MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e59193170ad7a1da7d91bea0028bb8107a3a305cd91a353822e23924ceda25b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e59193170ad7a1da7d91bea0028bb8107a3a305cd91a353822e23924ceda25b
SHA3-384 hash: 9e2812e9daa95dc99f1dd6ad4c136b06757c557578c3b73fe75fc4f61b910ac0b0a2a927d9de9acc43a61f9fbfd60104
SHA1 hash: 95224949b0bce614207e39eb20f8482f130227e1
MD5 hash: 36b2c67a3f05c5cee99aeac1a1fe577e
humanhash: maryland-nitrogen-pennsylvania-finch
File name:AMSONS BROCHURE.pif
Download: download sample
Signature HawkEye
Create hunting rule
File size:555'520 bytes
First seen:2020-05-04 20:53:13 UTC
Last seen:2020-05-04 21:51:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:uhtJNI27b67ilj6OnYPh5s69mV2asy3i3kDUp1folwmg2Jb9la9b5aI/2eoADT+g:uhtJ37bFnkhf
Threatray 124 similar samples on MalwareBazaar
TLSH EFC4A6AC722072EFC857D462DEA81C74EA5074BBA71F8213902715EDEA4D997CF244F2
Reporter abuse_ch
Tags:HawkEye pif


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: shark.dnsracks.com
Sending IP: 69.175.7.173
From: AMSONS metal products coating LLC <Sales@amsons.ae> <info@conceptgroups.com>
Reply-To: info@conceptgroups.com
Subject: INTRODUCTION - ELECTROPLATING & METAL COATING
Attachment: AMSONS BROCHURE.zip (contains "AMSONS BROCHURE.pif")

HawkEye SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.44270.18099.16188.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 19:00:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 30 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jzmrsmlqvv5b3j6zdpvaakf3qed2hiyfzwi2gu4cfyrzethnujnq._file
Verdict:
malicious
Similar samples:
0b0537b9f976c4a49f1105bc03d252c0cac7a99b9abdb1a020d2966b6a0b1285
HawkEye
2aa941b7340367ad780683ac45b75f8e63b4df7913b4ca6f95e794fd75b36b03
HawkEye
34ea4b1bf96a120fd6f9969babeae255483e42a496cdba637c6ef1f44c2b4287
HawkEye
389875d4c35ff8da276f122cb6b4ebd1b1d65ce5da5c05defefaf40c2609dbaf
HawkEye
57322806d9dc1437a2491cac599aa2df5028184e3deec9d9c45c6b4d003b0132
HawkEye
608a80fead8047545beea311f70ac37dcc5c97fceb2961b9cbea9fb6940dc3eb
HawkEye
6ad2831339a2a6fc8d140c8718cf38fabef9915409bd32cd86221b515b4be629
HawkEye
92276f87f48836d141ee02c8b6f75398ded9a3e4b12b84441e3125933af6c755
HawkEye
b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3
HawkEye
e5caa150b119335b8b2fe8c999f8e801c1e74b010ceb58b794804ea6b4b07c61
HawkEye
+ 114 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:m00nd3v_logger spyware stealer
Link:
https://tria.ge/reports/201109-ex6l79lbws/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
M00nD3v Logger Payload
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip ec7398900295d52aae5d2756cb459df7e4835f4973b2f8c636393285aa1a5320

HawkEye

Executable exe 4e59193170ad7a1da7d91bea0028bb8107a3a305cd91a353822e23924ceda25b

(this sample)

  
Dropped by
MD5 6aed911c2c4dec9fac5c36799e6635bc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ec7398900295d52aae5d2756cb459df7e4835f4973b2f8c636393285aa1a5320

Comments