analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

C:\Users\admin\Desktop\Minecraft Checker By X-Risky.exe

Full analysis: https://app.any.run/tasks/0d576f6f-1844-40c9-8a3e-f726e75e0d7b
Verdict: Malicious activity
Threats:

Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.

Analysis date: August 02, 2022, 16:39:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
hawkeye
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

9E406A02CA9D84F5760F5145117851F1

SHA1:

A731A2A9FF12D9A43007293D57AC0AD8DF389E6E

SHA256:

8DED238D427EB6D27201DB32A2721E026DC25408F37E38F85E051744F3C12131

SSDEEP:

12288:BN1n4zPJKa259zLgrD7iiUVv8YgBv2w/fXpZEqmiO3bd1kWlZ7:B7ehKa25aDfc85Bv2kf5WfiI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • Minecraft Checker By X-Risky.exe (PID: 2644)
      • Regasm.exe (PID: 2772)
    • HAWKEYE detected by memory dumps

      • Regasm.exe (PID: 2772)
    • Drops executable file immediately after starts

      • Minecraft Checker By X-Risky.exe (PID: 2644)
      • Regasm.exe (PID: 2772)
    • Application was dropped or rewritten from another process

      • Regasm.exe (PID: 2772)
    • Actions looks like stealing of personal data

      • vbc.exe (PID: 2752)
      • vbc.exe (PID: 3740)
    • Steals credentials from Web Browsers

      • vbc.exe (PID: 3740)
  • SUSPICIOUS

    • Checks supported languages

      • Regasm.exe (PID: 2772)
      • 57a6d785a.exe (PID: 2908)
      • Minecraft Checker By X-Risky.exe (PID: 2644)
      • vbc.exe (PID: 3740)
      • vbc.exe (PID: 2752)
    • Reads the computer name

      • Regasm.exe (PID: 2772)
      • 57a6d785a.exe (PID: 2908)
      • Minecraft Checker By X-Risky.exe (PID: 2644)
      • vbc.exe (PID: 3740)
      • vbc.exe (PID: 2752)
    • Executable content was dropped or overwritten

      • Minecraft Checker By X-Risky.exe (PID: 2644)
      • Regasm.exe (PID: 2772)
    • Starts itself from another location

      • Minecraft Checker By X-Risky.exe (PID: 2644)
    • Reads Environment values

      • Regasm.exe (PID: 2772)
    • Drops a file with a compile date too recent

      • Minecraft Checker By X-Risky.exe (PID: 2644)
      • Regasm.exe (PID: 2772)
    • Loads DLL from Mozilla Firefox

      • vbc.exe (PID: 3740)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Hawkeye

(PID) Process(2772) Regasm.exe
encryptedemailstring[email protected]
encryptedpassstringy?h2gJ50
encryptedsmtpstringfich.cf
portstring25
timerstring300000
fakemgrstring
encryptedftphostftp.yourhost.com
encryptedftpuserYourUsername
encryptedftppassYourPassword
encryptedphplinkhttp://www.site.com/logs.php
useemailyesemail
useftpnoftp
usephpnophp
delaytime0
cleariedontclearie
clearffdontclearff
binderbindfiles
downloaderdownloadfiles
websitevisitorwebsitevisitor
websiteblockerwebsiteblocker
notifyDisablenotify
DisableSSLEnableSSL
fakerrorDisablefakerror
startupstartup
screenyscreeny
clipclip
TaskManagerTaskManager
loggerlogger
stealersstealers
meltDisablemelt
regDisablereg
cmdDisablecmd
misconfigDisablemsconfig
spreadersDisablespreaders
steamDisablesteam
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (81)
.dll | Win32 Dynamic Link Library (generic) (7.2)
.exe | Win32 Executable (generic) (4.9)
.exe | Win16/32 Executable Delphi generic (2.2)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:07:24 17:09:37+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 598016
InitializedDataSize: 103424
UninitializedDataSize: -
EntryPoint: 0x93e9e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: best checker.exe
LegalCopyright:
OriginalFileName: best checker.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Jul-2019 15:09:37
FileDescription: -
FileVersion: 0.0.0.0
InternalName: best checker.exe
LegalCopyright: -
OriginalFilename: best checker.exe
ProductVersion: 0.0.0.0
Assembly Version: 0.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 24-Jul-2019 15:09:37
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x00091EA4
0x00092000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.95486
.sdata
0x00094000
0x000001E8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.62077
.rsrc
0x00096000
0x00018F94
0x00019000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.14596
.reloc
0x000B0000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.10191

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.00112
490
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
2
1.87688
67624
Latin 1 / Western European
UNKNOWN
RT_ICON
3
1.82579
16936
Latin 1 / Western European
UNKNOWN
RT_ICON
4
2.17979
9640
Latin 1 / Western European
UNKNOWN
RT_ICON
5
1.72045
4264
Latin 1 / Western European
UNKNOWN
RT_ICON
6
2.58971
1128
Latin 1 / Western European
UNKNOWN
RT_ICON

Imports

mscoree.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start minecraft checker by x-risky.exe 57a6d785a.exe no specs #HAWKEYE regasm.exe vbc.exe vbc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2644"C:\Users\admin\AppData\Local\Temp\Minecraft Checker By X-Risky.exe" C:\Users\admin\AppData\Local\Temp\Minecraft Checker By X-Risky.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
2908"C:\Users\admin\AppData\Local\Temp\57a6d785a.exe" C:\Users\admin\AppData\Local\Temp\57a6d785a.exeMinecraft Checker By X-Risky.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
2772"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
57a6d785a.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.0.30319.34209 built by: FX452RTMGDR
Hawkeye
(PID) Process(2772) Regasm.exe
encryptedemailstring[email protected]
encryptedpassstringy?h2gJ50
encryptedsmtpstringfich.cf
portstring25
timerstring300000
fakemgrstring
encryptedftphostftp.yourhost.com
encryptedftpuserYourUsername
encryptedftppassYourPassword
encryptedphplinkhttp://www.site.com/logs.php
useemailyesemail
useftpnoftp
usephpnophp
delaytime0
cleariedontclearie
clearffdontclearff
binderbindfiles
downloaderdownloadfiles
websitevisitorwebsitevisitor
websiteblockerwebsiteblocker
notifyDisablenotify
DisableSSLEnableSSL
fakerrorDisablefakerror
startupstartup
screenyscreeny
clipclip
TaskManagerTaskManager
loggerlogger
stealersstealers
meltDisablemelt
regDisablereg
cmdDisablecmd
misconfigDisablemsconfig
spreadersDisablespreaders
steamDisablesteam
2752C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Regasm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483
3740C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Regasm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483
Total events
2 891
Read events
2 868
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
2644Minecraft Checker By X-Risky.exeC:\Users\admin\AppData\Local\Temp\57a6d785a.exeexecutable
MD5:9E406A02CA9D84F5760F5145117851F1
SHA256:8DED238D427EB6D27201DB32A2721E026DC25408F37E38F85E051744F3C12131
2772Regasm.exeC:\Users\admin\AppData\Roaming\pid.txttext
MD5:92BF5E6240737E0326EA59846A83E076
SHA256:7B2E7211FB4F4D8352C9215C591252344775C56D58B9A5FF88BDA8358628EC4E
2772Regasm.exeC:\Users\admin\AppData\Roaming\pidloc.txttext
MD5:5DFAC43607F08090C461EEB487048747
SHA256:59E96AB5671F5D8D45BAC9BAEE99CB5EF421E5EB52C2C198BF66AB1222FAFF21
2772Regasm.exeC:\Users\admin\AppData\Roaming\WindowsUpdate.exeexecutable
MD5:0134814AD4F6572AFA2DACF6B455E00F
SHA256:1A3BBF6F2ABFA4DC657A51EEDF5FA2D6CEF29C9461520990DEB36B97614EB2CF
2772Regasm.exeC:\Users\admin\AppData\Local\Temp\holdermail.txttext
MD5:F3A0156CCE59E1BAE5CF27A978D1A8D0
SHA256:866880599E808490929FAED118F60E3A8E04B8CDDD26B4B6D6ECA01DBD1FD132
2772Regasm.exeC:\Users\admin\AppData\Local\Temp\holderwb.txttext
MD5:1A5A944C194E1821C443963AF2586F43
SHA256:42B3F74417D8260A119229A8B2CCE35D081FF45AC31217B7579006795CDE225E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
3
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2772
Regasm.exe
104.16.154.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
2772
Regasm.exe
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
whatismyipaddress.com
  • 104.16.154.36
  • 104.16.155.36
shared
dns.msftncsi.com
  • 131.107.255.255
shared
fich.cf
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .cf Domain
No debug info