MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f86be0fe01d3a3fae24c8bf92bb289ec52dd7f6a9461b9ce95f062d162f124c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f86be0fe01d3a3fae24c8bf92bb289ec52dd7f6a9461b9ce95f062d162f124c0
SHA3-384 hash: de50f61fac6d9e48ec18f51998c73fd13c78d7d2f70dd34c07493d7b75687d4bd001960c5f330ded52e70316ae123a53
SHA1 hash: b11908b1730bddcca7b0f9fb149a4e6618823a8a
MD5 hash: a9c87ddd563276c81565018d69d45285
humanhash: apart-cardinal-blue-october
File name:INVOICE.EXE
Download: download sample
Signature HawkEye
Create hunting rule
File size:447'488 bytes
First seen:2020-06-17 10:34:56 UTC
Last seen:2020-07-10 12:11:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:m5v3dM4VEKcJo+VbuKS4VB0mpBymVPLpNmJALWJDarn1dw4jZQZXgYEaP:TsEPo+Vbuh4VbBymVPDlKar1CX9
Threatray 170 similar samples on MalwareBazaar
TLSH DF949EA0F288ACA8DD0B52725C3AFA21151B7E9B85F4C51D265FB61A1BF33432467D0F
Reporter cocaman
Tags:exe HawkEye

Intelligence

File Origin
# of uploads :
3
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2020-06-17 10:29:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7bv6b7qb2or7vysmrp4sxmuj5rjn273ksrq3ttuv6brncyxretaa._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
0b0843fec59e2e7c90b04d88f9d90f7e6a3c8e7511a601d20ba588a52380781b
HawkEye
1136fada0e7737d8ea5304cb8e85550cf1ca35e2b64bfa6e000b07d5c428f7d7
HawkEye
3853c83c0df51ab8dc2d06d29efc8ca581044dbbcfe4c7c4d05fcc0ab62e22a8
HawkEye
400ad786bf1e76812b70a3ab4ba345668fe07c176743f412f6ff5372238c2320
HawkEye
538a207974969d50055870c016eb819c2a71a1388db863bf025ea5bc2144b00b
HawkEye
717cc1c1cd1788a45027d549ae018a57f72e8f5f7586be633055c2400440b489
HawkEye
7fcccc36958bd79308c0a9a1bbb9cf89d025b256dbee80dc9fc2e52f776573d7
HawkEye
a66accde52c8f24dbd3d705a4babfee4015f547dc6f7a608cb6d37dd2930fccd
HawkEye
c51d3c8be3936b476ac729e5ddc15eb4dcd5dea18dbcf8200f0767b33ab0b076
HawkEye
ee6195ec1370d529ba036d6ce5f7ca391822519455a57817e1576ac8a45b8b8d
HawkEye
+ 160 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
stealer spyware family:m00nd3v_logger
Link:
https://tria.ge/reports/200624-g5ny2qw6ja/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
M00nD3v Logger Payload
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_NK_BabyShark_KimJoingRAT_Apr19_1
Create hunting rule
Author:Florian Roth
Description:Detects BabyShark KimJongRAT
Reference:https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

img 8cccfb25adbe29e3c074f067b55522d4c2fde672b4bce124b48495d21787d8d3

HawkEye

Executable exe f86be0fe01d3a3fae24c8bf92bb289ec52dd7f6a9461b9ce95f062d162f124c0

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 8cccfb25adbe29e3c074f067b55522d4c2fde672b4bce124b48495d21787d8d3
Cape
Cape
https://www.capesandbox.com/analysis/19501/

Comments