File name: | 20969e312596ebe708c3729f09d38945.rar |
Full analysis: | https://app.any.run/tasks/640a97a8-5c0e-4ff9-89d4-6a370e6b224e |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | June 12, 2019, 04:37:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 20969E312596EBE708C3729F09D38945 |
SHA1: | B446808530CCD9D006247C785B95E5ECA27C718D |
SHA256: | 5272C571C9FDA901FEAC83808C572318718D02008DD7BD905411F81DEEC612F1 |
SSDEEP: | 12288:1hG8oFcK0ioI8Ks4gryzWJbaAi5Ym7bGHBndAyg1lyNTMNt3IQmb:vG8oqpivA4waVYm7bGhCvdJLy |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2940 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\20969e312596ebe708c3729f09d38945.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3008 | "C:\Users\admin\Desktop\INV-2003493202-201906.exe" | C:\Users\admin\Desktop\INV-2003493202-201906.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM | ||||
3032 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | INV-2003493202-201906.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
2356 | "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\Desktop\INV-2003493202-201906.exe" | C:\Windows\System32\cmd.exe | — | INV-2003493202-201906.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2992 | choice /C Y /N /D Y /T 3 | C:\Windows\system32\choice.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Offers the user a choice Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3816 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp9813.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
3180 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\stonefish.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3596 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpC4E1.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3180 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRAAB1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3180 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:CCB2FEBFA33D3507B05370C3E2D3B3FA | SHA256:EBD4278673E75AAD44DDA8FB7C0B6D11EAA4AA9C24409F2E9AC1DCD16324D706 | |||
3180 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:FF30E774DF14DB739CE08281A12F100A | SHA256:60A36C7210D2C51C28AEAF55A60846BA180540E7C08379A9761C849751CC3CE0 | |||
2940 | WinRAR.exe | C:\Users\admin\Desktop\INV-2003493202-201906.exe | executable | |
MD5:94C23C2C3E2E34900A58C406D02DBE2E | SHA256:8705E2095F8B23B1A555E3B32725EE83E122AE8F3FB149764FDD519887E864F4 | |||
3180 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\stonefish.rtf.LNK | lnk | |
MD5:B665C40DDD1980A89BE4853F7149D80E | SHA256:6A70DDC3DA2669C35647DAA98574F713070A3F5B1A8752119AA32B27E2BD8D9B | |||
3180 | WINWORD.EXE | C:\Users\admin\Desktop\~$onefish.rtf | pgc | |
MD5:CE4B926809774FEEFA2481F0E7A5BE74 | SHA256:7C94064B63489C13E1441925272AD93D16F3D606A3AC3A2AAA1F59F2F651554D | |||
3032 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904 | text | |
MD5:454353131947D1483FF5470107478978 | SHA256:2DF94DC1C58E952A1EBD1AE1185A291A8A573982CA90EC1BBB87B81126002668 | |||
3596 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmpC4E1.tmp | text | |
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048 | SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 | |||
3816 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp9813.tmp | text | |
MD5:3E1E093DCCE32C716267A28292E0EE27 | SHA256:56285445424AD06DC043154819B5BDABAA7C26F5779CA3E37E08424ED9926CB8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3032 | RegAsm.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 14 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3032 | RegAsm.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
3032 | RegAsm.exe | 202.143.99.153:587 | mail.gattibufood.com | CtrlS Datacenters Ltd. | IN | malicious |
Domain | IP | Reputation |
---|---|---|
bot.whatismyipaddress.com |
| shared |
mail.gattibufood.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3032 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.HawkEye IP Check |