download: | PO_3100191302_pdf%20%20%20IGST.com.gz |
Full analysis: | https://app.any.run/tasks/2d4d2a1f-23e8-4c07-a5ca-ddf55662ff75 |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | July 18, 2019, 13:15:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/gzip |
File info: | gzip compressed data, was "PO_3100191302_pdf IGST.com", last modified: Wed Jul 17 20:52:16 2019, from Unix |
MD5: | F315262E9AE5FC9C8B5FAEC160D14905 |
SHA1: | C68439076BA57B07DEC9053BF5800F4934855212 |
SHA256: | 6B3E31106968E2134F689EF95ECEEDFEA96ADEE21438944809974D626EA521F8 |
SSDEEP: | 12288:4D42ZY7pLLQ6+3+x7M9vZ3PIDhEQBXd5mekj3S:4D42ZY9Q6+A7MhZohtd5mLj3S |
.z/gz/gzip | | | GZipped data (100) |
---|
Compression: | Deflated |
---|---|
Flags: | FileName |
ModifyDate: | 2019:07:17 22:52:16+02:00 |
ExtraFlags: | (none) |
OperatingSystem: | Unix |
ArchivedFileName: | PO_3100191302_pdf IGST.com |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2880 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\56f90125-2cc8-4658-865f-c19d99972deb.z" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2856 | "C:\Users\admin\Desktop\PO_3100191302_pdf IGST.com" | C:\Users\admin\Desktop\PO_3100191302_pdf IGST.com | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 | ||||
3420 | "C:\Users\admin\AppData\Roaming\msconfig1.exe" | C:\Users\admin\AppData\Roaming\msconfig1.exe | PO_3100191302_pdf IGST.com | |
User: admin Integrity Level: MEDIUM Description: Version: 0.0.0.0 | ||||
2104 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | msconfig1.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
2496 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | msconfig1.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2104 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holdermail.txt | — | |
MD5:— | SHA256:— | |||
2496 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holderwb.txt | — | |
MD5:— | SHA256:— | |||
3420 | msconfig1.exe | C:\Users\admin\AppData\Roaming\pidloc.txt | text | |
MD5:99FAF9C068A7AB59EFBC1C410DEB20E8 | SHA256:9517DA8E3327A8F855161399FD9C8CC7C69BF36A820B3D981010CB30AFF62404 | |||
3420 | msconfig1.exe | C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe | executable | |
MD5:DB60147FE49A45335604E1ECC0404E29 | SHA256:7790FCD70D8363CFDF1CE16F0801BE034DCB1C841C3E972E2FD7CCC482C0A3EF | |||
2880 | WinRAR.exe | C:\Users\admin\Desktop\PO_3100191302_pdf IGST.com | executable | |
MD5:DB60147FE49A45335604E1ECC0404E29 | SHA256:7790FCD70D8363CFDF1CE16F0801BE034DCB1C841C3E972E2FD7CCC482C0A3EF | |||
2856 | PO_3100191302_pdf IGST.com | C:\Users\admin\AppData\Roaming\msconfig1.exe | executable | |
MD5:DB60147FE49A45335604E1ECC0404E29 | SHA256:7790FCD70D8363CFDF1CE16F0801BE034DCB1C841C3E972E2FD7CCC482C0A3EF | |||
3420 | msconfig1.exe | C:\Users\admin\AppData\Roaming\WindowsUpdate.exe | executable | |
MD5:DB60147FE49A45335604E1ECC0404E29 | SHA256:7790FCD70D8363CFDF1CE16F0801BE034DCB1C841C3E972E2FD7CCC482C0A3EF | |||
3420 | msconfig1.exe | C:\Users\admin\AppData\Roaming\pid.txt | text | |
MD5:643DE7CF7BA769C7466CCBC4ADFD7FAC | SHA256:7C6CB0B8E3DCE46864D50F483D628391F1F6F5398A8404003CE8D12150F563B2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3420 | msconfig1.exe | GET | 301 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3420 | msconfig1.exe | 192.185.105.194:587 | mail.freeautocadtutor4.com | CyrusOne LLC | US | unknown |
3420 | msconfig1.exe | 104.16.154.36:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
3420 | msconfig1.exe | 104.16.154.36:443 | whatismyipaddress.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
whatismyipaddress.com |
| shared |
mail.freeautocadtutor4.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3420 | msconfig1.exe | Potential Corporate Privacy Violation | ET POLICY Known External IP Lookup Service Domain in SNI |
3420 | msconfig1.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck) |
3420 | msconfig1.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |