MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3eddaec4219ad7d3565593b9f3b28f4196b38d3c739a389683983add08ce48a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3eddaec4219ad7d3565593b9f3b28f4196b38d3c739a389683983add08ce48a
SHA3-384 hash: fd65f56655e126652bc6207f375ccad5eb0b1b16eac27f175206b6d37211d9df44ffcb65459d9e70cfa7d22f44b22c68
SHA1 hash: 6afb1983395d0b649a2d8fac24c15b4614718f98
MD5 hash: a3da0b0e3968b650fcbcd868107e6e0a
humanhash: oklahoma-florida-fourteen-fourteen
File name:PO-n19877.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:1'105'920 bytes
First seen:2020-07-20 08:52:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:YODBudWYrE3oDY97VKQ83GTQfust8xhn6bgVdVxL:XBu/ruo097VKQe7GIgVdV
Threatray 492 similar samples on MalwareBazaar
TLSH 573501C96BA44541D9EDBFF69E628AB44B30AC00F5F1971F1FD0A89F297A793C404722
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: vps.daneielcom.com
Sending IP: 45.95.169.86
From: info@daneielcom.com
Subject: Re: ORDER(RFQ)
Attachment: PO-n19877.001 (contains "PO-n19877.exe")

HawkEye SMTP exfil server:
smtp.mail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
HawkEye
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28831/
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391112
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247903 Sample: PO-n19877.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 11 other signatures 2->47 7 PO-n19877.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\...\WIuOUjRVWRm.exe, PE32 7->27 dropped 29 C:\Users\...\WIuOUjRVWRm.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmp29C9.tmp, XML 7->31 dropped 33 C:\Users\user\AppData\...\PO-n19877.exe.log, ASCII 7->33 dropped 10 RegSvcs.exe 15 6 7->10         started        14 schtasks.exe 1 7->14         started        16 RegSvcs.exe 7->16         started        18 RegSvcs.exe 7->18         started        process5 dnsIp6 35 35.56.3.0.in-addr.arpa 10->35 37 smtp.mail.com 74.208.5.15, 49740, 587 ONEANDONE-ASBrauerstrasse48DE United States 10->37 39 whatismyipaddress.com 104.16.155.36, 443, 49737, 49738 CLOUDFLARENETUS United States 10->39 57 Changes the view of files in windows explorer (hidden files and folders) 10->57 59 Sample uses process hollowing technique 10->59 20 vbc.exe 1 10->20         started        23 vbc.exe 13 10->23         started        25 conhost.exe 14->25         started        signatures7 process8 signatures9 49 Tries to steal Mail credentials (via file registry) 20->49 51 Tries to steal Instant Messenger accounts or passwords 20->51 53 Tries to steal Mail credentials (via file access) 20->53 55 Tries to harvest and steal browser information (history, passwords, etc) 23->55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3eddaec4219ad7d3565593b9f3b28f4196b38d3c739a389683983add08ce48a/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 08:54:08 UTC
AV detection:
34 of 48 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6pw5v3ccdgwx2nlfle5z6ozi6qmwwogty442hclihgb23uem4sfa._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
032f594e26c4a20fc56b06210d294f7134f6c9a51cf30b7125db4683465a6643
HawkEye
0698cbff335f16544c0a97a71df4f0e52ee4dbddf3cadad2ee0ac52103ea8ed2
HawkEye
662e6858fb2067c38af99173b7a3201a148bd9104771badd96868bccc20ec687
HawkEye
7ffbd591d72f33b826c40da82f5f72195ca4af6a311bb934862f3cd190d4fdad
HawkEye
880bba3fa9d2e255ad00cc35d53aa361bcdf739d16064d669a4b21b9a8034f73
HawkEye
9c33a1f6a337e39a99c4480f19e63fbaeee191defcd51c8a908e9af9da8e115c
HawkEye
aed6c9d200b86186575d13e40ed7231c61bba34c0159c19ca6428168019da4f9
HawkEye
c8d4a30dc6aa1224dd98bbb384b54e90ee845cbb0e0e591964868a0be5657897
HawkEye
d4f9f7cd2d03cd2a1ede00200777caac9bd3ca5c337ce6bf6e15a3ff8e53f844
HawkEye
ebd23b0402ce1f9f8d45a37ec77fc89381869a3399aa2d405830e7eb05299ad3
HawkEye
+ 482 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:hawkeye
Link:
https://tria.ge/reports/200720-brbmtxm7t6/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Looks up external IP address via web service
Uses the VBS compiler for execution
Reads user/profile data of web browsers
HawkEye
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3eddaec4219ad7d3565593b9f3b28f4196b38d3c739a389683983add08ce48a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Hawkeye
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect HawkEye in memory
Reference:internal research
Rule name:RAT_HawkEye
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects HawkEye RAT
Reference:http://malwareconfig.com/stats/HawkEye
Rule name:win_hawkeye_keylogger_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

rar 041c0094827037ddee70c1fca832fe21bc156ebb406797e8438f416fbf03af78

HawkEye

Executable exe f3eddaec4219ad7d3565593b9f3b28f4196b38d3c739a389683983add08ce48a

(this sample)

  
Dropped by
MD5 93b406725d88832d492a41500a1d1819
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28831/
  
Dropped by
SHA256 041c0094827037ddee70c1fca832fe21bc156ebb406797e8438f416fbf03af78

Comments