MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa228078490ab490d0990eade1bf3900837b83db09ac9b245d932106ba565e48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa228078490ab490d0990eade1bf3900837b83db09ac9b245d932106ba565e48
SHA3-384 hash: 85fdea8e5554f26e0864dc97731bb4e579b4ee9970073af1c9af3643261c1d5fd00d7efd0c0bb979178b163b8623613a
SHA1 hash: 265b8fb5a4d43c1b4e4730845db8613fb8950902
MD5 hash: e20ff757a8a3e61cd78528c83d8dc796
humanhash: five-mississippi-robert-beer
File name:SecuriteInfo.com.Trojan.AutoIt.449.29642.1194
Download: download sample
Signature HawkEye
Create hunting rule
File size:1'771'008 bytes
First seen:2021-12-10 12:36:06 UTC
Last seen:2025-04-26 17:40:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 49152:wh+ZkldoPK8YaAhtlDzYRGEqO64glOTRu:x2cPK8CPzCYOalUR
Threatray 2'156 similar samples on MalwareBazaar
TLSH T1DB85D0027391C025FEAEA1735B55B24186BCED25073384FF12A4AE79AA711E11F3D36E
File icon (PE):PE icon
dhash icon 9b9d876321393b2f (1 x HawkEye)
Reporter SecuriteInfoCom
Tags:exe HawkEye

Intelligence

File Origin
# of uploads :
2
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.AutoIt.449.29642.1194
Verdict:
Malicious activity
Analysis date:
2021-12-10 12:44:48 UTC
Tags:
keylogger hawkeye stealer trojan
Link:
https://app.any.run/tasks/e68d9cce-5147-4011-a841-e8a2e9fee7c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
HawkEyev9
Create hunting rule
Link:
https://www.capesandbox.com/analysis/213181/
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a process with a hidden window
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1559/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckNumberOfProcessor
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit greyware hacktool keylogger packed
Link:
https://www.filescan.io/uploads/61b349ef4d8e6f3a5e1f5f9e/reports/49979e50-097c-4733-bf3a-af110ff1f26a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/708b975a-f97c-45c8-80fc-a8fd74ef19ab
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/905326
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Contains functionality to inject code into remote processes
Detected HawkEye Rat
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa228078490ab490d0990eade1bf3900837b83db09ac9b245d932106ba565e48/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2019-06-03 08:24:01 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
26 of 45 (57.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7iria6cjbk2jbuezb2w6dpzzacbxxa63bgwjwjc5smqqnoswlzea._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
05b449bf4042b771a25d8d1b850e942325516196b73aba7a70e99f80b996ab2c
HawkEye
1275be780e28778f4db9b08b70b14d2d2ca9cecac94085c704c9ba4083ec9b6f
HawkEye
32fb7194d5178f901a6ff8687084d7d1875690c4a8bcab1051d3565646aa760e
HawkEye
3b2850cd8a54bfdb4c52c45f541c4d97047a28b19d034bbec609389b19019094
HawkEye
6810169d25d00430652e3ee482cfd4a9f84318dff9500153ff5612c3bffc5312
HawkEye
6c5a6f6633d4de0bb04b962dc15cf213760b7914967809c18bfbbf48355941a2
HawkEye
815ce26a2608e755bb5d9d029bd9f4f7dffe8fc1ea2105ab3b1fb1d92fc45198
HawkEye
83aed4ae8d1c8c859858f028fb69c8ded9f06538bbf46b4909ee04c4e7cf838f
HawkEye
bfdee56be2464c574a71e8997b896de7841dbd9bb473219edd52c3c5ce2ceeab
HawkEye
e9b0b404b2f45022b5df9bb813d9340bf54dde24d353d7020cca6ca5d40a91cf
HawkEye
+ 2'146 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn family:m00nd3v_logger collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211210-ptf99shgel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Looks up external IP address via web service
Uses the VBS compiler for execution
M00nD3v Logger Payload
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
HawkEye Reborn
M00nd3v_Logger
Unpacked files
SH256 hash:
97f2530a630b01d98296aeee294376529c01de43afeda606e7f348175f978f2e
MD5 hash:
d6c5a866cb7194a7dc466ce183d284f5
SHA1 hash:
96dfc618745b47d2f9f5b0bfae8169db02f52b98
Detections:
win_hawkeye_keylogger_auto
Create hunting rule
Link:
https://www.unpac.me/results/cad10777-b9a6-4bc3-acce-d436022cf9c9/
Parent samples :
6810169d25d00430652e3ee482cfd4a9f84318dff9500153ff5612c3bffc5312
14396bfa106633749adc71005e510fa870dd635d0f1465775d56939b8fabc895
6e576c6aee1a0e3adf5e36c0ae52d1eda0ec0171fe8163bb0983f62a0e23c0da
e773f60aeb241f884b4f932d7ddd4e31c87f31781d5bd53d8583b3d54807a449
fa38ec9464602a1727813004fc616d9d0359c37da01b7d07c3e38784c0b2a46d
de1730eddefee2b8d8193d92b02fc5a3fd1bf6d54c6f55eff53c85c8a2501a79
691cb999c6be0f430c14a9411abf6796f174c8d8f3c3edc4b819b3b35972d832
0a0e7c81912b02e6ec1c7fbb338f4ef200e23d441d57c692cc88fef616593f0d
752efe9ad078a9be4a82b6f7c2123d58c90a1456287390b50df9e9c3292bc490
70ef3c88a90dd590de9a0ac4634b5017f35ea6dedec14f3cc3b5d9eeb3ca84a2
fa228078490ab490d0990eade1bf3900837b83db09ac9b245d932106ba565e48
c2d23332a28fd0f2f0b404e53d9820ba0f5f8070043cfa0b2fbb18a4a33466b6
SH256 hash:
54c39ec66c7b3abc097343d81496deda1d41299f321abe7af9797fdd9e9ca922
MD5 hash:
479d634b8cdc46beddfcb661074c0b5b
SHA1 hash:
7f372306cf0993805f47811c5a9eedff623a5a93
Detections:
win_hawkeye_keylogger_auto
Create hunting rule
Link:
https://www.unpac.me/results/cad10777-b9a6-4bc3-acce-d436022cf9c9/
Parent samples :
6810169d25d00430652e3ee482cfd4a9f84318dff9500153ff5612c3bffc5312
14396bfa106633749adc71005e510fa870dd635d0f1465775d56939b8fabc895
6e576c6aee1a0e3adf5e36c0ae52d1eda0ec0171fe8163bb0983f62a0e23c0da
e773f60aeb241f884b4f932d7ddd4e31c87f31781d5bd53d8583b3d54807a449
fa38ec9464602a1727813004fc616d9d0359c37da01b7d07c3e38784c0b2a46d
de1730eddefee2b8d8193d92b02fc5a3fd1bf6d54c6f55eff53c85c8a2501a79
691cb999c6be0f430c14a9411abf6796f174c8d8f3c3edc4b819b3b35972d832
0a0e7c81912b02e6ec1c7fbb338f4ef200e23d441d57c692cc88fef616593f0d
752efe9ad078a9be4a82b6f7c2123d58c90a1456287390b50df9e9c3292bc490
70ef3c88a90dd590de9a0ac4634b5017f35ea6dedec14f3cc3b5d9eeb3ca84a2
fa228078490ab490d0990eade1bf3900837b83db09ac9b245d932106ba565e48
c0498d7a70e78c236241d0e91b3bb599c1961ea62a10bd76a16fe7b18824f646
c2d23332a28fd0f2f0b404e53d9820ba0f5f8070043cfa0b2fbb18a4a33466b6
SH256 hash:
400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
MD5 hash:
54e8ded7b148a13d3363ac7b33f6eb06
SHA1 hash:
63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
Link:
https://www.unpac.me/results/cad10777-b9a6-4bc3-acce-d436022cf9c9/
Parent samples :
e6b3160e17f1c4c0ce9136d7e19089f9e7e759bbd2989c27f8eb6083a627bfb9
c0498d7a70e78c236241d0e91b3bb599c1961ea62a10bd76a16fe7b18824f646
c2d23332a28fd0f2f0b404e53d9820ba0f5f8070043cfa0b2fbb18a4a33466b6
SH256 hash:
81153da7d40df8826b88c8748b90a69a9034c758e4b89c90230abafc17ed5216
MD5 hash:
40d2402aed5e4e951f7ff76fed5a2c80
SHA1 hash:
b4549a68d852f3ef4b7bff04f90208e0d90b24d4
Detections:
win_hawkeye_keylogger_g0
Create hunting rule
Link:
https://www.unpac.me/results/cad10777-b9a6-4bc3-acce-d436022cf9c9/
SH256 hash:
fa228078490ab490d0990eade1bf3900837b83db09ac9b245d932106ba565e48
MD5 hash:
e20ff757a8a3e61cd78528c83d8dc796
SHA1 hash:
265b8fb5a4d43c1b4e4730845db8613fb8950902
Link:
https://www.unpac.me/results/cad10777-b9a6-4bc3-acce-d436022cf9c9/
Malware family:
MailPassView
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fa228078490a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa228078490ab490d0990eade1bf3900837b83db09ac9b245d932106ba565e48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_HawkEyeV9
Create hunting rule
Author:ditekshen
Description:Detects HawkEyeV9 payload
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18_RID324D
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_NAME_ConfuserEx
Create hunting rule
Author:Arnim Rupp
Description:Detects ConfuserEx packed file
Reference:https://github.com/yck1509/ConfuserEx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/213181/

Comments