MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bb034cbd16394a007729ff3099c124f7b39b696b5e1db3d5078def6f8437d82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bb034cbd16394a007729ff3099c124f7b39b696b5e1db3d5078def6f8437d82
SHA3-384 hash: fcb7c5e888a6ca130d3903de03741ab4ce1085f8599ea711247b8481b2528df80550c12bbff52a5da5676c5de92621e7
SHA1 hash: c9ed1cb1c822c444626f4252ec07813e08d18286
MD5 hash: 8a0a2bca0b3d798daf56d1e05a6ace87
humanhash: spring-speaker-spaghetti-fillet
File name:SWIFT.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:887'808 bytes
First seen:2020-06-25 13:25:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:sV9/UnOXcoFb0yvllE68tRcdnOh7s+8/FhhKOVxt3ggfX:sTcglzE68tRcdnWgLKOVv
Threatray 1'691 similar samples on MalwareBazaar
TLSH 4815AD2C02FA467CD1E8D677D1D3203193F4590FFD45A6D6A98838AC38BE6E1460ED9B
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: v12.techscape.info
Sending IP: 118.98.75.77
From: customerservice@demajors.com
Subject: SWIFT
Attachment: SWIFT COPY.arj (contains "SWIFT.exe")

HawkEye SMTP exfil email server:
mail.djindustries.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
HawkEyev9
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14334/
Detection(s):
SecuriteInfo.com.Generic.mg.181bf63f744587d9.5579.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1bb034cbd16394a007729ff3099c124f7b39b696b5e1db3d5078def6f8437d82/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-25 13:42:31 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=doydjs6rmokkab3st7zqthasj55ttnuwwxq5wpkqpdppn6cdpwba._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
1275be780e28778f4db9b08b70b14d2d2ca9cecac94085c704c9ba4083ec9b6f
HawkEye
50a0367e0dc806e22c71c7bfcfe9c2446b47dbb7dbba35d0de812e2803d33461
HawkEye
57f4a2e59ddbdae494c86f258f57973b041c55c4a54ca2631153de0fdf6a0c05
HawkEye
6266401f72539a6707cd55f3e277f6f878e8826af0f2944f7538319c08adc9e7
HawkEye
6c5cbab985bdb5d892675422a21b49c7a364961ca01141bb45ab98d3847d5a5d
HawkEye
6ff9969b0b9d452a37be71de3c3cb1773a4ce604068bdb715ee3f2742d0e3898
HawkEye
b97c07956f3a215d26bd24049ede64222b5395669ee81aee5e50e21ea708c6c0
HawkEye
bee806a6597b32462f0911d193fa873c14e453f9dd0a7dda050fcb0e03c44bb3
HawkEye
ca2ced5097fc534170c8820bc307d3daa6b1a4c1677dfd945571af6a9ac7df08
HawkEye
efae5ec231c8b0480b191a116e802f713d2a48721d51dea33a904e38d323faa1
HawkEye
+ 1'681 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware stealer family:m00nd3v_logger keylogger trojan family:hawkeye_reborn
Link:
https://tria.ge/reports/200625-wzfrd1whta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Reads user/profile data of web browsers
M00nD3v Logger Payload
HawkEye Reborn
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip 60a4735f8cacc7d31be0d23d12b4a7cd70c6ba66b4fda9375049780b38e21e0c

HawkEye

Executable exe 1bb034cbd16394a007729ff3099c124f7b39b696b5e1db3d5078def6f8437d82

(this sample)

  
Dropped by
MD5 34bef04c9da31859332e9650243a149b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/14334/
  
Dropped by
SHA256 60a4735f8cacc7d31be0d23d12b4a7cd70c6ba66b4fda9375049780b38e21e0c

Comments