MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e2ac9d4b75c33626c14197dc15c3e92552952cb32c69014bb1b7424e37a758b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e2ac9d4b75c33626c14197dc15c3e92552952cb32c69014bb1b7424e37a758b
SHA3-384 hash: ec0acbeae14b5112a884d641fa158043e9aa213aef5b183183ce9faca09d74a32a364399c809f79802faa6857942c6b9
SHA1 hash: 6567dedafcf07f6cfde622c5fe374eb698ff087e
MD5 hash: 417dacc972315bf2a6995646670e78db
humanhash: oklahoma-crazy-muppet-nebraska
File name:Required Delivery Quotation.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:728'064 bytes
First seen:2020-06-08 06:30:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:+NrHsSDn9mZ+cqKFT1xUojqCFVJjHFIBqo+uZggvAp:sdn+LHFsqFVJGBqo0gvAp
Threatray 2'819 similar samples on MalwareBazaar
TLSH 19F4231163EE8B26E37A07F17872A84047BA46073632EBAD4DD772D75A92B0583D0F53
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: anatoliantrade.com
Sending IP: 103.151.124.21
From: info@anatoliantrade.com
Subject: Quotation Needed
Attachment: Required Delivery Quotation.pdf.gz (contains "Required Delivery Quotation.exe")

HawkEye SMTP exfil server:
mail.gajrias.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 06:32:05 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fyvmtvfxlqzwe3audf64cxb6sjkssuwlgldjaff3dn2cjy32owfq._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0a375c52851b79c5d3be0d18025940bee5f68501c8e18334264f116775e57fa7
HawkEye
2b595bebceff46c9b833e8780fce9bcbc7aace47dfffbb89fca8e42606b5e281
HawkEye
3a2adcac20af82cdb882ab9bd9a1a78ca30f833a488cd13a55daf8ff743271a3
HawkEye
56b02707b5f12fd4e8f79fdd9dd9f7eb82394798317a76e499c7d0d659b2d759
HawkEye
99098b282b5a2190cdb362bd92f8ce2b42dc70121c91680b318fe5aa2443c815
HawkEye
a4b07204b33173093041072e00e88d0083c88b88f634561aabe46ec8992f9332
HawkEye
c0a5e2237ef1901c7a3ee2c15290c8db625a1cb9659e99a86ee474460533aa32
HawkEye
c730e6287aa786e04d22daa4e6c77b504cdf80dc4f09877a15bc79bac84403f6
HawkEye
e140db160590e9d59bcba114a517f2478eac1f730f639487029f2df1bc8d8cc6
HawkEye
f9aa404e6b892570fa59a968eb1e6f2069cb6e6105632e323ae91d7c8005fe57
HawkEye
+ 2'809 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn family:m00nd3v_logger keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-rtxagr1q6x/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Uses the VBS compiler for execution
M00nD3v Logger Payload
HawkEye Reborn
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

gz 4bc3200dfed9ba07ccce8e1bf9a6320e3aea6276c6a258b224c9b4c8a3eaa731

HawkEye

Executable exe 2e2ac9d4b75c33626c14197dc15c3e92552952cb32c69014bb1b7424e37a758b

(this sample)

  
Dropped by
MD5 c23852aefed4de7bd32bb45ef54cc59b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4bc3200dfed9ba07ccce8e1bf9a6320e3aea6276c6a258b224c9b4c8a3eaa731

Comments