MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57f4a2e59ddbdae494c86f258f57973b041c55c4a54ca2631153de0fdf6a0c05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57f4a2e59ddbdae494c86f258f57973b041c55c4a54ca2631153de0fdf6a0c05
SHA3-384 hash: 01a03b232135405b86a28e4bc0000cd2625a0f0ad94f418b54876606fb692deca888958ba350a0b2d45feab257afe60c
SHA1 hash: bae2ebb4ee3a257732ef9d5757ed45e57653a30b
MD5 hash: e56ed4558d3474dd31ee6d66909142c6
humanhash: nineteen-illinois-october-dakota
File name:REQUEST FOR QUOTATION #13032020_pdf.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:991'744 bytes
First seen:2020-05-05 07:33:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'633 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:IG3ZZL8fldujIEvRCJV+KF5eLFHCU2rBYK:IGJt8NdoRvIT+KWFiDB
Threatray 1'574 similar samples on MalwareBazaar
TLSH 2E256C9C365071EFC86BC572DE982C64FA60747B931B8213A06315EDAA4D9ABCF144F3
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: mail.apartacel.com
Sending IP: 187.189.47.210
From: karen@choimesse.com
Subject: FW: URGENT REQUEST FOR QUOTATION
Attachment: REQUEST FOR QUOTATION 13032020_pdf.zip (contains "REQUEST FOR QUOTATION #13032020_pdf.exe")

AgentTesla SMTP exfil server:
mail.crdd.mx:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisE56ED4558D34.13636.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 23:56:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k72kfzm53pnojfgin4sy6v4xhmcbyvoeuvgkeyyrkppa7x3kbqcq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
1275be780e28778f4db9b08b70b14d2d2ca9cecac94085c704c9ba4083ec9b6f
HawkEye
50a0367e0dc806e22c71c7bfcfe9c2446b47dbb7dbba35d0de812e2803d33461
HawkEye
6266401f72539a6707cd55f3e277f6f878e8826af0f2944f7538319c08adc9e7
HawkEye
6c5cbab985bdb5d892675422a21b49c7a364961ca01141bb45ab98d3847d5a5d
HawkEye
6ff9969b0b9d452a37be71de3c3cb1773a4ce604068bdb715ee3f2742d0e3898
HawkEye
b74b3eed1ddcdea79f040a30597fd87e5ed33cc6b4a5082f42680dc4d48d0082
HawkEye
b97c07956f3a215d26bd24049ede64222b5395669ee81aee5e50e21ea708c6c0
HawkEye
bee806a6597b32462f0911d193fa873c14e453f9dd0a7dda050fcb0e03c44bb3
HawkEye
ca2ced5097fc534170c8820bc307d3daa6b1a4c1677dfd945571af6a9ac7df08
HawkEye
efae5ec231c8b0480b191a116e802f713d2a48721d51dea33a904e38d323faa1
HawkEye
+ 1'564 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn family:m00nd3v_logger keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-tymnpj9my6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Uses the VBS compiler for execution
M00nD3v Logger Payload
rezer0
HawkEye Reborn
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip 5aeb66e91ce472bb51cf7f8b2778e05201de3d0ec40bb528967a417374854ad9

HawkEye

Executable exe 57f4a2e59ddbdae494c86f258f57973b041c55c4a54ca2631153de0fdf6a0c05

(this sample)

  
Dropped by
MD5 4e80135962882bf88e54f90154f3c1b0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5aeb66e91ce472bb51cf7f8b2778e05201de3d0ec40bb528967a417374854ad9

Comments