File name: | RE REQUESTED PAYMENT DETAILS_pdf.r09 |
Full analysis: | https://app.any.run/tasks/a77491fb-8ea4-41f8-be18-db437a6a5fc0 |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | December 02, 2019, 18:06:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | 5F611299062543F07CAE41ED48934FA7 |
SHA1: | E9516430E5177AA2615D3983237FFEAAAA0CD242 |
SHA256: | 1DEDCE8398CBFE0D6927AD4EC3DDE805F7A34FF2075FD214CE75B0D86F30DFAF |
SSDEEP: | 12288:wtybIrUM3qIXtIJIGGO78coPW/JxwBUNah1qWxeB1WjsmfZRUs9oKo/NVQRZnRu:icIrl3qIXtrQVo+BxYUNah1qcenQZz94 |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
ArchivedFileName: | RE REQUESTED PAYMENT DETAILS_pdf.scr |
---|---|
PackingMethod: | Normal |
ModifyDate: | 2000:04:28 16:23:20 |
OperatingSystem: | Win32 |
UncompressedSize: | 18386944 |
CompressedSize: | 582534 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2236 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RE REQUESTED PAYMENT DETAILS_pdf.r09.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3148 | "C:\Users\admin\Desktop\RE REQUESTED PAYMENT DETAILS_pdf.scr" /S | C:\Users\admin\Desktop\RE REQUESTED PAYMENT DETAILS_pdf.scr | — | explorer.exe |
User: admin Company: aSUS Integrity Level: MEDIUM Exit code: 0 Version: 5.00 | ||||
1036 | "C:\Users\admin\Desktop\RE REQUESTED PAYMENT DETAILS_pdf.scr" /S | C:\Users\admin\Desktop\RE REQUESTED PAYMENT DETAILS_pdf.scr | RE REQUESTED PAYMENT DETAILS_pdf.scr | |
User: admin Company: aSUS Integrity Level: MEDIUM Exit code: 0 Version: 5.00 | ||||
2148 | "C:\Users\admin\AppData\Roaming\Windows Update.exe" | C:\Users\admin\AppData\Roaming\Windows Update.exe | — | RE REQUESTED PAYMENT DETAILS_pdf.scr |
User: admin Company: aSUS Integrity Level: MEDIUM Exit code: 3221226540 Version: 5.00 | ||||
3980 | "C:\Users\admin\AppData\Roaming\Windows Update.exe" | C:\Users\admin\AppData\Roaming\Windows Update.exe | RE REQUESTED PAYMENT DETAILS_pdf.scr | |
User: admin Company: aSUS Integrity Level: HIGH Exit code: 0 Version: 5.00 | ||||
1944 | "C:\Users\admin\AppData\Roaming\Windows Update.exe" | C:\Users\admin\AppData\Roaming\Windows Update.exe | Windows Update.exe | |
User: admin Company: aSUS Integrity Level: HIGH Version: 5.00 | ||||
3692 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Windows Update.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
1928 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | Windows Update.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3692 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holdermail.txt | — | |
MD5:— | SHA256:— | |||
1928 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holderwb.txt | — | |
MD5:— | SHA256:— | |||
3980 | Windows Update.exe | C:\Users\admin\AppData\Local\Temp\~DF356D062CE9906871.TMP | binary | |
MD5:50E7C94B5266AF8EAAB87BAA10BEF26A | SHA256:3B12E0F478EB166E187CEDB9D8A92242D868B8206755A84134153AA4279846D6 | |||
2236 | WinRAR.exe | C:\Users\admin\Desktop\RE REQUESTED PAYMENT DETAILS_pdf.scr | executable | |
MD5:EB67A6BBBB801A7CD49FC1CE24BDE493 | SHA256:090E233894642384AB662A7C55FDCA68A45F3AA79092418D26E96CEDD5A964B5 | |||
1944 | Windows Update.exe | C:\Users\admin\AppData\Roaming\WindowsUpdate.exe | executable | |
MD5:EB67A6BBBB801A7CD49FC1CE24BDE493 | SHA256:090E233894642384AB662A7C55FDCA68A45F3AA79092418D26E96CEDD5A964B5 | |||
3148 | RE REQUESTED PAYMENT DETAILS_pdf.scr | C:\Users\admin\AppData\Local\Temp\~DF1BD1BD5C369D3816.TMP | binary | |
MD5:50E7C94B5266AF8EAAB87BAA10BEF26A | SHA256:3B12E0F478EB166E187CEDB9D8A92242D868B8206755A84134153AA4279846D6 | |||
1036 | RE REQUESTED PAYMENT DETAILS_pdf.scr | C:\Users\admin\AppData\Local\Temp\SysInfo.txt | text | |
MD5:BEAE6EF0B9F0267A01907CEC1EAB2515 | SHA256:A708F6DD1DD92B29E2B43BA4EBD1F2044057AAB4652E031B4895F6E2D17EFBEB | |||
1036 | RE REQUESTED PAYMENT DETAILS_pdf.scr | C:\Users\admin\AppData\Roaming\Windows Update.exe | executable | |
MD5:EB67A6BBBB801A7CD49FC1CE24BDE493 | SHA256:090E233894642384AB662A7C55FDCA68A45F3AA79092418D26E96CEDD5A964B5 | |||
1944 | Windows Update.exe | C:\Users\admin\AppData\Roaming\pid.txt | text | |
MD5:6F2688A5FCE7D48C8D19762B88C32C3B | SHA256:F513A0AA4F8F39744C6FDDF2B5EB18CC1EAC55CA866A1B243D835362A023F243 | |||
1944 | Windows Update.exe | C:\Users\admin\AppData\Roaming\pidloc.txt | text | |
MD5:E9FAEE87A060C806E7234779CFF7B480 | SHA256:CE744D98EF602BA5FE207C4C064DA0075A1BB9BF303E53CA86AF1025AD3AFBF3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1944 | Windows Update.exe | GET | 301 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1944 | Windows Update.exe | 104.16.154.36:443 | whatismyipaddress.com | Cloudflare Inc | US | shared |
1944 | Windows Update.exe | 104.16.154.36:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
whatismyipaddress.com |
| shared |
mail.vensoft.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
1944 | Windows Update.exe | Potential Corporate Privacy Violation | ET POLICY Known External IP Lookup Service Domain in SNI |
1944 | Windows Update.exe | A Network Trojan was detected | SPYWARE [PTsecurity] HawkEye / Predator Pain (IP Chck) |