MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ff9969b0b9d452a37be71de3c3cb1773a4ce604068bdb715ee3f2742d0e3898. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ff9969b0b9d452a37be71de3c3cb1773a4ce604068bdb715ee3f2742d0e3898
SHA3-384 hash: a82d5c1bd8b4486ece35cc7b00004da41bb2be32c4ab28ffe3a9408df256779e67da72f5b552f97ccfd8dc45e1fe2b37
SHA1 hash: 0ce882a3d14e5871978ccf00df6fd371516c7a0d
MD5 hash: a122075e75961b8fa89da61dbc1056a6
humanhash: illinois-timing-princess-red
File name:REQUEST FOR QUOTATION #13032020_pdf.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:759'808 bytes
First seen:2020-05-04 21:47:12 UTC
Last seen:2020-05-04 23:24:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Reb6EgxE4XnMVRWst2Q/mrbk/ALMFR3APMzblvE7utws5ybNamW4TqaVtKu5AmgM:Ib6EQLnMVZGro/A+wPUe5suamW4TGmgM
Threatray 1'203 similar samples on MalwareBazaar
TLSH 8DF401396AE8D917CAAE85B8FC44150457B1C2F69D81F7C989E0F178CC4BBD2294278F
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: mail.apartacel.com
Sending IP: 200.52.172.106
From: karen@choimesse.com
Subject: FW: URGENT REQUEST FOR QUOTATION
Attachment: REQUEST FOR QUOTATION 13032020_pdf.zip (contains "REQUEST FOR QUOTATION #13032020_pdf.exe")

HawkEye SMTP exfil server:
mail.crdd.mx:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject3.39524.21222.12214.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 12:04:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n74zngyltvcsun56ohpdypfro45ezzqea2f5w4k64pzhiliohcma._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
1275be780e28778f4db9b08b70b14d2d2ca9cecac94085c704c9ba4083ec9b6f
HawkEye
50a0367e0dc806e22c71c7bfcfe9c2446b47dbb7dbba35d0de812e2803d33461
HawkEye
57f4a2e59ddbdae494c86f258f57973b041c55c4a54ca2631153de0fdf6a0c05
HawkEye
6266401f72539a6707cd55f3e277f6f878e8826af0f2944f7538319c08adc9e7
HawkEye
6c5cbab985bdb5d892675422a21b49c7a364961ca01141bb45ab98d3847d5a5d
HawkEye
b74b3eed1ddcdea79f040a30597fd87e5ed33cc6b4a5082f42680dc4d48d0082
HawkEye
b97c07956f3a215d26bd24049ede64222b5395669ee81aee5e50e21ea708c6c0
HawkEye
bee806a6597b32462f0911d193fa873c14e453f9dd0a7dda050fcb0e03c44bb3
HawkEye
ca2ced5097fc534170c8820bc307d3daa6b1a4c1677dfd945571af6a9ac7df08
HawkEye
efae5ec231c8b0480b191a116e802f713d2a48721d51dea33a904e38d323faa1
HawkEye
+ 1'193 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn family:m00nd3v_logger keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-35xd64x5ya/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Uses the VBS compiler for execution
M00nD3v Logger Payload
rezer0
HawkEye Reborn
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip 2708fc82b7aeaf97947e437736fe3f1023911d8cdcd45663ed3cb22ffd0a53b7

HawkEye

Executable exe 6ff9969b0b9d452a37be71de3c3cb1773a4ce604068bdb715ee3f2742d0e3898

(this sample)

  
Dropped by
MD5 2424855b0e3f8acefa093d03f808c4fd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2708fc82b7aeaf97947e437736fe3f1023911d8cdcd45663ed3cb22ffd0a53b7

Comments