File name: | Payment slip.r00 |
Full analysis: | https://app.any.run/tasks/84460516-d512-4c0a-b7b2-d8925273a129 |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | May 14, 2019, 22:51:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 5BE6F6F30D87CA5DAF0753C40D17E10B |
SHA1: | 400D51E9B74D17C82EF4D115EF0FF1B76EB15EDE |
SHA256: | 6FFD492EB82A4FF227CDACB0A2FC0AC6368E649F8E4F931D55327C80BED6B9B7 |
SSDEEP: | 24576:i5/q4JX1Jx+0Z1lGq+vH5DLHCc/u6NDLRFbqBD5slNT9:idXbXvwDLFu6NHbT9 |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1440 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Payment slip.r00" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1432 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1440.29818\Payment slip.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1440.29818\Payment slip.exe | WinRAR.exe | |
User: admin Company: I79ES90RF71X Integrity Level: MEDIUM Description: T74KK73VJ83C Exit code: 0 Version: J68ZG74FT75M | ||||
3664 | "C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe" ldw=kvp | C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe | — | Payment slip.exe |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | ||||
2528 | C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe C:\Users\admin\AppData\Local\Temp\76398576\JATGG | C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe | iwa.exe | |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | ||||
3076 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | iwa.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Version: 4.6.1055.0 built by: NETFXREL2 | ||||
1028 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp5E83.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegSvcs.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
1916 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp7623.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegSvcs.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\pxq.docx | text | |
MD5:9285D6B650675D8B44505377D2FD66BE | SHA256:B0227DEB4F04DE1EDDF3660099B28D81FE8A4E433B200A1124DCA2A2FFB0CCC6 | |||
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\qbr.ico | text | |
MD5:E255E39CB529D92499B90D92CEDBA0BB | SHA256:AD45BAC7F5D2E9CC9AC081DCDF0C4CE5808FCD65E08530FAE4D10863DFDAC315 | |||
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\rhd.ppt | text | |
MD5:B97D65D121264E5A3876BEA6AB2266C2 | SHA256:9E71AE2EEF2B1F67371DCF32B31CBE651A48ADDC6A4F02103B7371AA13BB0511 | |||
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\FileConstants.bmp | text | |
MD5:2572F3FE9AAC7FC39649500186F605ED | SHA256:D79981B760506E40D80A083EC44EDC9D2C257E35CEA9A21415D6AFB101B0F127 | |||
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\etd.txt | text | |
MD5:40DD483781ACD2F02829412D232588D4 | SHA256:139E954FA757E0DE01CB099CC5A17162BA3E59BD21AA70079328767A0657177A | |||
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\ldw=kvp | text | |
MD5:800DD0FE9A090631D892155F711FEFC4 | SHA256:E026DA3C9961781E678D665CF74DC965DA19F82205DD39DE6FFC04E0D09E5929 | |||
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\pbh.pdf | text | |
MD5:3138B3EAB052E5B530D34B26A0CEDB13 | SHA256:E9BCF9E3DA9855824DC523E2B79B09ABF5F251433E1A37ACD5EEF50761CDE35E | |||
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\ben.ppt | text | |
MD5:BC46799C3CC862C5757DBF4CE591AE17 | SHA256:307976FFE39A0DE2B9D49C9AC987B0DD0C7799F5CCEF7FC588DDBBBEDBD81194 | |||
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\seb.txt | text | |
MD5:6C1FE31D1FCA4448A85CE3355A683176 | SHA256:5BC68C5FDB5ADFB206942548EFA20894FB566D70B002FA63845D6D66D4FE55A1 | |||
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\csv.ppt | text | |
MD5:7767D3920B132DEE27B9A10CE1CEB00D | SHA256:6673505E4AF1B18913F39D9B91D6734A87299FD9D2DB188D53A9FD90F9E8311C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3076 | RegSvcs.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 15 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3076 | RegSvcs.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
3076 | RegSvcs.exe | 77.88.21.38:587 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
Domain | IP | Reputation |
---|---|---|
bot.whatismyipaddress.com |
| shared |
smtp.yandex.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3076 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.HawkEye IP Check |