MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b27c248040351b85f805c45a12dd85396824a1a3388225138d46924a9edd3788. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b27c248040351b85f805c45a12dd85396824a1a3388225138d46924a9edd3788
SHA3-384 hash: a298cb32f107d1f8539c5e38bb09c04b0fe19ecdd9bda0d6d9767f8ba358eb6e94d06b479ee933c97d0751f84a2e26de
SHA1 hash: 6f0f88b28b0e06970306cb94cb3acf04a3a71973
MD5 hash: 39f15e1f1cd7fd2ab1d7f0cd2d7ada94
humanhash: maine-bacon-seven-violet
File name:Scan Copy26042018,JPEG.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:1'653'760 bytes
First seen:2020-10-23 14:46:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2339ac77bf9371500ebbf86df3a10d43 (8 x njrat, 4 x LgoogLoader, 3 x RedLineStealer)
ssdeep 24576:wyVdOxLFDApSPKk48q506nH9ixFYGSKysohjfksmB50vWhM:3ViLFssPH48Pkitys1xHeWh
Threatray 953 similar samples on MalwareBazaar
TLSH B77522D593D68637C0A76B7452AB2B233F75F8607B24829B5221E46C5C327A0FE35327
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: customer0.extendcp.co.uk
Sending IP: 79.170.44.69
From: steve crane <stevecrane425@yahoo.com>
Reply-To: steve crane <stevecrane425@yahoo.com>
Subject: Re: Invoice
Attachment: Scan Copy26042018,JPEG.zip (contains "Scan Copy26042018,JPEG.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
HawkEyev9
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75080/
Detection(s):
Win.Malware.Ototi-6591407-0
Create hunting rule

SecuriteInfo.com.BackDoor.Generic19.BMJZ.21232.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a process from a recently created file
Creating a window
Moving a recently created file
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/508220
Signature
Antivirus / Scanner detection for submitted sample
Drops PE files to the user root directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303230 Sample: Scan Copy26042018,JPEG.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 72 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Uses schtasks.exe or at.exe to add and modify task schedules 2->42 8 Scan Copy26042018,JPEG.exe 1 6 2->8         started        11 rundll32.exe 2->11         started        13 pkeipq.exe 1 2->13         started        process3 file4 30 C:\Users\user\AppData\Local\...\pkeipq.exe, PE32 8->30 dropped 15 pkeipq.exe 1 3 8->15         started        process5 dnsIp6 32 192.168.2.1 unknown unknown 15->32 28 C:\Users\user\pkeipq.exe, PE32 15->28 dropped 34 Multi AV Scanner detection for dropped file 15->34 36 Drops PE files to the user root directory 15->36 20 cmd.exe 1 15->20         started        22 pkeipq.exe 15->22         started        file7 signatures8 process9 process10 24 conhost.exe 20->24         started        26 schtasks.exe 1 20->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b27c248040351b85f805c45a12dd85396824a1a3388225138d46924a9edd3788/
Threat name:
Win32.Trojan.AitInject
Create hunting rule
Status:
Malicious
First seen:
2018-04-26 09:28:32 UTC
AV detection:
27 of 48 (56.25%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wj6cjacagunyl6afyrnbfxmfhfucjindhcbcke4ni2jevhw5g6ea._file
Verdict:
malicious
Similar samples:
03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca
HawkEye
09bdb0fb2e5689963f8375783abf0d87d2dbccc6a7ed8b03d7a53af29ab2c4d6
HawkEye
1f1bc6a65867b976dd8cdc00b6519b60b4da65af780f1636c447e5ebca91da96
HawkEye
215efb4d72a987d380f71ce2cea15cb73c3084253026a2c80efd7a3c83ae5f9f
HawkEye
4b5962005864c7cd8c362e37987f7091991f6f3f0a992e02e1b51beb92292a5d
HawkEye
77d83370f3109b9a0c199c60870edd92184c170abfc2f1817cd625245fcfae10
HawkEye
d488a34718cf2db560dd4c62ccb5fac527cc192716c2d166a71f98abd384aba6
HawkEye
e131a045dc4874ee4eed8e75af0faeecaf86a80e18f13b9845a8b6f57686beec
HawkEye
e4319ba20af83dd8ba6041fd70c3c27dc2c79c648de642487fc1a217e0549fc8
HawkEye
ebfcc36e36933bf6454937c260a1370cd3ece3b67d7abbf66ec9eb4d2892dd79
HawkEye
+ 943 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201023-vky548a3r2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
b27c248040351b85f805c45a12dd85396824a1a3388225138d46924a9edd3788
MD5 hash:
39f15e1f1cd7fd2ab1d7f0cd2d7ada94
SHA1 hash:
6f0f88b28b0e06970306cb94cb3acf04a3a71973
Link:
https://www.unpac.me/results/5bf34c5d-3060-47f5-b787-41f046601ef5/
SH256 hash:
20b2f7590b00463f18d1360116642c7b6aa4d970942e4c02cd3b0bbf24142042
MD5 hash:
b20f14254612635f9a2a4ad212cedc66
SHA1 hash:
3bebd63e4fc069fe660eaae8ff0040a47583d617
Link:
https://www.unpac.me/results/5bf34c5d-3060-47f5-b787-41f046601ef5/
SH256 hash:
21320e7e34c07fd6fafcb2560ad01a7f092a1f16151bf515b0feef220cc2b1c1
MD5 hash:
41f30550a1a40dfd3e160b11fe540863
SHA1 hash:
ea8cb6f5dbcf0a8a4d946ebe021194853d4f4881
Detections:
win_hawkeye_keylogger_g0
Create hunting rule
Link:
https://www.unpac.me/results/5bf34c5d-3060-47f5-b787-41f046601ef5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Skeeyah
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b27c248040351b85f805c45a12dd85396824a1a3388225138d46924a9edd3788

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip cd4c8f4cd4db25eba2e6480d6e5d0b3d273833884434c9eab434a73593127dca

HawkEye

Executable exe b27c248040351b85f805c45a12dd85396824a1a3388225138d46924a9edd3788

(this sample)

  
Dropped by
MD5 a43b761cebbc4ba5275cc2b4a4b1c1ba
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75080/
  
Dropped by
SHA256 cd4c8f4cd4db25eba2e6480d6e5d0b3d273833884434c9eab434a73593127dca

Comments