MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89c63c6bf4dcdd3783947d5445d45d47156f74db90b0e6b01667729715c3ea0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89c63c6bf4dcdd3783947d5445d45d47156f74db90b0e6b01667729715c3ea0c
SHA3-384 hash: 1d99693144e0113b20c556221f12912a8254ddb8e333e9638821f874d308e52df2d197b485915360e97a58bb5243e671
SHA1 hash: 3f3ab4819e3b0ca09365e6dfe991c82e7465c10f
MD5 hash: ca131cf79b960aa7ed5f454f7900f9d5
humanhash: ten-quebec-oklahoma-one
File name:89c63c6bf4dcdd3783947d5445d45d47156f74db90b0e6b01667729715c3ea0c
Download: download sample
Signature HawkEye
Create hunting rule
File size:723'456 bytes
First seen:2020-11-14 18:17:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 679b67b48681c653b0962748e10fca7d (2 x HawkEye)
ssdeep 12288:blxpXXs3VIA+dV1wc9hoTLZOEXwyyR3tWPXxdyB1Z1derOrsIVLva61n9:ZX8lIA+djtro8Wg19
Threatray 121 similar samples on MalwareBazaar
TLSH 12F48EC379601E66F8E54877AB60D3F20C3EC194594FD7E29A7894AD49CC2E20719EF8
Reporter seifreed
Tags:HawkEye

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Ulise-6854100-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a window
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535516
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316857 Sample: W2UKhE4ebB Startdate: 15/11/2020 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 11 other signatures 2->48 7 W2UKhE4ebB.exe 10 2->7         started        11 dwxhyrgxjphnriv.exe 2 2->11         started        process3 file4 28 C:\Users\user\AppData\...\dwxhyrgxjphnriv.exe, PE32 7->28 dropped 30 C:\Users\user\...\dwxhyrgxjphnriv.eu.url, data 7->30 dropped 56 Writes to foreign memory regions 7->56 58 Maps a DLL or memory area into another process 7->58 60 Tries to delay execution (extensive OutputDebugStringW loop) 7->60 13 RegAsm.exe 15 7 7->13         started        62 Antivirus detection for dropped file 11->62 64 Multi AV Scanner detection for dropped file 11->64 66 Machine Learning detection for dropped file 11->66 17 RegAsm.exe 6 11->17         started        signatures5 process6 dnsIp7 32 mail.worldbridge-kr.com 13->32 34 194.167.4.0.in-addr.arpa 13->34 36 bot.whatismyipaddress.com 66.171.248.178, 49712, 49723, 80 ALCHEMYNETUS United States 13->36 68 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 13->68 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->70 72 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->72 80 3 other signatures 13->80 19 vbc.exe 13->19         started        22 vbc.exe 12 13->22         started        38 mail.worldbridge-kr.com 17->38 40 194.167.4.0.in-addr.arpa 17->40 74 Writes to foreign memory regions 17->74 76 Allocates memory in foreign processes 17->76 78 Sample uses process hollowing technique 17->78 24 vbc.exe 17->24         started        26 vbc.exe 12 17->26         started        signatures8 process9 signatures10 50 Tries to steal Instant Messenger accounts or passwords 19->50 52 Tries to steal Mail credentials (via file access) 19->52 54 Tries to harvest and steal browser information (history, passwords, etc) 26->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89c63c6bf4dcdd3783947d5445d45d47156f74db90b0e6b01667729715c3ea0c/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:20:51 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rhddy27u3totpa4upvkelvc5i4kw65g3scyonmawm5zjofod5iga._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
005149b4a8d817af2e11f4aa505878fcb9e7ea38ce96364734ebdc6109fb544b
HawkEye
05bb6d1557363b7f227e458b80ac03806f306e2004364598eb335b5bcb6f191a
HawkEye
0927a3a49404b9de1a120157dc89f931ac98f765a0a452d2c71a7d8daf7a42ff
HawkEye
1275be780e28778f4db9b08b70b14d2d2ca9cecac94085c704c9ba4083ec9b6f
HawkEye
18a40f97d649fd2106faeddba94fc124beff44f69b713dbf4b88614f151b6f25
HawkEye
1c8e7015a2423c7a1ca5e7c5cdbb0b7eaf175e2b5983269281bfe9d1c8ee9985
HawkEye
6c5cbab985bdb5d892675422a21b49c7a364961ca01141bb45ab98d3847d5a5d
HawkEye
b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a
HawkEye
e30457394a1155cb80d2c51170f98be3c246f716010d8ee7441a4971c2b8103d
HawkEye
ef55158b4fe6a2d1094c1978f3c27fab2b0fed72b2f1f15e8a574c79a067ec74
HawkEye
+ 111 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn family:m00nd3v_logger keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201114-ywef3sqtvj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads user/profile data of web browsers
Uses the VBS compiler for execution
M00nD3v Logger Payload
HawkEye Reborn
M00nd3v_Logger
Unpacked files
SH256 hash:
89c63c6bf4dcdd3783947d5445d45d47156f74db90b0e6b01667729715c3ea0c
MD5 hash:
ca131cf79b960aa7ed5f454f7900f9d5
SHA1 hash:
3f3ab4819e3b0ca09365e6dfe991c82e7465c10f
Link:
https://www.unpac.me/results/3fb00c60-b5fd-4f2e-bf38-374944464a34/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
TeslaCrypt
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89c63c6bf4dcdd3783947d5445d45d47156f74db90b0e6b01667729715c3ea0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments