analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2much.exe

Full analysis: https://app.any.run/tasks/7d9f342f-34d9-41a1-a334-0a7a1968bbc9
Verdict: Malicious activity
Threats:

Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.

Analysis date: May 15, 2019, 12:31:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
keylogger
hawkeye
evasion
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

4DEFC86E258D002B2C01EDA4822D6331

SHA1:

B6AA5CCD6722D8C7C55536854438E4DE9D713BF5

SHA256:

159D09CDBD90E5CE221F9CA7FD30646268CB2521D4279D707B346602B0EDA59D

SSDEEP:

12288:4Szm0W4DTPa1RzO3Wmb++3k8O/l9EUJceUKdi3HIn7Ai+/TbMRTYIc:4Km0WEPa3O3WER3zi9cMEXTb5I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • RegAsm.exe (PID: 2656)
    • Changes the autorun value in the registry

      • RegAsm.exe (PID: 2656)
    • Detected Hawkeye Keylogger

      • RegAsm.exe (PID: 2656)
    • Actions looks like stealing of personal data

      • vbc.exe (PID: 3028)
  • SUSPICIOUS

    • Creates files in the user directory

      • RegAsm.exe (PID: 2656)
    • Executable content was dropped or overwritten

      • RegAsm.exe (PID: 2656)
    • Checks for external IP

      • RegAsm.exe (PID: 2656)
    • Executes scripts

      • RegAsm.exe (PID: 2656)
  • INFO

    • Reads settings of System Certificates

      • RegAsm.exe (PID: 2656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

ProductVersion: 8.2.5.4
ProductName: Chantalle
OriginalFileName: englacially.exe
LegalCopyright: Copyright (C) to-and-fros 2018
InternalName: self-worshiper.exe
FileVersion: 4.3.6.0
FileDescription: propellant
CompanyName: agoge
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 8.2.5.4
FileVersionNumber: 4.3.6.0
Subsystem: Windows command line
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1f1f
UninitializedDataSize: -
InitializedDataSize: 604160
CodeSize: 94208
LinkerVersion: 14.15
PEType: PE32
TimeStamp: 2019:05:14 15:33:20+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 14-May-2019 13:33:20
Detected languages:
  • English - United States
CompanyName: agoge
FileDescription: propellant
FileVersion: 4.3.6.0
InternalName: self-worshiper.exe
LegalCopyright: Copyright (C) to-and-fros 2018
OriginalFilename: englacially.exe
ProductName: Chantalle
ProductVersion: 8.2.5.4

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 14-May-2019 13:33:20
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00016F22
0x00017000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.63432
.rdata
0x00018000
0x00007E84
0x00008000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.36355
.data
0x00020000
0x00007FAC
0x00007600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.766
.rsrc
0x00028000
0x00082851
0x00082A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.51126
.reloc
0x000AB000
0x000016F8
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.50596

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.91161
381
Latin 1 / Western European
English - United States
RT_MANIFEST
OJEGCDPJ
4.24848
188
Latin 1 / Western European
UNKNOWN
ORHNB
SZSBIB
6.50666
532992
Latin 1 / Western European
UNKNOWN
ORHNB

Imports

ADVAPI32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
WINSPOOL.DRV
ole32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2much.exe #HAWKEYE regasm.exe vbc.exe vbc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2420"C:\Users\admin\Desktop\2much.exe" C:\Users\admin\Desktop\2much.exe
explorer.exe
User:
admin
Company:
agoge
Integrity Level:
MEDIUM
Description:
propellant
Exit code:
0
Version:
4.3.6.0
2656"C:\Users\admin\Desktop\2much.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
2much.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
2.0.50727.5483 (Win7SP1GDR.050727-5400)
3028C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
RegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483
2964C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeRegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483
Total events
38
Read events
18
Write events
20
Delete events
0

Modification events

(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2656) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegAsm_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
Executable files
1
Suspicious files
3
Text files
2
Unknown types
1

Dropped files

PID
Process
Filename
Type
3028vbc.exeC:\Users\admin\AppData\Local\Temp\holdermail.txt
MD5:
SHA256:
2964vbc.exeC:\Users\admin\AppData\Local\Temp\bhv3EBB.tmp
MD5:
SHA256:
2964vbc.exeC:\Users\admin\AppData\Local\Temp\holderwb.txt
MD5:
SHA256:
2656RegAsm.exeC:\Users\admin\AppData\Local\Temp\Cab5F24.tmp
MD5:
SHA256:
2656RegAsm.exeC:\Users\admin\AppData\Local\Temp\Tar5F25.tmp
MD5:
SHA256:
2656RegAsm.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\000F7F8FAB2D96E6F8CBD5C9A3B4EC90binary
MD5:45A791276EDB47AA2B3215E5B2DF9827
SHA256:8792B1F0D57C650DCB41860C15ECC590F3D0370BEE3B25E13BE0CA7B413450AE
2656RegAsm.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:B3E2F2D4B299EB0CE4C9816CF070051D
SHA256:4F7E7B147B69A7B140A47074ACED94CBFC0052DDEC5D0C9A06760655839872EE
2656RegAsm.exeC:\Users\admin\AppData\Roaming\pid.txttext
MD5:1680E9FA7B4DD5D62ECE800239BB53BD
SHA256:CF3B763A62724306DCA2A00ED53A7C0A19074286E40B8F0B96544CCBAB4AAAE2
2656RegAsm.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:7EB117D4F238090940DBE43EFBCDF1F4
SHA256:A45A77D256628943190F8AA0F4673496D11DBA6BC3569796B6F733465FD005E4
2656RegAsm.exeC:\Users\admin\AppData\Roaming\pidloc.txttext
MD5:EFD1636CFC3CC38FD7BABAE5CAC9EDE0
SHA256:F827D5B11C1EB3902D601C3E0B59BA32FE11C0B573FBF22FB2AF86BFD4651BBA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
4
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2656
RegAsm.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2656
RegAsm.exe
GET
200
23.111.11.204:80
http://repository.certum.pl/ca.cer
US
der
784 b
whitelisted
2656
RegAsm.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?27a8dabed2aad218
US
compressed
56.1 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2656
RegAsm.exe
77.88.21.38:587
smtp.yandex.com
YANDEX LLC
RU
whitelisted
2656
RegAsm.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2656
RegAsm.exe
23.111.11.204:80
repository.certum.pl
netDNA
US
unknown
2656
RegAsm.exe
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
whatismyipaddress.com
  • 104.16.155.36
  • 104.16.154.36
shared
smtp.yandex.com
  • 77.88.21.38
  • 213.180.193.38
  • 93.158.134.38
  • 87.250.250.38
  • 213.180.204.38
shared
repository.certum.pl
  • 23.111.11.204
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted

Threats

PID
Process
Class
Message
2656
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck)
2656
RegAsm.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2 ETPRO signatures available at the full report
No debug info