File name: | Archive.zip |
Full analysis: | https://app.any.run/tasks/9885c7fa-cdaf-4b90-9f22-94e6126b9a81 |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | June 12, 2019, 10:20:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 200452397AF990878ED2E3B4E5482F4A |
SHA1: | 9FA6EAEE5FB1A43C86EE30F335A546116CE70B72 |
SHA256: | 00ADBA61B838079ACE134DE62D66612D7B571130CE853078D9C5771A2AB25516 |
SSDEEP: | 24576:7LzT4OP5A2LaIZw7lh7MTekUez1S2trqTPeN7oeQI/L:rTi2LVYh7Mykxzlr2UoeQID |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Elenco di consegna merci di giugno.exe |
---|---|
ZipUncompressedSize: | 1544192 |
ZipCompressedSize: | 1111913 |
ZipCRC: | 0xc062bf03 |
ZipModifyDate: | 2019:06:10 21:39:21 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0008 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1240 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Archive.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2732 | cmd /c ""C:\Users\admin\Desktop\italiano.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3616 | tzutil /s "W. Europe Standard Time" | C:\Windows\system32\tzutil.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Time Zone Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3152 | certutil /decode "C:\Users\admin\AppData\Local\Temp\b64" "C:\Users\admin\AppData\Local\Temp\decoded" | C:\Windows\system32\certutil.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2924 | regedit.exe /s "C:\Users\admin\AppData\Local\Temp\decoded" | C:\Windows\regedit.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Editor Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1680 | "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded" | C:\Windows\regedit.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Editor Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1812 | "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded" | C:\Windows\regedit.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Editor Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2152 | "C:\Users\admin\Desktop\Elenco di consegna merci di giugno.exe" | C:\Users\admin\Desktop\Elenco di consegna merci di giugno.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1720 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Elenco di consegna merci di giugno.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
3736 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp8CF6.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
(PID) Process: | (1240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (1240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (1240) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (1240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\Archive.zip | |||
(PID) Process: | (1240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (1240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (1240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (1240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (1240) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | @C:\Windows\System32\acppage.dll,-6002 |
Value: Windows Batch File | |||
(PID) Process: | (1240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop |
PID | Process | Filename | Type | |
---|---|---|---|---|
3152 | certutil.exe | C:\Users\admin\AppData\Local\Temp\decoded | text | |
MD5:CC4D5700F092115E8867C7DD6372F0C3 | SHA256:3CCF035606E304B96E0AA7B17E045A32C8AA8BD9B7CE664DBA4D9BD87784F018 | |||
3736 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp8CF6.tmp | text | |
MD5:0A9AD333B44B4C3B2B8BA195FA9AE2CC | SHA256:7EEA662C96FDAC6835E428FEACEBE2267C49001FF45404F962A5E92EDA9E1878 | |||
1240 | WinRAR.exe | C:\Users\admin\Desktop\italiano.bat | text | |
MD5:1EF792C1087122735BE1F937D68AE8A4 | SHA256:110DAE47D95110833713E39691180E88DF9DF59AA3FCBCE680B33617D3BDF492 | |||
2732 | cmd.exe | C:\Users\admin\AppData\Local\Temp\b64 | text | |
MD5:31D3914C66095D867C9A84C8FAE369B0 | SHA256:97FF2CFDC676C831EBCBD0440DE720647FB8B22367344279E57BBECFAAB4E859 | |||
1240 | WinRAR.exe | C:\Users\admin\Desktop\Elenco di consegna merci di giugno.exe | executable | |
MD5:B63AF0ACA113F8AF9D120D600F336DCC | SHA256:4404752F0E70971E30E787BAD018EB3B5F481CAB9E9343D7E67860544F4236DC | |||
2608 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmpB9F3.tmp | text | |
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048 | SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 | |||
1720 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904 | text | |
MD5:454353131947D1483FF5470107478978 | SHA256:2DF94DC1C58E952A1EBD1AE1185A291A8A573982CA90EC1BBB87B81126002668 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1720 | RegAsm.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 13 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1720 | RegAsm.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
— | — | 79.124.76.85:30905 | ftp.tiffanyhomestudio.com | NetInfo.BG JSCo | BG | malicious |
1720 | RegAsm.exe | 79.124.76.85:21 | ftp.tiffanyhomestudio.com | NetInfo.BG JSCo | BG | malicious |
Domain | IP | Reputation |
---|---|---|
bot.whatismyipaddress.com |
| shared |
ftp.tiffanyhomestudio.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1720 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.HawkEye IP Check |
1720 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger Exfiltration over FTP |
1720 | RegAsm.exe | A Network Trojan was detected | ET TROJAN HawkEye Keylogger FTP |