MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c465e2bc55d216e37231efbfdfeed00eeb244c2f688716a1c9c9d45ca4cc0ac0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c465e2bc55d216e37231efbfdfeed00eeb244c2f688716a1c9c9d45ca4cc0ac0
SHA3-384 hash: c952d0b5ce5d1ab97f0af2213bc1d88969648f5e83f7cfc206fdcbe7d16be3f7b946d4f5f8d002d7634965e60e833f18
SHA1 hash: d75a0a5ae29371af17eca67e2d841368c22b12f4
MD5 hash: b7d182b52a2d9e1c06063c1102f02806
humanhash: mississippi-yankee-white-colorado
File name:Delivery Note - AWD 200038485852- 2349203968876.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:893'440 bytes
First seen:2020-05-04 21:10:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 226840561775b99befbf510bf424651d (8 x AgentTesla, 4 x Loki, 2 x NanoCore)
ssdeep 24576:hF/Ds4LoVX1hagvZVxFgKmPi1yO/6lBBpsnR:3JMbh9VxFgSUO/gunR
Threatray 2'695 similar samples on MalwareBazaar
TLSH E815BFE2B1904C3FC1A32A3D8C4B9754A92EFE512E2465813BF51D4C5F387A13AED197
Reporter abuse_ch
Tags:DHL exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: server.dz-techgroup.it
Sending IP: 217.61.37.47
From: DHL Express <katewright_dhl@gmail.com>
Subject: Failed DHL Delivery Notification
Attachment: Delivery Note - AWD 200038485852- 2349203968876.gz (contains "Delivery Note - AWD 200038485852- 2349203968876.exe")

HawkEye FTP exfil server:
ftp.southeating.com:21

HawkEye FTP exfil user name:
ddd@southeating.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Remcos-7759529-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 13:10:49 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yrs6fpcv2ilog4rr567573wqb3vsitbpncdrniojzhkfzjgmblaa._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
213be9dcf549c1f170df21b37fd93ac8174cae220dc21872bab3bdbfcdcce66e
HawkEye
4baf908e1965d8126d27be6eda11a4153c94ac0350e4d4856af65c60af4dfdcd
HawkEye
5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b
HawkEye
6bd0bafbf71604a763081677bfa46355b40bc53d66fd70d46ce65b9232a273e5
HawkEye
b9ea5f0f13a8c5d170bf1963a68020c3df25a9ad376e721accfcd96e83a81d08
HawkEye
c271672581636a2e9c2ee6f37539e943ec60988136a81a657f7ed07f4e21b45a
HawkEye
cc883ff2da665b29da191f3e5ada7da98810684658676f84dc6275d98f52f151
HawkEye
ea20eb1a2d508640fc12743bce90d5ce169ea87fd394a701359429498aef934c
HawkEye
f1cb5ac38489df6bd48129c7b483df8990d0dc8a104f0f49a85842dd1266d163
HawkEye
fa933a52aefddd4d8afc31c031c7e2e2fe18a8e64caec310b0ea1a7ea2fe744f
HawkEye
+ 2'685 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn family:m00nd3v_logger keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-d5zwnxc46j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
UPX packed file
M00nD3v Logger Payload
HawkEye Reborn
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

gz bf4f525ce506d9319790081b55769a928996569d65e9f8da6e4bdfebb4887e9a

HawkEye

Executable exe c465e2bc55d216e37231efbfdfeed00eeb244c2f688716a1c9c9d45ca4cc0ac0

(this sample)

  
Dropped by
MD5 d17be49e526972ecc3d59eabccbc4387
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bf4f525ce506d9319790081b55769a928996569d65e9f8da6e4bdfebb4887e9a

Comments