Field | Value
---|---
URL | http://www.terryhill.top/proforma/
Full analysis | https://app.any.run/tasks/3e1a0995-f4f6-4b0b-bdad-263b19c28eb8
Verdict | Malicious activity
Threats | HawkEye often gets installed in a bundle with other malware. It is a Trojan and keylogger used to steal private information such as passwords and login credentials. It is advanced malware with strong anti-evasion features.
Analysis date | May 15, 2019, 10:31:53
OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags | —
Indicators | —
MD5 | 3A7DE59B8BD73B64B19D716674CA3E19
SHA1 | 80638C4AAD05385295BF870CAA166786EECCC7D4
SHA256 | 4732CBB36F2E3F31E49233F6DAEB7280A724F421F91C29920C172883294A7656
SSDEEP | 3:N1KJS4S80L5Ij:Cc4S8pj
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1736 | "C:\Program Files\Internet Explorer\iexplore.exe" http://www.terryhill.top/proforma/ | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
2816 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1736 CREDAT:267521 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
372 | "C:\Users\admin\Downloads\50knewc.exe" | C:\Users\admin\Downloads\50knewc.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2800 | "C:\Users\admin\Downloads\benu7.exe" | C:\Users\admin\Downloads\benu7.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2668 | "C:\Users\admin\Downloads\bobcry.exe" | C:\Users\admin\Downloads\bobcry.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
836 | "C:\Users\admin\Downloads\player4.exe" | C:\Users\admin\Downloads\player4.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2068 | "C:\Users\admin\Downloads\50knewc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | 50knewc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
1860 | "C:\Users\admin\Downloads\benu7.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | benu7.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
600 | "C:\Users\admin\Downloads\bobcry.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | bobcry.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
2040 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpA6C7.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | RegAsm.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5483
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1736 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
1736 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFC8ACF041996C24CE.TMP | — | — | —
2816 | IEXPLORE.EXE | C:\Users\admin\Downloads\player4.exe.e8hukn8.partial | — | — | —
1736 | iexplore.exe | C:\Users\admin\Downloads\player4.exe.e8hukn8.partial:Zone.Identifier | — | — | —
2816 | IEXPLORE.EXE | C:\Users\admin\Downloads\bobcry.exe.k09rwr2.partial | — | — | —
1736 | iexplore.exe | C:\Users\admin\Downloads\bobcry.exe.k09rwr2.partial:Zone.Identifier | — | — | —
2816 | IEXPLORE.EXE | C:\Users\admin\Downloads\benu7.exe.q9cfxxp.partial | — | — | —
1736 | iexplore.exe | C:\Users\admin\Downloads\benu7.exe.q9cfxxp.partial:Zone.Identifier | — | — | —
2816 | IEXPLORE.EXE | C:\Users\admin\Downloads\50knewc.exe.87byom0.partial | — | — | —
1736 | iexplore.exe | C:\Users\admin\Downloads\50knewc.exe.87byom0.partial:Zone.Identifier | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1736 | iexplore.exe | GET | 200 | 152.199.19.161:443 | https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblocklist.bin | US | — | — | whitelisted |
1736 | iexplore.exe | GET | 304 | 152.199.19.161:443 | https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlistWin7.xml | US | — | — | whitelisted |
2816 | IEXPLORE.EXE | GET | 200 | 54.36.212.206:80 | http://www.terryhill.top/proforma/50knewc.exe | FR | executable | 908 Kb | malicious |
1736 | iexplore.exe | GET | 200 | 152.199.19.161:443 | https://iecvlist.microsoft.com/IE11/1479242656000/iecompatviewlist.xml | US | xml | 362 Kb | whitelisted |
2816 | IEXPLORE.EXE | GET | 200 | 54.36.212.206:80 | http://www.terryhill.top/proforma/bobcry.exe | FR | executable | 894 Kb | malicious |
2816 | IEXPLORE.EXE | GET | 200 | 54.36.212.206:80 | http://www.terryhill.top/proforma/benu7.exe | FR | executable | 894 Kb | malicious |
600 | RegAsm.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 11 b | shared |
2676 | RegAsm.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 11 b | shared |
2816 | IEXPLORE.EXE | GET | 200 | 54.36.212.206:80 | http://www.terryhill.top/proforma/player4.exe | FR | executable | 908 Kb | malicious |
1860 | RegAsm.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 11 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1736 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
1736 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2068 | RegAsm.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
2068 | RegAsm.exe | 23.186.192.228:587 | mail.strutnfittings.com | — | — | unknown |
2816 | IEXPLORE.EXE | 54.36.212.206:80 | www.terryhill.top | OVH SAS | FR | malicious |
1736 | iexplore.exe | 54.36.212.206:80 | www.terryhill.top | OVH SAS | FR | malicious |
600 | RegAsm.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
2676 | RegAsm.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
1860 | RegAsm.exe | 192.35.177.64:80 | apps.identrust.com | IdenTrust | US | malicious |
2676 | RegAsm.exe | 107.6.154.186:587 | mail.mwanzompya.com | SingleHop, Inc. | NL | malicious |
Domain | IP | Reputation
---|---|---
www.terryhill.top | — | malicious
api.bing.com | — | whitelisted
www.bing.com | — | whitelisted
iecvlist.microsoft.com | — | whitelisted
r20swj13mr.microsoft.com | — | whitelisted
bot.whatismyipaddress.com | — | shared
mail.strutnfittings.com | — | unknown
mail.renata-ltd.com | — | malicious
mail.jaguarline.com | — | unknown
mail.mwanzompya.com | — | malicious
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2816 | IEXPLORE.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
2816 | IEXPLORE.EXE | Misc activity | ET INFO Packed Executable Download |
2816 | IEXPLORE.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2816 | IEXPLORE.EXE | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
2816 | IEXPLORE.EXE | Misc activity | ET INFO Packed Executable Download |
2816 | IEXPLORE.EXE | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
2068 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.HawkEye IP Check |
2068 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
600 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.HawkEye IP Check |
Process | Message |
---|---|
50knewc.exe | User32.dll |
50knewc.exe | User32.dll |
50knewc.exe | User32.dll |
50knewc.exe | User32.dll |
50knewc.exe | User32.dll |
50knewc.exe | User32.dll |
50knewc.exe | User32.dll |
50knewc.exe | User32.dll |
50knewc.exe | User32.dll |
50knewc.exe | User32.dll |