 2->63 7 company certificate.exe 3 4 2->7         started        11 company certificate.exe 2 2->11         started        13 company certificate.exe 2->13         started        15 2 other processes 2->15 process3 file4 45 C:\Users\user\...\company certificate.exe, PE32 7->45 dropped 47 company certificate.exe:Zone.Identifier, ASCII 7->47 dropped 71 Creates an undocumented autostart registry key 7->71 73 Creates autostart registry keys with suspicious names 7->73 75 Creates multiple autostart registry keys 7->75 17 company certificate.exe 4 7->17         started        21 timeout.exe 1 7->21         started        23 WerFault.exe 23 9 7->23         started        77 Hides threads from debuggers 11->77 79 Injects a PE file into a foreign processes 11->79 25 timeout.exe 11->25         started        27 company certificate.exe 11->27         started        29 WerFault.exe 11->29         started        31 timeout.exe 13->31         started        33 timeout.exe 15->33         started        signatures5 process6 dnsIp7 49 40.78.5.0.in-addr.arpa 17->49 51 smtp.privateemail.com 199.193.7.228, 49757, 587 NAMECHEAP-NETUS United States 17->51 53 192.168.2.1 unknown unknown 17->53 65 Changes the view of files in windows explorer (hidden files and folders) 17->65 67 Installs a global keyboard hook 17->67 69 Injects a PE file into a foreign processes 17->69 35 WerFault.exe 17->35         started        37 conhost.exe 21->37         started        39 conhost.exe 25->39         started        55 127.0.0.1 unknown unknown 27->55 41 conhost.exe 31->41         started        43 conhost.exe 33->43         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea56daef74bb7280e915eb22485008a932d9a73345810f0fbf2861285dfb9bbc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 10:46:50 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5jlnv33uxnzib2iv5mrequaivezntjztiwaq6d57fbqsqxp3to6a._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
00a8e89cdd91a236a1e462ee34e090807a52af43cb41509b84685a06b40f3a5e
HawkEye
0be2fd26cdd52bc071b076fc7350077db4962173366192cbc9870df8b3cb234c
HawkEye
77728dc00d957e7c3a175b58f539ed1ce895595832f3ff527aac52a10b185565
HawkEye
866e522886833782a25f4c9cdb823a29f3a4d1e8b26eef03ed271af7b991eae5
HawkEye
9ab98e8d67aa054c7d860cb54100954bfc5429cce7b4fb9bb1d69ddc3f43d2ce
HawkEye
a837374ed66cc50cb5760f0f948db288657fd0891687f43df9b9260dfb71449c
HawkEye
ab4c9019f3f231fdedb61a280f15eb7cc83d76d6f1ee9a0ad2dc363386650016
HawkEye
d5886c42f7b8f77d036091616f0314f37e2db5c117aaa769ede368027fe7d43a
HawkEye
eccca8a3f4c7a1ec13665137759fe722aceef7a1688f92c8a4c7796f6d85237f
HawkEye
f1a630f7b8387dc08f1c516b7e79c2d7099fcc47ab529902807d471e683a909b
HawkEye
+ 382 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
evasion persistence keylogger trojan stealer spyware family:hawkeye
Link:
https://tria.ge/reports/201008-6n1vn2bg4s/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
HawkEye
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
ea56daef74bb7280e915eb22485008a932d9a73345810f0fbf2861285dfb9bbc
MD5 hash:
e09d2ecf2d84113811490c66fdd49f3c
SHA1 hash:
6f5304639920e71a09b1cdb23d73e0d7659fc68f
Link:
https://www.unpac.me/results/c9562970-0e8c-41c2-80ff-516e0b2459ba/
SH256 hash:
025bf6dcac637ad373058942f51b971a2785b274e2e3a84d0e9f3a387d2fa5a4
MD5 hash:
d7403eba7d26dcfaf64f7ab3b982bf43
SHA1 hash:
f3d7fcc0d23c328e82c7d74ef61284d211c6ee68
Link:
https://www.unpac.me/results/c9562970-0e8c-41c2-80ff-516e0b2459ba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea56daef74bb7280e915eb22485008a932d9a73345810f0fbf2861285dfb9bbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Hawkeye
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:RAT_HawkEye
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:win_hawkeye_keylogger_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_hawkeye_keylogger_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

Executable exe ea56daef74bb7280e915eb22485008a932d9a73345810f0fbf2861285dfb9bbc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69245/

Comments