analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

_output8F7AF9F.exe

Full analysis: https://app.any.run/tasks/c3ead84b-f2ea-491f-b06f-67af4929c516
Verdict: Malicious activity
Threats:

Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.

Analysis date: July 17, 2019, 15:54:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
keylogger
hawkeye
evasion
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

68F4B08EF0A514FDBAEB70E688421CB5

SHA1:

C29499B1DEB0AB8723E71FF507420364493AD56B

SHA256:

279AE41AD70664F78F4C1C7F57C8828F0B2CF9A7D46EE4BF2EAFAC9C62A70559

SSDEEP:

12288:iypUkj36QbElf/RZPIO5X9euIrzIz9Sx:fvYx/R9IWeuIW9Sx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Detected Hawkeye Keylogger

      • _output8F7AF9F.exe (PID: 2788)
    • Changes the autorun value in the registry

      • _output8F7AF9F.exe (PID: 2788)
    • Actions looks like stealing of personal data

      • vbc.exe (PID: 3252)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • _output8F7AF9F.exe (PID: 2788)
    • Checks for external IP

      • _output8F7AF9F.exe (PID: 2788)
    • Creates files in the user directory

      • _output8F7AF9F.exe (PID: 2788)
    • Application launched itself

      • _output8F7AF9F.exe (PID: 3128)
    • Loads DLL from Mozilla Firefox

      • vbc.exe (PID: 3064)
    • Executes scripts

      • _output8F7AF9F.exe (PID: 2788)
  • INFO

    • Application was crashed

      • _output8F7AF9F.exe (PID: 2788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (90.6)
.exe | Win32 Executable (generic) (4.9)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:10:23 00:42:07+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 696320
InitializedDataSize: 16384
UninitializedDataSize: -
EntryPoint: 0x147c
OSVersion: 4
ImageVersion: 8.5
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.5.0.2
ProductVersionNumber: 8.5.0.2
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Collapseseptangle10
CompanyName: CollapseCuffs9
FileDescription: CollapseChorism
ProductName: Collapsepreinitiating
FileVersion: 8.05.0002
ProductVersion: 8.05.0002
InternalName: CollapseRECONCEPTION
OriginalFileName: CollapseRECONCEPTION.exe

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 22-Oct-2015 22:42:07
Detected languages:
  • English - United States
Comments: Collapseseptangle10
CompanyName: CollapseCuffs9
FileDescription: CollapseChorism
ProductName: Collapsepreinitiating
FileVersion: 8.05.0002
ProductVersion: 8.05.0002
InternalName: CollapseRECONCEPTION
OriginalFilename: CollapseRECONCEPTION.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 22-Oct-2015 22:42:07
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000A9BE8
0x000AA000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.71114
.data
0x000AB000
0x00000A2C
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x000AC000
0x00002916
0x00003000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.46723

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.33209
772
Unicode (UTF 16LE)
English - United States
RT_VERSION
30001
4.89565
5672
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30002
5.11034
3752
Unicode (UTF 16LE)
UNKNOWN
RT_ICON

Imports

MSVBVM60.DLL
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start _output8f7af9f.exe no specs #HAWKEYE _output8f7af9f.exe vbc.exe vbc.exe no specs dw20.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3128"C:\Users\admin\AppData\Local\Temp\_output8F7AF9F.exe" C:\Users\admin\AppData\Local\Temp\_output8F7AF9F.exeexplorer.exe
User:
admin
Company:
CollapseCuffs9
Integrity Level:
MEDIUM
Description:
CollapseChorism
Exit code:
0
Version:
8.05.0002
2788C:\Users\admin\AppData\Local\Temp\_output8F7AF9F.exe" C:\Users\admin\AppData\Local\Temp\_output8F7AF9F.exe
_output8F7AF9F.exe
User:
admin
Company:
CollapseCuffs9
Integrity Level:
MEDIUM
Description:
CollapseChorism
Version:
8.05.0002
3252C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
_output8F7AF9F.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5420
3064C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe_output8F7AF9F.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5420
3016dw20.exe -x -s 1712C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe_output8F7AF9F.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Error Reporting Shim
Version:
2.0.50727.4927 (NetFXspW7.050727-4900)
Total events
148
Read events
124
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3252vbc.exeC:\Users\admin\AppData\Local\Temp\holdermail.txt
MD5:
SHA256:
3064vbc.exeC:\Users\admin\AppData\Local\Temp\holderwb.txt
MD5:
SHA256:
3128_output8F7AF9F.exeC:\Users\admin\AppData\Local\Temp\~DF9AFB786D143AAD81.TMPbinary
MD5:267AEEDE850FB390101A79B039367FC4
SHA256:55B5A205DD84FE60CF78525CB53068E7C6706B5B8B880BE4C6045812C713F35E
2788_output8F7AF9F.exeC:\Users\admin\AppData\Roaming\pidloc.txttext
MD5:D7330D98E8BB2B39B3E48D299E75726D
SHA256:9B920DAC3947F1E95546137F3E3B29107C1226049FE04119BEF7856A4A2C4191
2788_output8F7AF9F.exeC:\Users\admin\AppData\Roaming\WindowsUpdate.exeexecutable
MD5:68F4B08EF0A514FDBAEB70E688421CB5
SHA256:279AE41AD70664F78F4C1C7F57C8828F0B2CF9A7D46EE4BF2EAFAC9C62A70559
2788_output8F7AF9F.exeC:\Users\admin\AppData\Roaming\pid.txttext
MD5:D210CF373CF002A04EC72EE395F66306
SHA256:6DB12D3DEFF9081B3585A3A81238B26693DEB28B8553EBA473146505E5301C50
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2788
_output8F7AF9F.exe
GET
301
104.16.154.36:80
http://whatismyipaddress.com/
US
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2788
_output8F7AF9F.exe
85.95.249.9:587
mail.bismak.com.tr
Inetmar internet Hizmetleri San. Tic. Ltd. Sti
TR
malicious
2788
_output8F7AF9F.exe
104.16.154.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
2788
_output8F7AF9F.exe
104.16.154.36:443
whatismyipaddress.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
whatismyipaddress.com
  • 104.16.154.36
  • 104.16.155.36
shared
mail.bismak.com.tr
  • 85.95.249.9
malicious

Threats

PID
Process
Class
Message
2788
_output8F7AF9F.exe
Potential Corporate Privacy Violation
ET POLICY Known External IP Lookup Service Domain in SNI
2788
_output8F7AF9F.exe
A Network Trojan was detected
MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck)
2788
_output8F7AF9F.exe
A Network Trojan was detected
ET TROJAN HawkEye Keylogger Report SMTP
2 ETPRO signatures available at the full report
No debug info