MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aff4e29973c297fd764b3ba81237afd91912f51f9a4babfd766ce80f9ace2676. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aff4e29973c297fd764b3ba81237afd91912f51f9a4babfd766ce80f9ace2676
SHA3-384 hash: f3720e0649cad3f136432aff7c6d8d60607b0e3d4104c52ef045d2bfd6576c09791dfe30a71e7aab1a23e86c6e9acc07
SHA1 hash: 8d5ddb0f3cce4f300b4c2812211170ad7c7bc5e5
MD5 hash: 67633b0950101ba4edc4c7d3559820a7
humanhash: xray-yellow-iowa-wolfram
File name:C&F.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:817'499 bytes
First seen:2020-10-11 16:40:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c458ff2d515beb8f44158cd3636a7400 (19 x AgentTesla, 6 x NetWire, 3 x HawkEye)
ssdeep 24576:pd7lY1gQp3c2tKpV06U5+a2zEolaDVnxT19XHaeJ:p9+zxtKb0b4f4yaDhxT19Xh
Threatray 198 similar samples on MalwareBazaar
TLSH BC05232AC321CD9DD71460B012EBBCF59820ECE9886C7B616ECDDE5EB875AF25140B17
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: altesoman.com
Sending IP: 107.173.40.220
From: For Al - Alalan Trading LLC (ALTES - LLC) <mangesh@altesoman.com>
Subject: RE: C & F price to Oman for below – as per your scope of supply
Attachment: CF.zip (contains "C&F.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Detection:
HawkEyev9
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69848/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Deleting a recently created file
Creating a window
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
HawkEye MailPassView Ramnit
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487752
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to detect sleep reduction / modifications
Detected HawkEye Rat
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected Keylogger Generic
Yara detected MailPassView
Yara detected Ramnit
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 296318 Sample: C&F.exe Startdate: 11/10/2020 Architecture: WINDOWS Score: 100 30 mail.eagleeyeapparels.com 2->30 32 eagleeyeapparels.com 2->32 34 bot.whatismyipaddress.com 2->34 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 14 other signatures 2->48 8 C&F.exe 1 2->8         started        signatures3 process4 file5 28 C:\Users\user\Desktop\C&Fmgr.exe, PE32 8->28 dropped 56 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 8->56 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->58 60 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->60 62 4 other signatures 8->62 12 C&F.exe 15 7 8->12         started        16 C&Fmgr.exe 1 8->16         started        19 C&F.exe 8->19         started        signatures6 process7 dnsIp8 36 mail.eagleeyeapparels.com 12->36 38 194.167.4.0.in-addr.arpa 12->38 40 2 other IPs or domains 12->40 64 Writes to foreign memory regions 12->64 66 Allocates memory in foreign processes 12->66 68 Sample uses process hollowing technique 12->68 70 Injects a PE file into a foreign processes 12->70 21 vbc.exe 12->21         started        24 vbc.exe 12 12->24         started        26 C:\Users\user\AppData\Local\...\~TMB479.tmp, PE32 16->26 dropped 72 Antivirus detection for dropped file 16->72 74 Multi AV Scanner detection for dropped file 16->74 76 Machine Learning detection for dropped file 16->76 78 Renames NTDLL to bypass HIPS 16->78 file9 signatures10 process11 signatures12 50 Tries to steal Instant Messenger accounts or passwords 21->50 52 Tries to steal Mail credentials (via file access) 21->52 54 Tries to harvest and steal browser information (history, passwords, etc) 24->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aff4e29973c297fd764b3ba81237afd91912f51f9a4babfd766ce80f9ace2676/
Threat name:
Win32.Worm.Ramnit
Create hunting rule
Status:
Malicious
First seen:
2020-10-11 07:32:01 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v72ofgltykl725slhouben5p3emrf5i7tjf2x7lwntua7gwoez3a._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
28753bd34049059e094796e4480f184cb0fdec4f5ca2ba0ffc5cc79bb3a7c1a6
HawkEye
2e00a231db5268aabbf82259fb2f25b541b7877a5d8be339b107dfab1e896338
HawkEye
3c0f1342da1381efcb02db88a6f0c2c5da6006288915b146684e5de5e4bd7a8b
HawkEye
3dd0e88a93b6d4fa561f0ece77fee607262c53a5ecb7164b64c29505b88083a8
HawkEye
76f4037b2878a1f9d902b58becabe775f8f99df45b2c5c80ac9eb61a8da4a255
HawkEye
bbf613ce1f6850b2b62c6f55082ab7b9bcc7f92db0a8ec8f0b495e29cb4988ae
HawkEye
c2689bc7e035365f3aad0880c3f2526da7e6934882be23bef2b7fa20f4b04513
HawkEye
c6043128c116aedacc1be9abbcb74898065374269665a5387960ce47e805c2c0
HawkEye
c944ec2c1c332672384769d2abfbb4f298f9fcaa63b18b4094e1d9779fa82fe0
HawkEye
cb8d412bcde5007a389cfbf650e356fc4aca9c56499594af40306234e85c52db
HawkEye
+ 188 additional samples on MalwareBazaar
Result
Malware family:
hawkeye_reborn
Create hunting rule
Score:
  10/10
Tags:
upx stealer spyware family:m00nd3v_logger keylogger trojan family:hawkeye_reborn
Link:
https://tria.ge/reports/201011-1z2lvpkafx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Executes dropped EXE
UPX packed file
M00nD3v Logger Payload
ServiceHost packer
HawkEye Reborn
M00nd3v_Logger
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
00f4f4b81c6f83f070325f959b2cb2d1ca03bf4f3cc4844c992c89b79b42d06e
MD5 hash:
48b509fb36e3a89d26c903317a2f4a3e
SHA1 hash:
76b2e7375bce1f6e194c6df32dd312c9d3c88422
Link:
https://www.unpac.me/results/9dc49102-07fd-4677-89a7-f61086985e4b/
SH256 hash:
414f642cc634c8f9fe744110f2add77ed0bb2251a8e73c586803ae943f7aeeef
MD5 hash:
dddc5f4656eb88cdcfb211481cb8fe93
SHA1 hash:
de141904a38bb42fd37e9a6a67646c2190e9e998
Detections:
win_hawkeye_keylogger_g0
Create hunting rule
Link:
https://www.unpac.me/results/9dc49102-07fd-4677-89a7-f61086985e4b/
Parent samples :
76f4037b2878a1f9d902b58becabe775f8f99df45b2c5c80ac9eb61a8da4a255
c944ec2c1c332672384769d2abfbb4f298f9fcaa63b18b4094e1d9779fa82fe0
c2689bc7e035365f3aad0880c3f2526da7e6934882be23bef2b7fa20f4b04513
aff4e29973c297fd764b3ba81237afd91912f51f9a4babfd766ce80f9ace2676
7dfdce0a99eabe706a8f617d20f54ab7c933fd0e702dffed576ea3d5d74aea9d
44f88f1551622a78e7e0cb6cb04b810ce4c58a1dbd6039b1f7248b579e8f9095
32a1d99c12d4bbbf6b20ee43a25cf4dccf34ba30d8d40dc68d9c59d4c7ba25d5
39ae83af1cd715dadb50a266b91587dab04fffa94d2aa923c03cff634265f9ec
SH256 hash:
400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
MD5 hash:
54e8ded7b148a13d3363ac7b33f6eb06
SHA1 hash:
63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
Link:
https://www.unpac.me/results/9dc49102-07fd-4677-89a7-f61086985e4b/
Parent samples :
e6b3160e17f1c4c0ce9136d7e19089f9e7e759bbd2989c27f8eb6083a627bfb9
c0498d7a70e78c236241d0e91b3bb599c1961ea62a10bd76a16fe7b18824f646
c2d23332a28fd0f2f0b404e53d9820ba0f5f8070043cfa0b2fbb18a4a33466b6
SH256 hash:
54241d67c33e245742af873dc6e61558b837618a3c03eb055695587e3ddf8740
MD5 hash:
b15ffed0dc3932b66ab628d422b18f70
SHA1 hash:
99e0ea3021640282792f2914a4d7e6626fca9df8
Detections:
win_hawkeye_keylogger_auto
Create hunting rule
Link:
https://www.unpac.me/results/9dc49102-07fd-4677-89a7-f61086985e4b/
Parent samples :
76f4037b2878a1f9d902b58becabe775f8f99df45b2c5c80ac9eb61a8da4a255
c944ec2c1c332672384769d2abfbb4f298f9fcaa63b18b4094e1d9779fa82fe0
c2689bc7e035365f3aad0880c3f2526da7e6934882be23bef2b7fa20f4b04513
aff4e29973c297fd764b3ba81237afd91912f51f9a4babfd766ce80f9ace2676
7dfdce0a99eabe706a8f617d20f54ab7c933fd0e702dffed576ea3d5d74aea9d
44f88f1551622a78e7e0cb6cb04b810ce4c58a1dbd6039b1f7248b579e8f9095
32a1d99c12d4bbbf6b20ee43a25cf4dccf34ba30d8d40dc68d9c59d4c7ba25d5
39ae83af1cd715dadb50a266b91587dab04fffa94d2aa923c03cff634265f9ec
ef24fa91dc24e348f6ef60f53e36cb53150950aa1301469b7ee747523bc43f65
b926b9c322ee16dc0ea54330428658cda75dc84a1a58ef88ebec2572d87d850b
c5845be19adb4e49adb11f5c276835d1f2d11c2d277da2dc265968bb6edb4c2d
a1416f15382642c1bcf6fafac052bcd38900409be007f54414942e405c18ff73
SH256 hash:
e6ad1a92f06a4ec4847d2d40623131fdd237b1c013f93f77d4d28d568edcad06
MD5 hash:
1001f375be22e77a232e8836ea3721ed
SHA1 hash:
d7e960a487023fac393aa6f5943ef473fdcaa6ae
Detections:
win_hawkeye_keylogger_auto
Create hunting rule
Link:
https://www.unpac.me/results/9dc49102-07fd-4677-89a7-f61086985e4b/
Parent samples :
76f4037b2878a1f9d902b58becabe775f8f99df45b2c5c80ac9eb61a8da4a255
c944ec2c1c332672384769d2abfbb4f298f9fcaa63b18b4094e1d9779fa82fe0
c2689bc7e035365f3aad0880c3f2526da7e6934882be23bef2b7fa20f4b04513
aff4e29973c297fd764b3ba81237afd91912f51f9a4babfd766ce80f9ace2676
7dfdce0a99eabe706a8f617d20f54ab7c933fd0e702dffed576ea3d5d74aea9d
44f88f1551622a78e7e0cb6cb04b810ce4c58a1dbd6039b1f7248b579e8f9095
32a1d99c12d4bbbf6b20ee43a25cf4dccf34ba30d8d40dc68d9c59d4c7ba25d5
39ae83af1cd715dadb50a266b91587dab04fffa94d2aa923c03cff634265f9ec
SH256 hash:
4924e0c81fdb47ac113b81db0fbd01c3bb63ec066e86fdc1adf3667e7eac6590
MD5 hash:
8538307d9843dde06fbb3700770538ff
SHA1 hash:
85d7ea52f71c2d1f0fb3da8b5c9f1ddeb41d5159
Detections:
win_hawkeye_keylogger_g0
Create hunting rule
Link:
https://www.unpac.me/results/9dc49102-07fd-4677-89a7-f61086985e4b/
Parent samples :
76f4037b2878a1f9d902b58becabe775f8f99df45b2c5c80ac9eb61a8da4a255
c944ec2c1c332672384769d2abfbb4f298f9fcaa63b18b4094e1d9779fa82fe0
c2689bc7e035365f3aad0880c3f2526da7e6934882be23bef2b7fa20f4b04513
aff4e29973c297fd764b3ba81237afd91912f51f9a4babfd766ce80f9ace2676
7dfdce0a99eabe706a8f617d20f54ab7c933fd0e702dffed576ea3d5d74aea9d
44f88f1551622a78e7e0cb6cb04b810ce4c58a1dbd6039b1f7248b579e8f9095
32a1d99c12d4bbbf6b20ee43a25cf4dccf34ba30d8d40dc68d9c59d4c7ba25d5
39ae83af1cd715dadb50a266b91587dab04fffa94d2aa923c03cff634265f9ec
SH256 hash:
aff4e29973c297fd764b3ba81237afd91912f51f9a4babfd766ce80f9ace2676
MD5 hash:
67633b0950101ba4edc4c7d3559820a7
SHA1 hash:
8d5ddb0f3cce4f300b4c2812211170ad7c7bc5e5
Link:
https://www.unpac.me/results/9dc49102-07fd-4677-89a7-f61086985e4b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aff4e29973c297fd764b3ba81237afd91912f51f9a4babfd766ce80f9ace2676

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_ramnit_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip a26bad6d27acc175eaf401a27458708ecb8950a4c6331a479a6b38bd23b15f20

HawkEye

Executable exe aff4e29973c297fd764b3ba81237afd91912f51f9a4babfd766ce80f9ace2676

(this sample)

  
Dropped by
MD5 ba631067bffb779efc72bff83f84ea4a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69848/
  
Dropped by
SHA256 a26bad6d27acc175eaf401a27458708ecb8950a4c6331a479a6b38bd23b15f20

Comments