MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cc9a439b0ba13097ff33a8bb0af64130fec5c4f128c5cc4fcec7403e55ff50c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HawkEye

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	2cc9a439b0ba13097ff33a8bb0af64130fec5c4f128c5cc4fcec7403e55ff50c
SHA3-384 hash:	16862fa73ac1f80b8f19a58da578404aaefa450a48660f77f89d76a253bd998c9bdd88fb86bc9e68a48ab2daec737855
SHA1 hash:	c63c29aefc1245fb66f67d0049cc682c76d6287b
MD5 hash:	e132a0c2ded7c6dd950cc745862896b1
humanhash:	item-golf-winner-ceiling
File name:	PI_160420PDF ARJ005634420200429 ,pdf.exe
Download:	download sample
Signature	HawkEye Create hunting rule
File size:	799'744 bytes
First seen:	2020-04-29 11:09:53 UTC
Last seen:	2020-04-30 06:23:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:w6BJVteVna2zakEwk1OMD9NEMdAyE1aV95c+JNo7pyyfvqkLKuB1YHhs15wIjpS6:w6BJVt6Tn0iM8L30
Threatray	1'010 similar samples on MalwareBazaar
TLSH	C605D4C9333B739DF7B794F38C695F1CF86094EB6B017608C354B6A62D0A16C94B6628
Reporter	cocaman
Tags:	exe HawkEye

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.33744818.20408.26547.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Heye

Status:

Malicious

First seen:

2020-04-29 10:45:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fte2ionqxijqs77thkf3bl3ecmh6yxcpckgfzrh45r2ahzk76uga._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	MAL_HawkEye_Keylogger_Gen_Dec18 Create hunting rule
Author:	Florian Roth
Description:	Detects HawkEye Keylogger Reborn
Reference:	https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

rar 4b052753c4ac62ea2b88d0fcc74ef9f2bd1944d733ee603f1fefaa3d9d23171c

HawkEye

exe 2cc9a439b0ba13097ff33a8bb0af64130fec5c4f128c5cc4fcec7403e55ff50c

(this sample)

Delivery method

Other

Dropped by

SHA256 4b052753c4ac62ea2b88d0fcc74ef9f2bd1944d733ee603f1fefaa3d9d23171c

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample