File name: | app.exe |
Full analysis: | https://app.any.run/tasks/ecb2f936-ce04-416c-a8d1-a88d5dadd4ae |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | July 12, 2020, 17:17:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 28D244503B10BFA557911E85C1520DC6 |
SHA1: | 78221AB06D02F1382DF8D28F749AE223D463DD27 |
SHA256: | 6B3FB80564D4843DAF117A578CECD55B24FA8035D4B8012A11E037E2A65809EC |
SSDEEP: | 6144:iwQbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx97cI:9QQtqB5urTIoYWBQk1E+VF9mOx9l |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (46) |
---|---|---|
.exe | | | InstallShield setup (27) |
.exe | | | Win64 Executable (generic) (17.3) |
.dll | | | Win32 Dynamic Link Library (generic) (4.1) |
.exe | | | Win32 Executable (generic) (2.8) |
AssemblyVersion: | 1.0.0.0 |
---|---|
ProductVersion: | 1.0.0.0 |
ProductName: | Microsoft |
OriginalFileName: | Microsoft.exe |
LegalCopyright: | Copyright © 2013 |
InternalName: | Microsoft.exe |
FileVersion: | 1.0.0.0 |
FileDescription: | Microsoft |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x7f0ee |
UninitializedDataSize: | - |
InitializedDataSize: | 171008 |
CodeSize: | 512512 |
LinkerVersion: | 8 |
PEType: | PE32 |
TimeStamp: | 2020:07:12 19:16:43+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 12-Jul-2020 17:16:43 |
FileDescription: | Microsoft |
FileVersion: | 1.0.0.0 |
InternalName: | Microsoft.exe |
LegalCopyright: | Copyright © 2013 |
OriginalFilename: | Microsoft.exe |
ProductName: | Microsoft |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 12-Jul-2020 17:16:43 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x0007D0F4 | 0x0007D200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.54525 |
.rsrc | 0x00080000 | 0x000298D8 | 0x00029A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.28258 |
.reloc | 0x000AA000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0980042 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.94474 | 2259 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
2 | 0.628466 | 67624 | Latin 1 / Western European | UNKNOWN | RT_ICON |
3 | 0.761655 | 38056 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 0.801631 | 21640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 0.756154 | 16936 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 0.893158 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
7 | 0.932139 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON |
8 | 1.07179 | 2440 | Latin 1 / Western European | UNKNOWN | RT_ICON |
9 | 1.16015 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON |
32512 | 2.47702 | 34 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1028 | "C:\Users\admin\AppData\Local\Temp\app.exe" | C:\Users\admin\AppData\Local\Temp\app.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: Microsoft Exit code: 0 Version: 1.0.0.0 | ||||
792 | "C:\Users\admin\AppData\Local\Temp\app.exe" | C:\Users\admin\AppData\Local\Temp\app.exe | app.exe | |
User: admin Integrity Level: HIGH Description: Microsoft Exit code: 0 Version: 1.0.0.0 | ||||
2452 | "C:\Users\admin\AppData\Roaming\Windows Update.exe" | C:\Users\admin\AppData\Roaming\Windows Update.exe | app.exe | |
User: admin Integrity Level: HIGH Description: Microsoft Version: 1.0.0.0 | ||||
2248 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Windows Update.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
2528 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 4294967295 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3620 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Windows Update.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
2780 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 4294967295 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2400 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 4294967295 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3736 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 4294967295 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2248 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holdermail.txt | — | |
MD5:— | SHA256:— | |||
3620 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holderwb.txt | — | |
MD5:— | SHA256:— | |||
792 | app.exe | C:\Users\admin\AppData\Local\Temp\SysInfo.txt | text | |
MD5:0A681452984FB61C50D70AEEF8E30342 | SHA256:7B4A9D8674AD2DCBD9339D867CB662B8ADECDCCAB9D4C26F56F78F06FD561E7C | |||
2452 | Windows Update.exe | C:\Users\admin\AppData\Roaming\pid.txt | text | |
MD5:28B60A16B55FD531047C0C958CE14B95 | SHA256:BBA1DC9846DDD9A44C3D3B736FAA5BDB6673B8D0FE1B0DD445C9F9ADFDA2FF72 | |||
2452 | Windows Update.exe | C:\Users\admin\AppData\Roaming\WindowsUpdate.exe | executable | |
MD5:28D244503B10BFA557911E85C1520DC6 | SHA256:6B3FB80564D4843DAF117A578CECD55B24FA8035D4B8012A11E037E2A65809EC | |||
2452 | Windows Update.exe | C:\Windows\system32\drivers\etc\hosts | text | |
MD5:116CB296479E896240F3939B3930D12A | SHA256:CE5F26C28CBAE5CD45756C9793ABCA71AF9A1D6A207E5BBBE1A7F5BC144444C5 | |||
792 | app.exe | C:\Users\admin\AppData\Roaming\Windows Update.exe | executable | |
MD5:28D244503B10BFA557911E85C1520DC6 | SHA256:6B3FB80564D4843DAF117A578CECD55B24FA8035D4B8012A11E037E2A65809EC | |||
2452 | Windows Update.exe | C:\Users\admin\AppData\Roaming\pidloc.txt | text | |
MD5:E9FAEE87A060C806E7234779CFF7B480 | SHA256:CE744D98EF602BA5FE207C4C064DA0075A1BB9BF303E53CA86AF1025AD3AFBF3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2452 | Windows Update.exe | GET | 301 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2452 | Windows Update.exe | 74.208.5.15:587 | smtp.mail.com | 1&1 Internet SE | US | malicious |
2452 | Windows Update.exe | 104.16.154.36:443 | whatismyipaddress.com | Cloudflare Inc | US | shared |
2452 | Windows Update.exe | 104.16.154.36:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
whatismyipaddress.com |
| shared |
smtp.mail.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2452 | Windows Update.exe | Potential Corporate Privacy Violation | ET POLICY Known External IP Lookup Service Domain in SNI |
2452 | Windows Update.exe | Potential Corporate Privacy Violation | ET POLICY Known External IP Lookup Service Domain in SNI |
2452 | Windows Update.exe | A Network Trojan was detected | SPYWARE [PTsecurity] HawkEye / Predator Pain (IP Chck) |
2452 | Windows Update.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2452 | Windows Update.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |