MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d98e18806cb0b478899854bf39ff2388225501a109405db1816066643224ce8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d98e18806cb0b478899854bf39ff2388225501a109405db1816066643224ce8
SHA3-384 hash: 84fc7adff2ee5cd40132b1ca3ecb81e418d7155e938a623216d2a675f112f88898db5922a322cab5451dcd87508cc314
SHA1 hash: 9f524eb8885d317554d7624ff55be70934b22e56
MD5 hash: 696095ddf9ccfeb0f5ae1ed6aac3ade7
humanhash: july-lima-quiet-papa
File name:59818 STS 939_pdf.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:243'712 bytes
First seen:2020-05-04 22:10:22 UTC
Last seen:2020-05-04 23:24:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:QgLrVx9ESrEMeN98UOWY7bdtwMbHz7WbSjDe8OuoQGTHW2BbLgAPY8/eAZVCegTM:QawSRfUOWkxtvz7R4d9bMA/eArY
Threatray 177 similar samples on MalwareBazaar
TLSH 9E34277C6DF8137BDEB8C5B94FE0C80BF260A16370859EADD8EB13858656A4635C113E
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: 049215.vps-10.com
Sending IP: 91.109.4.192
From: Amir <taremiha@hydropolymar.net>
Subject: Re: Invoice: Hydropolymer GmbH - CH-IR-0104-34-2019-V1.0
Attachment: 59818 STS 939_pdf.rar (contains "59818 STS 939_pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EJWG.12775.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 22:36:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
26 of 30 (86.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dwmodcagzmfupcezqvf7hh7shcbckua2cckalwyycydgmqzcjtua._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
0722cedd5a2e4a5a4c94ac988f14800a6a83a8c7147f7ef52b47ae86571384e2
HawkEye
1feba709f7083e662329bd86c2058ed16e38b02334f315016a9cdd27d7775734
HawkEye
2098570ad2409972b98272b9022cbe4b732973431e74302b95fd2918157ce23f
HawkEye
35cca711eeab74520897fa7d78a5228861e9eb0bd2f66e1aa3810784acf4f11c
HawkEye
512081dd7ccc20821c4407ad3bf16a38a0ac1168515f45e34417a353b9044293
HawkEye
517d8b2852f709db4e9899576e5e1b1b848427b7e0829a7f918a6dc8875772b9
HawkEye
5918e30cb966887490edeff33dfd08eee8bc3e0e5221a7c20ef1378bd813cc10
HawkEye
b0ffdd919be61a2c5329c7321a3beb4bbbd0a9a2d413e6a11d7f6803c662d04d
HawkEye
e4319ba20af83dd8ba6041fd70c3c27dc2c79c648de642487fc1a217e0549fc8
HawkEye
facf028923bb080f70fa54f8c547679651df7d1dbb618cdeda7b16f8fb0f4005
HawkEye
+ 167 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:m00nd3v_logger rezer0 spyware stealer
Link:
https://tria.ge/reports/201109-sh2tl6y5ve/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
M00nD3v Logger Payload
rezer0
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

rar eb08d9bc0e2c38804f199a05797f1cc9e9dbf813e73a8f751a6a0cad5bf50192

HawkEye

Executable exe 1d98e18806cb0b478899854bf39ff2388225501a109405db1816066643224ce8

(this sample)

  
Dropped by
MD5 ed841ad45e31efb16983de6164e3519e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 eb08d9bc0e2c38804f199a05797f1cc9e9dbf813e73a8f751a6a0cad5bf50192

Comments