MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c18ca5bda44004c45e35e8224736bac8da9c64e901a5d3342a9834cb43d93ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c18ca5bda44004c45e35e8224736bac8da9c64e901a5d3342a9834cb43d93ae
SHA3-384 hash: cce803d0cd1505bc7b421ac7362f192c930a133d55740e52262622633e37a6dc4c2c15d0289db49119123ec0d7b993c9
SHA1 hash: 6ba26c288fffc99c52398e263e674be81dfd1369
MD5 hash: 547223749b48c3f000614ee2d8a6cf1d
humanhash: earth-vegan-fix-mockingbird
File name:STOCK LIST.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:661'504 bytes
First seen:2020-05-19 14:24:33 UTC
Last seen:2020-05-19 14:54:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:N2ntpFIZ3YeO/kCPCRRs5QdzKFrcfLtGAXfS8J8:sYo9/kCP95CzKI4ka8
Threatray 7'247 similar samples on MalwareBazaar
TLSH AFE42344279E2BB1C0795FF42C31241997F6F1B8B662EF8C4ED1B0F61A72B44A560DA3
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: mx01.00gate.com
Sending IP: 81.208.42.115
From: 참비 <tlswls1101@hanmail.net>
Subject: FW: FW: New purchase order Y189655 2x40
Attachment: STOCK LIST.exe.img (contains "STOCK LIST.exe")

HawkEye FTP exfil server:
ftp.anuarul-sanatatii.ro:21

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.49052.857.1285.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 14:37:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
25 of 48 (52.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nqmmuw62iqaeyrpdl2bci43lvsg2trsosanf2m2cvgbuznb5soxa._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
13f51d450568dc6ee7223eb76584d17417a2ef85141e74720445cfba0b10ad5d
HawkEye
1de91436b3674fb28cbbfb0a16ccc2f428598b3eff15bafefbe82939cd423835
HawkEye
3dd0e88a93b6d4fa561f0ece77fee607262c53a5ecb7164b64c29505b88083a8
HawkEye
87577cf9a668390b93b9fe82794b21cd0579d4b1a7b4f0a4d0b841d03d046daa
HawkEye
a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e
HawkEye
ad89c1a605bbc657714b5c70d3fe0311875cfe7b5730b5b2a2012e177f989890
HawkEye
bbf613ce1f6850b2b62c6f55082ab7b9bcc7f92db0a8ec8f0b495e29cb4988ae
HawkEye
e842dbdc4b41d7516d87ccc21fa365b93c4c94ce5a75dc6f06321f90efa19e29
HawkEye
f46f7af124b25fff7a984b802bfa9f1f01f1efcc3416221aa9b6254150ac9667
HawkEye
fbdf3aed799b476ec4a89b100195efd05bcbc7d51728dd2415ce2c506b4b72cf
HawkEye
+ 7'237 additional samples on MalwareBazaar
Result
Malware family:
hawkeye_reborn
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-pspm61dm5n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Uses the VBS compiler for execution
HawkEye Reborn
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

img d0bf951c0f9284f24615c8fd5f3a1f867516c1322ea618fe9b83ed45a90d63d9

HawkEye

Executable exe 6c18ca5bda44004c45e35e8224736bac8da9c64e901a5d3342a9834cb43d93ae

(this sample)

  
Dropped by
MD5 c73cabbded52931d966a8cc16e5a7350
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d0bf951c0f9284f24615c8fd5f3a1f867516c1322ea618fe9b83ed45a90d63d9

Comments