MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15c7c3a3e619c5db49470198804b7a3a6cf925daceeea180fd0b9cc91bb2e4d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15c7c3a3e619c5db49470198804b7a3a6cf925daceeea180fd0b9cc91bb2e4d1
SHA3-384 hash: d3eb0a1f766d437391ab23aa190da41ee3fbaab560fa64ab210d05663d5cd950172e46d23d25abdcb0d46dceb8b6c17b
SHA1 hash: 92433522129ad461a913a9b93375b77ec0cfbe1b
MD5 hash: 71edcf18af1984f6164e817f01901be8
humanhash: georgia-burger-johnny-enemy
File name:DOC131020-13102020161809.pdf.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:836'096 bytes
First seen:2020-11-09 19:31:02 UTC
Last seen:2020-11-15 22:49:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:VgqwEHlsnrrsZNQvt8LFizCkSBFmnYsI2vvCSyQCE/0S+hEPn4KjS8G3PtIm5yCW:a8msmnYsLy7HqPZ7G3PF5yCsNiPQ2
Threatray 442 similar samples on MalwareBazaar
TLSH 6905F131516DEFC3D73D4BF980A522482FF9252B9160FA9CECC520E32557B0A4A64EB7
Reporter abuse_ch
Tags:exe HawkEye Yahoo


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: sonic305-20.consmr.mail.gq1.yahoo.com
Sending IP: 98.137.64.83
From: Nick Tsoi <nick_tsoi@yahoo.com.hk>
Subject: Shipping Documents
Attachment: DOC131020-13102020161809.pdf.rar (contains "DOC131020-13102020161809.pdf.exe")

Intelligence

File Origin
# of uploads :
5
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.11076.9396.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
HawkEye M00nD3v Logger MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/527082
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Detected HawkEye Rat
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected M00nD3v Logger
Yara detected MailPassView
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 312634 Sample: DOC131020-13102020161809.pdf.exe Startdate: 09/11/2020 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 18 other signatures 2->50 7 DOC131020-13102020161809.pdf.exe 6 2->7         started        process3 file4 26 C:\Users\user\AppData\Roaming\XHBTWTBD.exe, PE32 7->26 dropped 28 C:\Users\user\AppData\Local\...\tmp1340.tmp, XML 7->28 dropped 30 C:\...\DOC131020-13102020161809.pdf.exe.log, ASCII 7->30 dropped 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->52 54 Injects a PE file into a foreign processes 7->54 11 DOC131020-13102020161809.pdf.exe 15 18 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 32 pomf.cat 69.39.225.3, 443, 49730, 49734 ASN-GIGENETUS United States 11->32 34 smtp.yandex.ru 77.88.21.158, 49723, 49725, 49727 YANDEXRU Russian Federation 11->34 36 2 other IPs or domains 11->36 56 Tries to harvest and steal browser information (history, passwords, etc) 11->56 58 Writes to foreign memory regions 11->58 60 Sample uses process hollowing technique 11->60 62 Injects a PE file into a foreign processes 11->62 17 vbc.exe 11->17         started        20 vbc.exe 11->20         started        22 vbc.exe 11->22         started        24 conhost.exe 15->24         started        signatures8 process9 signatures10 38 Tries to steal Mail credentials (via file registry) 17->38 40 Tries to steal Instant Messenger accounts or passwords 17->40 42 Tries to steal Mail credentials (via file access) 17->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15c7c3a3e619c5db49470198804b7a3a6cf925daceeea180fd0b9cc91bb2e4d1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-09 15:20:53 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cxd4hi7gdhc5wskhagmias32hjwpsjo2z3xkdah5boomsg5s4tiq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
0846f6019d7fe774dc75d2f35a88769fdd49f99fad217283287f24c1bb54c45e
HawkEye
18f1f0cd31212210131834c74f816f2c7fa78f50019257f714b616dbcb2e2320
HawkEye
56b02707b5f12fd4e8f79fdd9dd9f7eb82394798317a76e499c7d0d659b2d759
HawkEye
5e19889ca24913c6ae660e416467cd2f90f15806d2b1492993874e3d17ebd101
HawkEye
93d92806cff2c0d375bf2fcc33e9c6ebb1697fefa8f25a7d481a639b8159da2d
HawkEye
95acc9e5d834d2fbd969547ccac5209bb66cffe2fcf772ba33267423961d3fd9
HawkEye
bf15b6d8ed1637598fd2d08ae5f619a4c08c6b03372fddfa8f68f6380e735083
HawkEye
d12d7f07071e59df09d70cae377fc3e41b35a098d5096f7437ce17b59f74fd64
HawkEye
e83be3e4db904d9f9896cd039170dc3fba0f316b6be60affea209aae96da71b8
HawkEye
ffb4e1b5e6ac64c969e3f90351eb0d401146f266b6678dfbff611faaf15a311f
HawkEye
+ 432 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn family:m00nd3v_logger keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-zbs3ml13sa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
M00nD3v Logger Payload
HawkEye Reborn
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/15c7c3a3e619c5db49470198804b7a3a6cf925daceeea180fd0b9cc91bb2e4d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

rar 93d37fdcaadcb36470aa67483e05fd43b37cd0aa52bc7829b194634ea7f295f6

HawkEye

Executable exe 15c7c3a3e619c5db49470198804b7a3a6cf925daceeea180fd0b9cc91bb2e4d1

(this sample)

  
Dropped by
MD5 2630f7dc3d57762d5344552115ab8746
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 93d37fdcaadcb36470aa67483e05fd43b37cd0aa52bc7829b194634ea7f295f6

Comments