File name:

2much.exe

Full analysis: https://app.any.run/tasks/7d9f342f-34d9-41a1-a334-0a7a1968bbc9
Verdict: Malicious activity
Threats:

Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.

Malware Trends Tracker     >>>
Analysis date: May 15, 2019, 12:31:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
keylogger
hawkeye
evasion
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

4DEFC86E258D002B2C01EDA4822D6331

SHA1:

B6AA5CCD6722D8C7C55536854438E4DE9D713BF5

SHA256:

159D09CDBD90E5CE221F9CA7FD30646268CB2521D4279D707B346602B0EDA59D

SSDEEP:

12288:4Szm0W4DTPa1RzO3Wmb++3k8O/l9EUJceUKdi3HIn7Ai+/TbMRTYIc:4Km0WEPa3O3WER3zi9cMEXTb5I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Detected Hawkeye Keylogger

      • RegAsm.exe (PID: 2656)

    • Application was dropped or rewritten from another process

      • RegAsm.exe (PID: 2656)

    • Changes the autorun value in the registry

      • RegAsm.exe (PID: 2656)

    • Actions looks like stealing of personal data

      • vbc.exe (PID: 3028)

  • SUSPICIOUS

    • Checks for external IP

      • RegAsm.exe (PID: 2656)

    • Executes scripts

      • RegAsm.exe (PID: 2656)

    • Creates files in the user directory

      • RegAsm.exe (PID: 2656)

    • Executable content was dropped or overwritten

      • RegAsm.exe (PID: 2656)

  • INFO

    • Reads settings of System Certificates

      • RegAsm.exe (PID: 2656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:05:14 15:33:20+02:00
PEType: PE32
LinkerVersion: 14.15
CodeSize: 94208
InitializedDataSize: 604160
UninitializedDataSize: -
EntryPoint: 0x1f1f
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows command line
FileVersionNumber: 4.3.6.0
ProductVersionNumber: 8.2.5.4
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: agoge
FileDescription: propellant
FileVersion: 4.3.6.0
InternalName: self-worshiper.exe
LegalCopyright: Copyright (C) to-and-fros 2018
OriginalFileName: englacially.exe
ProductName: Chantalle
ProductVersion: 8.2.5.4

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 14-May-2019 13:33:20
Detected languages:
  • English - United States
CompanyName: agoge
FileDescription: propellant
FileVersion: 4.3.6.0
InternalName: self-worshiper.exe
LegalCopyright: Copyright (C) to-and-fros 2018
OriginalFilename: englacially.exe
ProductName: Chantalle
ProductVersion: 8.2.5.4

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 14-May-2019 13:33:20
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00016F22
0x00017000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.63432
.rdata
0x00018000
0x00007E84
0x00008000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.36355
.data
0x00020000
0x00007FAC
0x00007600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.766
.rsrc
0x00028000
0x00082851
0x00082A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.51126
.reloc
0x000AB000
0x000016F8
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.50596

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.91161
381
Latin 1 / Western European
English - United States
RT_MANIFEST
OJEGCDPJ
4.24848
188
Latin 1 / Western European
UNKNOWN
ORHNB
SZSBIB
6.50666
532992
Latin 1 / Western European
UNKNOWN
ORHNB

Imports

ADVAPI32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
WINSPOOL.DRV
ole32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2much.exe #HAWKEYE regasm.exe vbc.exe vbc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2420"C:\Users\admin\Desktop\2much.exe" C:\Users\admin\Desktop\2much.exe
explorer.exe
User:
admin
Company:
agoge
Integrity Level:
MEDIUM
Description:
propellant
Exit code:
0
Version:
4.3.6.0
Modules
Images
c:\users\admin\desktop\2much.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2656"C:\Users\admin\Desktop\2much.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
2much.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
2964C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeRegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
3028C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
RegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
38
Read events
18
Write events
20
Delete events
0

Modification events

(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
Executable files
1
Suspicious files
3
Text files
2
Unknown types
1

Dropped files

PID
Process
Filename
Type
3028vbc.exeC:\Users\admin\AppData\Local\Temp\holdermail.txt
MD5:
SHA256:
2964vbc.exeC:\Users\admin\AppData\Local\Temp\bhv3EBB.tmp
MD5:
SHA256:
2964vbc.exeC:\Users\admin\AppData\Local\Temp\holderwb.txt
MD5:
SHA256:
2656RegAsm.exeC:\Users\admin\AppData\Local\Temp\Cab5F24.tmp
MD5:
SHA256:
2656RegAsm.exeC:\Users\admin\AppData\Local\Temp\Tar5F25.tmp
MD5:
SHA256:
2656RegAsm.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:
SHA256:
2656RegAsm.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:
SHA256:
2656RegAsm.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\000F7F8FAB2D96E6F8CBD5C9A3B4EC90binary
MD5:
SHA256:
2656RegAsm.exeC:\Users\admin\AppData\Roaming\WindowsUpdate.exeexecutable
MD5:246BB0F8D68A463FD17C235DEB5491C0
SHA256:32B60D7BBA22CC1682F4BA651D86C9FB357BDC82E9A284AB9668E5446BD24BB3
2656RegAsm.exeC:\Users\admin\AppData\Roaming\pidloc.txttext
MD5:EFD1636CFC3CC38FD7BABAE5CAC9EDE0
SHA256:F827D5B11C1EB3902D601C3E0B59BA32FE11C0B573FBF22FB2AF86BFD4651BBA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
4
DNS requests
4
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2656
RegAsm.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2656
RegAsm.exe
GET
200
23.111.11.204:80
http://repository.certum.pl/ca.cer
US
der
784 b
whitelisted
2656
RegAsm.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?27a8dabed2aad218
US
compressed
56.1 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2656
RegAsm.exe
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
2656
RegAsm.exe
23.111.11.204:80
repository.certum.pl
netDNA
US
unknown
2656
RegAsm.exe
77.88.21.38:587
smtp.yandex.com
YANDEX LLC
RU
whitelisted
2656
RegAsm.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
whatismyipaddress.com
  • 104.16.155.36
  • 104.16.154.36
shared
smtp.yandex.com
  • 77.88.21.38
  • 213.180.193.38
  • 93.158.134.38
  • 87.250.250.38
  • 213.180.204.38
malicious
repository.certum.pl
  • 23.111.11.204
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted

Threats

PID
Process
Class
Message
2656
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck)
2656
RegAsm.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2 ETPRO signatures available at the full report
Process
Message
2much.exe
User32.dll
2much.exe
User32.dll
2much.exe
User32.dll
2much.exe
User32.dll
2much.exe
User32.dll
2much.exe
User32.dll
2much.exe
User32.dll
2much.exe
User32.dll
2much.exe
User32.dll
2much.exe
User32.dll
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2much.exe