MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56b02707b5f12fd4e8f79fdd9dd9f7eb82394798317a76e499c7d0d659b2d759. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56b02707b5f12fd4e8f79fdd9dd9f7eb82394798317a76e499c7d0d659b2d759
SHA3-384 hash: 77bc77c0a3067b0234c137f30ea51bd5368e72f80fd8f1d833888c0860687207c9a77223c51bbefb9c54461976c098b8
SHA1 hash: 1d48c2c1bd87c68cdeeda3aee856833f10400ed4
MD5 hash: 779713e710d891c7de1bf69bb5557684
humanhash: lima-angel-rugby-eleven
File name:Po reference Details 00001.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:707'072 bytes
First seen:2020-05-22 07:11:16 UTC
Last seen:2020-05-22 08:02:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:5JZXx6Z3NU6up4dIXjIjCLFFC3Gp4B3GOdh00XtQtrfiHiFh2NC:pkZ3e0dIzEWAOZOn5OjiCFhqC
Threatray 2'758 similar samples on MalwareBazaar
TLSH 81E412257BF8AB31D53D0BF950F0502247F8942616A3E7EE4FC2A1D619A37108F95E8B
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: mail.ctree.com
Sending IP: 216.55.178.12
From: <priti@trezaexim.com>
Subject: Quotation reference Details 00001
Attachment: Po reference Details 00001.gz (contains "Po reference Details 00001.exe")

HawkEye SMTP exfil server:
mail.gajjarlaser.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48419.13923.12016.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 04:46:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
24 of 48 (50.00%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
emotet
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
2b595bebceff46c9b833e8780fce9bcbc7aace47dfffbb89fca8e42606b5e281
HawkEye
2e2ac9d4b75c33626c14197dc15c3e92552952cb32c69014bb1b7424e37a758b
HawkEye
5e19889ca24913c6ae660e416467cd2f90f15806d2b1492993874e3d17ebd101
HawkEye
95acc9e5d834d2fbd969547ccac5209bb66cffe2fcf772ba33267423961d3fd9
HawkEye
99098b282b5a2190cdb362bd92f8ce2b42dc70121c91680b318fe5aa2443c815
HawkEye
bf15b6d8ed1637598fd2d08ae5f619a4c08c6b03372fddfa8f68f6380e735083
HawkEye
d12d7f07071e59df09d70cae377fc3e41b35a098d5096f7437ce17b59f74fd64
HawkEye
e140db160590e9d59bcba114a517f2478eac1f730f639487029f2df1bc8d8cc6
HawkEye
e83be3e4db904d9f9896cd039170dc3fba0f316b6be60affea209aae96da71b8
HawkEye
ffb4e1b5e6ac64c969e3f90351eb0d401146f266b6678dfbff611faaf15a311f
HawkEye
+ 2'748 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn family:m00nd3v_logger keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-cyqy4wcwcn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Uses the VBS compiler for execution
M00nD3v Logger Payload
HawkEye Reborn
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

gz 29169cb386ecee24942139f291835dd8e3c1b9f1ac2bbc4b86678190b0ea5074

HawkEye

Executable exe 56b02707b5f12fd4e8f79fdd9dd9f7eb82394798317a76e499c7d0d659b2d759

(this sample)

  
Dropped by
MD5 c0c5e8ddd13886ed8dacb20ce843e8ca
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 29169cb386ecee24942139f291835dd8e3c1b9f1ac2bbc4b86678190b0ea5074

Comments