MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b74b3eed1ddcdea79f040a30597fd87e5ed33cc6b4a5082f42680dc4d48d0082. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b74b3eed1ddcdea79f040a30597fd87e5ed33cc6b4a5082f42680dc4d48d0082
SHA3-384 hash: 94332d577031b0646b06c8736c813bb76d8ead021806ef596fc60d8f4794544a097aead2a5b219cd6857cbdd52f9ffc2
SHA1 hash: 40e82373c0e37d705a91acf9abb77eeb09902eb3
MD5 hash: 718a11fc549480e5d31b89249dee8fc0
humanhash: nebraska-carolina-failed-east
File name:VP 17164 RAL 7030 in B Basis doc.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:910'336 bytes
First seen:2020-05-05 11:16:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:6BFidN9xwhmaKtyu/+Vo7Jju6QvKyXjcL2Hcx:qP7KtbB1KbvKyXjcy
Threatray 1'306 similar samples on MalwareBazaar
TLSH 5015BF9C762072EFC867D472DEA82CB8EA50747B931B4213902715ADDA0E997CF254F2
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: server.linux69.papaki.gr
Sending IP: 88.99.0.236
From: Petra Dunzweiler <petra.dunzweiler@rhenocoll.de>
Subject: WG: -Request and availability
Attachment: VP 17164 RAL 7030 in B Basis doc.zip (contains "VP 17164 RAL 7030 in B Basis doc.exe")

HawkEye SMTP exfil server:
mail.crdd.mx:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EJWW.32459.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 11:40:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w5ft53i53tpkphyebiyfs76ypzpngpggwssqql2cnag4jvenacba._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
1275be780e28778f4db9b08b70b14d2d2ca9cecac94085c704c9ba4083ec9b6f
HawkEye
50a0367e0dc806e22c71c7bfcfe9c2446b47dbb7dbba35d0de812e2803d33461
HawkEye
57f4a2e59ddbdae494c86f258f57973b041c55c4a54ca2631153de0fdf6a0c05
HawkEye
6266401f72539a6707cd55f3e277f6f878e8826af0f2944f7538319c08adc9e7
HawkEye
6c5cbab985bdb5d892675422a21b49c7a364961ca01141bb45ab98d3847d5a5d
HawkEye
6ff9969b0b9d452a37be71de3c3cb1773a4ce604068bdb715ee3f2742d0e3898
HawkEye
b97c07956f3a215d26bd24049ede64222b5395669ee81aee5e50e21ea708c6c0
HawkEye
bee806a6597b32462f0911d193fa873c14e453f9dd0a7dda050fcb0e03c44bb3
HawkEye
ca2ced5097fc534170c8820bc307d3daa6b1a4c1677dfd945571af6a9ac7df08
HawkEye
efae5ec231c8b0480b191a116e802f713d2a48721d51dea33a904e38d323faa1
HawkEye
+ 1'296 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn family:m00nd3v_logger keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-pxlejlzvr2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Uses the VBS compiler for execution
M00nD3v Logger Payload
rezer0
HawkEye Reborn
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip 5c689e51184bcd6919cf32c481db807153ebdd24bcc5f3641803000fd6b2eef1

HawkEye

Executable exe b74b3eed1ddcdea79f040a30597fd87e5ed33cc6b4a5082f42680dc4d48d0082

(this sample)

  
Dropped by
MD5 0c1fcb521493add24ed5c6680bba9f58
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5c689e51184bcd6919cf32c481db807153ebdd24bcc5f3641803000fd6b2eef1

Comments