File name: | STATEMENT OF ACCOUNT - November 30th 2018.msg |
Full analysis: | https://app.any.run/tasks/28edc7b5-e022-454c-9860-2ac707e04f3e |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | December 06, 2018, 07:19:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 6F1F7E3A13D35C566C033A0947028E51 |
SHA1: | 4E7F8B70801A7BC18F7507CABD9E2D9CE644490A |
SHA256: | 4EA08A4AE45E46419A740733AB41A98DC968219D6E53F8180D6FD315D40DC614 |
SSDEEP: | 1536:dTz7U/5GRlRGUn3Pn3Jn36n36n37n37n37n37n37n37n37n3Gn3Pn3Pn3Pn3en3t:2CaUfV++DDDDDDDyfffqoXmEgErQ |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\STATEMENT OF ACCOUNT - November 30th 2018.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2736 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\NCEY62LN\SOA.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3336 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
4004 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3976 | C:\Users\admin\AppData\Local\Temp\1.com | C:\Users\admin\AppData\Local\Temp\1.com | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM Description: Cognatic4 Exit code: 0 Version: 3.04.0006 | ||||
4072 | :\Users\admin\AppData\Local\Temp\1.com | C:\Users\admin\AppData\Local\Temp\1.com | 1.com | |
User: admin Integrity Level: MEDIUM Description: Cognatic4 Version: 3.04.0006 | ||||
2364 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | 1.com | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B2E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\NCEY62LN\SOA (2).doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2736 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR801D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2736 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_77D4ADF8-9BED-4BAE-93B0-9611AB176006.0\9160D2FC.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:A1372998E1D15EBF204367BAA9889747 | SHA256:B7EEB2389ECAC1B889564770A3E13F64BD029298583F88BFAF645973D7249351 | |||
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_77D4ADF8-9BED-4BAE-93B0-9611AB176006.0\~WRS{B6C48FEB-E6B1-4C6C-B26E-0CEF5692CEE3}.tmp | — | |
MD5:— | SHA256:— | |||
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_77D4ADF8-9BED-4BAE-93B0-9611AB176006.0\~WRF{739618F8-E5D5-4E83-B8F4-97F4C4162A02}.tmp | — | |
MD5:— | SHA256:— | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_A156B9A87A0B92479B13B090F11D623F.dat | xml | |
MD5:EEAA832C12F20DE6AAAA9C7B77626E72 | SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 | |||
2736 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_77D4ADF8-9BED-4BAE-93B0-9611AB176006.0\9160D2FC.doc | text | |
MD5:2A1A9DC50312FDE3FD19099B31684B12 | SHA256:BAABEC55747C87DD64E00667FA5F337B2F39C6D37E3396EFE44B7D13CBD5C5E9 | |||
2736 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:78CB780C69E93FA8E2E79ACA387E6269 | SHA256:DF9E53E25A455C52E10351198CFCFC61FCF7C99CD852BAFF5931F28C38382B7B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2948 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
4072 | 1.com | GET | 403 | 104.16.20.96:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
4004 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2Ss9Fz5 | US | html | 115 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4004 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
4072 | 1.com | 104.16.20.96:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
2948 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
4004 | EQNEDT32.EXE | 163.172.215.76:443 | f.coka.la | Online S.a.s. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
bit.ly |
| shared |
f.coka.la |
| malicious |
whatismyipaddress.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
4072 | 1.com | A Network Trojan was detected | MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck) |