MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6628501ee0344c1e6c7adc92944f5ddc7c784c1ac6278bdd7b66164b01707d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HawkEye

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	e6628501ee0344c1e6c7adc92944f5ddc7c784c1ac6278bdd7b66164b01707d3
SHA3-384 hash:	5d33ad6c1f47d5872ead14cdd392200867026f4e9d5a69a12aa56105ce18dacd480181da73e8daf0c32c21e01f52aaf1
SHA1 hash:	5bdfb137bd94a6e94edbf022df801bb2cc5a4494
MD5 hash:	976214501e8f1a06a4744538c2e5e60d
humanhash:	item-ack-foxtrot-blossom
File name:	INVOICE-1938002.exe
Download:	download sample
Signature	HawkEye Create hunting rule
File size:	550'949 bytes
First seen:	2020-06-08 07:55:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fd8135b0036737f4378aeccc98fbd15a (9 x Loki, 9 x AgentTesla, 2 x HawkEye)
ssdeep	12288:YEv8FVujUpVTWgThfJ614X5p/iYHI0Oq8M0oko8ZiFhDF8KSpTTj/Xc+0L:YEEbuQ9WmD1HITPTnXc+e
Threatray	2'411 similar samples on MalwareBazaar
TLSH	39C49E69F2A14833E153197D5C0B6778982EBE71292416823FE5DC4CAFF93893D3B186
Reporter	abuse_ch
Tags:	exe HawkEye

abuse_ch

Malspam distributing unidentified malware:

HELO: 94-100-28-224.static.hvvc.us
Sending IP: 94.100.28.224
From: JHSHIP INTERNATIONAL LTD <cus12@jhship.com.cn>
Subject: FWD: Possible CTM delivery
Attachment: Scan-1938002235_pdf.arj (contains "INVOICE-1938002.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Win32.Herz.B.5937.21320.UNOFFICIAL

Gathering data

Threat name:

Win32.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2020-06-08 07:57:06 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4zrikapoancmdzwhvxessrhv3xd4pbgbvrrhrpoxwzqwjmaxa7jq._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence spyware upx

Link:

https://tria.ge/reports/201109-j8ktfjhwqj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of web browsers

UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip 1a2ee0d0fcce5a02d74f06b201d0462b3a57f08b617fdded23a088c97eff7266

HawkEye

exe e6628501ee0344c1e6c7adc92944f5ddc7c784c1ac6278bdd7b66164b01707d3

(this sample)

Dropped by

MD5 4e1cff8935178e29eb7cbc30aacbcc16

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 1a2ee0d0fcce5a02d74f06b201d0462b3a57f08b617fdded23a088c97eff7266

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample