MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99098b282b5a2190cdb362bd92f8ce2b42dc70121c91680b318fe5aa2443c815. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99098b282b5a2190cdb362bd92f8ce2b42dc70121c91680b318fe5aa2443c815
SHA3-384 hash: 249644e172ab888d45b457d1f36d3b0a298780a695cd4e9043369247202c66a9fb935c7bba65aaf0964ff39fcb6668e6
SHA1 hash: b900e523e7fdb0ad4df912189346653948df1754
MD5 hash: 58dabb3cafcad9f11c864a29d93f19da
humanhash: whiskey-cup-batman-football
File name:vesseldetails.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:684'544 bytes
First seen:2020-06-08 06:24:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:uDwTYTGwLkRGnQcawp33vZDP8RLzurKYIH1mrAHncQA+6D9:WSwLkRAQcawtMLzuuH12AHcQA+
Threatray 2'132 similar samples on MalwareBazaar
TLSH F3E4235132AD8F26D7FE83F65062084083F5B6573A61FA2D4D83F2E61E727604AD1E1B
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing HawkEye:

HELO: drymar.com
Sending IP: 104.129.25.20
From: DRYMAR SA <chartering@drymar.com>
Subject: MV TINA SAILED FROM KRISHNAPATNAM
Attachment: vesseldetails.zip (contains "vesseldetails.exe")

HawkEye SMTP exil server:
mail.oms.com.sg:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.67676.7209.21152.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 06:26:06 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=teeywkblliqzbtntmk6zf6gofnbny4asdsiwqczrr7s2ujcdzakq._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0a375c52851b79c5d3be0d18025940bee5f68501c8e18334264f116775e57fa7
HawkEye
2e2ac9d4b75c33626c14197dc15c3e92552952cb32c69014bb1b7424e37a758b
HawkEye
3a2adcac20af82cdb882ab9bd9a1a78ca30f833a488cd13a55daf8ff743271a3
HawkEye
95acc9e5d834d2fbd969547ccac5209bb66cffe2fcf772ba33267423961d3fd9
HawkEye
a4b07204b33173093041072e00e88d0083c88b88f634561aabe46ec8992f9332
HawkEye
c0a5e2237ef1901c7a3ee2c15290c8db625a1cb9659e99a86ee474460533aa32
HawkEye
c730e6287aa786e04d22daa4e6c77b504cdf80dc4f09877a15bc79bac84403f6
HawkEye
d12d7f07071e59df09d70cae377fc3e41b35a098d5096f7437ce17b59f74fd64
HawkEye
e83be3e4db904d9f9896cd039170dc3fba0f316b6be60affea209aae96da71b8
HawkEye
f9aa404e6b892570fa59a968eb1e6f2069cb6e6105632e323ae91d7c8005fe57
HawkEye
+ 2'122 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn family:m00nd3v_logger keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-yvc339y8sj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
M00nD3v Logger Payload
HawkEye Reborn
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip 202711cb7c027ea341302d92dee09c713871e52b86df1325c837d355a9ab2190

HawkEye

Executable exe 99098b282b5a2190cdb362bd92f8ce2b42dc70121c91680b318fe5aa2443c815

(this sample)

  
Dropped by
MD5 3ef015a723eb4b629ff8d4c2599674c8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 202711cb7c027ea341302d92dee09c713871e52b86df1325c837d355a9ab2190

Comments