MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1275be780e28778f4db9b08b70b14d2d2ca9cecac94085c704c9ba4083ec9b6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1275be780e28778f4db9b08b70b14d2d2ca9cecac94085c704c9ba4083ec9b6f
SHA3-384 hash: f89ad92db75f11cea7dbd3ccfd296c8185be4e58af03da4e28e6adfa24eb202df3096d46185216317b916b34fe17b0e9
SHA1 hash: eca2240fad8b39f684ed94037be8368265bcc467
MD5 hash: 738770a68cfda3e6e1561d06e5190b44
humanhash: magazine-jupiter-florida-paris
File name:ΑΠΟΔΕΙΞΗ ΠΛΗΡΩΜΗΣ-pdf.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:1'880'064 bytes
First seen:2020-05-01 12:19:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 49152:+h+ZkldoPK8Yac4W6px6YpXM4ChqMn0ega:X2cPK8JW6px6YpXehqQK
Threatray 2'283 similar samples on MalwareBazaar
TLSH 2295E00273D6C036FFAA92739B6AF24156BD79654123852F13981DB9BC701B2233E763
Reporter abuse_ch
Tags:exe geo GRC HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: cldedicado01.duonet.es
Sending IP: 89.17.204.215
From: Ofichem <cs@ofichem.com>
Reply-To: Ofichem <dustiutd12@hotmail.com>
Subject: ΑΠΟΔΕΙΞΗ ΠΛΗΡΩΜΗΣ
Attachment: ΑΠΟΔΕΙΞΗ ΠΛΗΡΩΜΗΣ-pdf.7z (contains "ΑΠΟΔΕΙΞΗ ΠΛΗΡΩΜΗΣ-pdf.exe")

HawkEye FTP exfil server:
ftp.kassohome.com.tr:21

HawkEye FTP exfil user name:
bringlogs@kassohome.com.tr

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 13:07:02 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
26 of 30 (86.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cj2346aofb3y6tnzwcfxbmknfuwkttwkzfailryezg5eba7mtnxq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
005149b4a8d817af2e11f4aa505878fcb9e7ea38ce96364734ebdc6109fb544b
HawkEye
05b449bf4042b771a25d8d1b850e942325516196b73aba7a70e99f80b996ab2c
HawkEye
0927a3a49404b9de1a120157dc89f931ac98f765a0a452d2c71a7d8daf7a42ff
HawkEye
15d7912a32b51aa783aa0aa7d0098415531f649e441ad9abf15ece3f0baf52ab
HawkEye
18a40f97d649fd2106faeddba94fc124beff44f69b713dbf4b88614f151b6f25
HawkEye
1c8e7015a2423c7a1ca5e7c5cdbb0b7eaf175e2b5983269281bfe9d1c8ee9985
HawkEye
3b2850cd8a54bfdb4c52c45f541c4d97047a28b19d034bbec609389b19019094
HawkEye
c49423c0fce4c71e3bef5bc92441e9510c7f46d54207446df6496128f9780924
HawkEye
c9880b54eff052551b910427ebe39f02e2af781c99336b9f5bbb1a9ba41e0e19
HawkEye
ed52c4fe2b99c0b09a3452a624d8a2b3e10b99063ecfe97492f5d75401526561
HawkEye
+ 2'273 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip 549b54a0c55920c6207de1746a4b724437f6692c085e4f8942fd55086ee32d89

HawkEye

Executable exe 1275be780e28778f4db9b08b70b14d2d2ca9cecac94085c704c9ba4083ec9b6f

(this sample)

  
Dropped by
MD5 6c2d8391fa4cc02ef0b4b883ce587a33
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 549b54a0c55920c6207de1746a4b724437f6692c085e4f8942fd55086ee32d89

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments