MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3afef2476572d24d320f6d9b0aea76022bbc6690826544a69a0f3409d904e76a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 3afef2476572d24d320f6d9b0aea76022bbc6690826544a69a0f3409d904e76a
SHA3-384 hash: a6bbd0df0eaa97235bb6a26e476e366aa3940276cf4c6e05b29fe34b11ce0fbff812942f8cfc6e39c10fadda85731a89
SHA1 hash: 271a2e64eee0d7c2ef11e941408e0dfc1221f3cf
MD5 hash: 2cb9093f20d6541f7cf7286f697ab0d2
humanhash: wolfram-hotel-indigo-wisconsin
File name: NEW ROM 01-002361_PDF.exe
Signature: HawkEye
File size: 714'240 bytes
First seen: 2020-07-31 10:18:40 UTC
Last seen: 2020-07-31 11:09:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 12288:ZTd0FbUoOoq+VVsu71g5M9EwtDXoKt4BH0YNIHTfw66EXaGcbN6Uggc5gnAJRkHA:ZsOoqU2u7e0F9t450garpalbQUg3aOb
TLSH: B6E412553250F69FCA5BCF378C142D50EBA0A4225B07E74BAC9722EE958D59BCF102B3
Reporter: @abuse_ch
Tags: exe HawkEye


Twitter (@abuse_ch):

Malspam distributing HawkEye:

HELO: de.uitn.com
Sending IP: 148.251.248.181
From: Mohamed shaban <oa05438@mellitahog.ly>
Reply-To: Mohamed shaban <soomla6384@yahoo.com>
Subject: TOP URGENT_NEW ROM: 01-002361
Attachment: NEW ROM 01-002361_PDF.rar (contains "NEW ROM 01-002361_PDF.exe")

HawkEye SMTP exfil server:
smtp.yandex.com:587

Intelligence


File Origin
# of uploads: 2
# of downloads: 29
Origin country: US (United States)

Mail intelligence
Geo location: CH (Switzerland), Volume: Low
Geo location: Global, Volume: Low

Vendor Threat Intelligence

Result
Threat name: HawkEye MailPassView
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature:
- .NET source code references suspicious native API functions
- Detected HawkEye Rat
- Found malware configuration
- Initial sample is a PE file and has a suspicious name
- Injects a PE file into a foreign processes
- Machine Learning detection for dropped file
- Machine Learning detection for sample
- Malicious sample detected (through community Yara rule)
- Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
- Sample uses process hollowing technique
- Sigma detected: Scheduled temp file as task from temp location
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Tries to steal Instant Messenger accounts or passwords
- Tries to steal Mail credentials (via file access)
- Tries to steal Mail credentials (via file registry)
- Uses schtasks.exe or at.exe to add and modify task schedules
- Yara detected AntiVM_3
- Yara detected HawkEye Keylogger
- Yara detected MailPassView
- Yara detected WebBrowserPassView password recovery tool

Result
Threat name: ByteCode-MSIL.Ransomware.TeslaCrypt
Status: Malicious
First seen: 2020-07-31 01:37:00 UTC
AV detection: 19 of 31 (61.29%)
Threat level: 5/5

Result
Malware family: hawkeye_reborn
Score: 10/10
Tags: spyware stealer family:m00nd3v_logger keylogger trojan family:hawkeye_reborn
Behaviour:
- Suspicious behavior: EnumeratesProcesses
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Uses the VBS compiler for execution
- Reads user/profile data of web browsers
- M00nD3v Logger Payload
- HawkEye Reborn
- M00nd3v_Logger

Result
Threat name: Trojan
Score: 1.00

Yara Signatures


Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: MAL_HawkEye_Keylogger_Gen_Dec18
Author: Florian Roth
Description: Detects HawkEye Keylogger Reborn
Reference: https://twitter.com/James_inthe_box/status/1072116224652324870

Rule name: win_hawkeye_keylogger_g0
Author: Various authors / Slavo Greminger, SWITCH-CERT

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery: Malspam
Malware family: HawkEye
File: Executable exe 3afef2476572d24d320f6d9b0aea76022bbc6690826544a69a0f3409d904e76a (this sample)
Delivery method: Distributed via e-mail attachment