| File name: | tkraw_Protected99.exe |
| Full analysis: | https://app.any.run/tasks/034fce4a-f41a-417f-b835-d5113dbde5d7 |
| Verdict: | Malicious activity |
| Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
| Analysis date: | November 25, 2023, 23:58:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 71826BA081E303866CE2A2534491A2F7 |
| SHA1: | B482D64A43F6BFBF758166ECBA680B7F0C59A4F7 |
| SHA256: | 62099532750DAD1054B127689680C38590033FA0BDFA4FB40C7B4DCB2607FB11 |
| SSDEEP: | 24576:EAHnh+eWsN3skA4RV1Hom2KXMmHa/F9OdaxwwHeIbiZLpFC1XJLc/r7/vRP0r2d7:Th+ZkldoPK8Ya/6U+ |
MALICIOUS
Drops the executable file immediately after the start
- tkraw_Protected99.exe (PID: 3004)
Create files in the Startup directory
- tkraw_Protected99.exe (PID: 3004)
Hawkeye Keylogger is detected
- RegAsm.exe (PID: 888)
Steals credentials from Web Browsers
- vbc.exe (PID: 2460)
- RegAsm.exe (PID: 888)
HAWKEYE has been detected (YARA)
- RegAsm.exe (PID: 888)
Steals credentials
- vbc.exe (PID: 2460)
- vbc.exe (PID: 2508)
Uses NirSoft utilities to collect credentials
- vbc.exe (PID: 2460)
- vbc.exe (PID: 2508)
Actions looks like stealing of personal data
- vbc.exe (PID: 2508)
- RegAsm.exe (PID: 888)
- vbc.exe (PID: 2460)
SUSPICIOUS
The process executes VB scripts
- RegAsm.exe (PID: 888)
Accesses Microsoft Outlook profiles
- vbc.exe (PID: 2508)
Loads DLL from Mozilla Firefox
- vbc.exe (PID: 2460)
Reads the Internet Settings
- RegAsm.exe (PID: 888)
INFO
Reads the machine GUID from the registry
- tkraw_Protected99.exe (PID: 3004)
- RegAsm.exe (PID: 888)
- vbc.exe (PID: 2460)
Checks supported languages
- tkraw_Protected99.exe (PID: 3004)
- RegAsm.exe (PID: 888)
- vbc.exe (PID: 2460)
- vbc.exe (PID: 2508)
Reads mouse settings
- tkraw_Protected99.exe (PID: 3004)
Creates files or folders in the user directory
- tkraw_Protected99.exe (PID: 3004)
Reads the computer name
- RegAsm.exe (PID: 888)
- vbc.exe (PID: 2460)
- vbc.exe (PID: 2508)
Create files in a temporary directory
- RegAsm.exe (PID: 888)
- vbc.exe (PID: 2508)
- vbc.exe (PID: 2460)
Reads Environment values
- RegAsm.exe (PID: 888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2019:04:10 06:43:40+02:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 12 |
| CodeSize: | 581632 |
| InitializedDataSize: | 1442816 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2800a |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
41
Monitored processes
4
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 888 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | tkraw_Protected99.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 2460 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp19D.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5483 Modules
| |||||||||||||||
| 2508 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp191E.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5483 Modules
| |||||||||||||||
| 3004 | "C:\Users\admin\Desktop\tkraw_Protected99.exe" | C:\Users\admin\Desktop\tkraw_Protected99.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
743
Read events
743
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
0
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3004 | tkraw_Protected99.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url | text | |
MD5:75D13A598D7D7D81C615422AD8D6CA19 | SHA256:6F1B1DAB8BBBD0230CFBC01A22A6A72D6543C897E6408ED12F6535A0AE21AC0F | |||
| 3004 | tkraw_Protected99.exe | C:\Users\admin\AppData\Roaming\winlogons\winlogons.exe | executable | |
MD5:B180172413ACE72B77179657C81815A9 | SHA256:94B9E90DEEEA0A835DEEBE8CBC797B414E65D32DC1C5325F880019A9F1935A04 | |||
| 2460 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp19D.tmp | text | |
MD5:0888EB5C6DCC37DDA28287D909D6DB1C | SHA256:D3C10379D5FD57E579AD3FC6A5B12C5CF19827DDC4F78367B16ADE825F8C3F37 | |||
| 888 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\5a3847f2-2d26-2931-8be2-2cbc76e72772 | text | |
MD5:454353131947D1483FF5470107478978 | SHA256:2DF94DC1C58E952A1EBD1AE1185A291A8A573982CA90EC1BBB87B81126002668 | |||
| 3004 | tkraw_Protected99.exe | C:\Users\admin\AppData\Roaming\winlogons\winlogons.vbs | text | |
MD5:97AB658F1E0DCBFF8B8CBEC32B8FD799 | SHA256:7056685CA86432159DA135E5425D29A878F3E3B6366D3AC620DD693A39219C4F | |||
| 2508 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp191E.tmp | text | |
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048 | SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
bot.whatismyipaddress.com |
| unknown |