MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1
SHA3-384 hash: c0bab8775eb173052351653f34465b3795ae6ea52fe061ea1dbc19cdaedd1b24320fb916d450c2764de8d20acf8d2c1f
SHA1 hash: 1c925518e075761758a47f677016c95f5e80c92c
MD5 hash: 0c3bdc11fd6454bb67da849864170b44
humanhash: louisiana-california-burger-butter
File name:E-Remittance Form_z.TXT.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:1'441'541 bytes
First seen:2021-08-14 08:46:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:rAOcZAh8BbGTd6g+HrTWCGMnuce4hXQoVUsywK6ULRrAPWcBfhNQXNmrKb:taRov+LCuug7VU4KVrAPWLIrKb
Threatray 847 similar samples on MalwareBazaar
TLSH T1A9651203E78444F7D0370B3116675B347EBAB9301B659B5BABA4453DAE72340BE34BA2
dhash icon f1f8ece470f0b0b2 (7 x NanoCore, 2 x RemcosRAT, 2 x HawkEye)
Reporter abuse_ch
Tags:exe HawkEye


Avatar
abuse_ch
HawkEye SMTP exfil server:
smtp.yandex.com:587

HawkEye SMTP exfil email address:
heavenly.logs@yandex.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E-Remittance Form_z.TXT.exe
Verdict:
Malicious activity
Analysis date:
2021-08-14 08:48:07 UTC
Tags:
keylogger hawkeye stealer evasion trojan
Link:
https://app.any.run/tasks/7a1ffd81-e81d-4e41-9f73-78b87dd91199

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
HawkEyev9
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179203/
Detection(s):
Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a UDP request
Adding an access-denied ACE
Launching a process
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/730d4139-71ff-4423-bc12-5b8768d4fd8b
Result
Threat name:
HawkEye MailPassView
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832837
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Detected HawkEye Rat
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 465268 Sample: E-Remittance Form_z.TXT.exe Startdate: 14/08/2021 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 12 other signatures 2->47 13 E-Remittance Form_z.TXT.exe 26 2->13         started        process3 file4 37 C:\Users\user\AppData\Local\...\urdavsa.pif, PE32 13->37 dropped 16 urdavsa.pif 3 3 13->16         started        process5 file6 35 C:\Users\user\AppData\Local\Temp\...\run.vbs, ASCII 16->35 dropped 39 Multi AV Scanner detection for dropped file 16->39 20 wscript.exe 1 16->20         started        signatures7 process8 process9 22 urdavsa.pif 20->22         started        process10 24 wscript.exe 1 22->24         started        process11 26 urdavsa.pif 24->26         started        process12 28 wscript.exe 1 26->28         started        process13 30 urdavsa.pif 28->30         started        signatures14 49 Writes to foreign memory regions 30->49 51 Allocates memory in foreign processes 30->51 53 Injects a PE file into a foreign processes 30->53 33 RegSvcs.exe 30->33         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-14 08:47:07 UTC
AV detection:
26 of 46 (56.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xww6sb5elc3mtuxipl2wm7b3rilku6aeknldj3lgfmhapq2pmsyq._file
Verdict:
malicious
Similar samples:
022a59ed972a0a93af024278929ae49d28e59382e620c283dd3b701f24a218d4
HawkEye
1bf63394fcf232d3a303d17df87252e2f47c43205edadc99ed15a50c9e193ebc
HawkEye
20abcc84d40d1b7314e3f293c510ee4f5199d43db15074aa79705c98bacf5ff5
HawkEye
63df29d3fa84705de35251b66c3cf555ba225d9a2b064edbd566ccd1b3c59e07
HawkEye
7cf95c0b9a54fa67fcd82ab0dc3dddbbb3861b9c4111a12e628f0003b02e41d9
HawkEye
ac63e6a70d5a7b867b798cd4a22db827d66c95f2506d1efdb49d2b6bf6d73aa8
HawkEye
c8a4462c6b8f5d8728d5374adc98def5a5c38dd97d70a1c3859c876bfbe3fbd0
HawkEye
ebbc6f882c469db06196cbeea3ef7b62899229ef1f89234ef3ace2f83ce2b557
HawkEye
ee9581098eb9fed674854c0f2579b5bfb17ae7788cdbb15abaa3c5af3af50ecc
HawkEye
f1f545de09f0d7a4b5adcbfd695e64333d6195e53c120cacfb1e276d8fc7afed
HawkEye
+ 837 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye_reborn family:m00nd3v_logger keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210814-sr9bd6bjbx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
M00nD3v Logger Payload
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
HawkEye Reborn
M00nd3v_Logger
Unpacked files
SH256 hash:
122ad262bebd39ce4215af76fbc5321d4c2da8e94d4e1f7667847d54856029f2
MD5 hash:
1d69003d6bb3ef8fa5580f7f97d09dd3
SHA1 hash:
b1a8ec5dbeeef683176720fbfa87688ed9d7a806
Detections:
win_hawkeye_keylogger_g0
Create hunting rule
Link:
https://www.unpac.me/results/dcc53e79-56db-4060-930b-e58a2212293b/
Parent samples :
bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1
e773f60aeb241f884b4f932d7ddd4e31c87f31781d5bd53d8583b3d54807a449
fa38ec9464602a1727813004fc616d9d0359c37da01b7d07c3e38784c0b2a46d
de1730eddefee2b8d8193d92b02fc5a3fd1bf6d54c6f55eff53c85c8a2501a79
691cb999c6be0f430c14a9411abf6796f174c8d8f3c3edc4b819b3b35972d832
0a0e7c81912b02e6ec1c7fbb338f4ef200e23d441d57c692cc88fef616593f0d
752efe9ad078a9be4a82b6f7c2123d58c90a1456287390b50df9e9c3292bc490
936ad4294125b52a7bbcbc1130128209932a3fbe505eb0fb539495c61205a5b3
c2d23332a28fd0f2f0b404e53d9820ba0f5f8070043cfa0b2fbb18a4a33466b6
SH256 hash:
2a289cb5244076d25da11b51cf8c32a92b9f43007884abf8351b202f1bcf6d43
MD5 hash:
8b8fb3685244f473f20a85b82ce7793f
SHA1 hash:
7e40788f7ab938061446fd1297fc15c21c6898db
Link:
https://www.unpac.me/results/dcc53e79-56db-4060-930b-e58a2212293b/
SH256 hash:
bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1
MD5 hash:
0c3bdc11fd6454bb67da849864170b44
SHA1 hash:
1c925518e075761758a47f677016c95f5e80c92c
Link:
https://www.unpac.me/results/dcc53e79-56db-4060-930b-e58a2212293b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_HawkEyeV9
Create hunting rule
Author:ditekshen
Description:Detects HawkEyeV9 payload
Rule name:MAL_HawkEye_Keylogger_Gen_Dec18
Create hunting rule
Author:Florian Roth
Description:Detects HawkEye Keylogger Reborn
Reference:https://twitter.com/James_inthe_box/status/1072116224652324870
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_NAME_ConfuserEx
Create hunting rule
Author:Arnim Rupp
Description:Detects ConfuserEx packed file
Reference:https://github.com/yck1509/ConfuserEx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179203/

Comments