Field | Value
---|---
File name: | C:\Users\admin\Desktop\Minecraft Checker By X-Risky.exe
Full analysis: | https://app.any.run/tasks/0d576f6f-1844-40c9-8a3e-f726e75e0d7b
Verdict: | Malicious activity
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.
Analysis date: | August 02, 2022, 16:39:20
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: |
Indicators: |
MIME: | application/x-dosexec
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: | 9E406A02CA9D84F5760F5145117851F1
SHA1: | A731A2A9FF12D9A43007293D57AC0AD8DF389E6E
SHA256: | 8DED238D427EB6D27201DB32A2721E026DC25408F37E38F85E051744F3C12131
SSDEEP: | 12288:BN1n4zPJKa259zLgrD7iiUVv8YgBv2w/fXpZEqmiO3bd1kWlZ7:B7ehKa25aDfc85Bv2kf5WfiI
Extension | Identified type (score)
---|---
.exe | Generic CIL Executable (.NET, Mono, etc.) (81)
.dll | Win32 Dynamic Link Library (generic) (7.2)
.exe | Win32 Executable (generic) (4.9)
.exe | Win16/32 Executable Delphi generic (2.2)
.exe | Generic Win/DOS Executable (2.2)
Field | Value
---|---
AssemblyVersion: | 0.0.0.0
ProductVersion: | 0.0.0.0
OriginalFileName: | best checker.exe
LegalCopyright: |
InternalName: | best checker.exe
FileVersion: | 0.0.0.0
FileDescription: |
CharacterSet: | Unicode
LanguageCode: | Neutral
FileSubtype: | -
ObjectFileType: | Executable application
FileOS: | Win32
FileFlags: | (none)
FileFlagsMask: | 0x003f
ProductVersionNumber: | 0.0.0.0
FileVersionNumber: | 0.0.0.0
Subsystem: | Windows GUI
SubsystemVersion: | 4
ImageVersion: | -
OSVersion: | 4
EntryPoint: | 0x93e9e
UninitializedDataSize: | -
InitializedDataSize: | 103424
CodeSize: | 598016
LinkerVersion: | 6
PEType: | PE32
TimeStamp: | 2019:07:24 17:09:37+02:00
MachineType: | Intel 386 or later, and compatibles
Field | Value
---|---
Architecture: | IMAGE_FILE_MACHINE_I386
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: | 24-Jul-2019 15:09:37
FileDescription: | -
FileVersion: | 0.0.0.0
InternalName: | best checker.exe
LegalCopyright: | -
OriginalFilename: | best checker.exe
ProductVersion: | 0.0.0.0
Assembly Version: | 0.0.0.0
DOS header field | Value
---|---
Magic number: | MZ
Bytes on last page of file: | 0x0090
Pages in file: | 0x0003
Relocations: | 0x0000
Size of header: | 0x0004
Min extra paragraphs: | 0x0000
Max extra paragraphs: | 0xFFFF
Initial SS value: | 0x0000
Initial SP value: | 0x00B8
Checksum: | 0x0000
Initial IP value: | 0x0000
Initial CS value: | 0x0000
Overlay number: | 0x0000
OEM identifier: | 0x0000
OEM information: | 0x0000
Address of NE header: | 0x00000080
PE header field | Value
---|---
Signature: | PE
Machine: | IMAGE_FILE_MACHINE_I386
Number of sections: | 4
Time date stamp: | 24-Jul-2019 15:09:37
Pointer to Symbol Table: | 0x00000000
Number of symbols: | 0
Size of Optional Header: | 0x00E0
Characteristics: |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x00091EA4 | 0x00092000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.95486 |
.sdata | 0x00094000 | 0x000001E8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.62077 |
.rsrc | 0x00096000 | 0x00018F94 | 0x00019000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.14596 |
.reloc | 0x000B0000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
2 | 1.87688 | 67624 | Latin 1 / Western European | UNKNOWN | RT_ICON |
3 | 1.82579 | 16936 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 2.17979 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 1.72045 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 2.58971 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON |
Imported DLLs |
---|
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2644 | "C:\Users\admin\AppData\Local\Temp\Minecraft Checker By X-Risky.exe" | C:\Users\admin\AppData\Local\Temp\Minecraft Checker By X-Risky.exe | | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Description: ; Exit code: 0; Version: 0.0.0.0
2908 | "C:\Users\admin\AppData\Local\Temp\57a6d785a.exe" | C:\Users\admin\AppData\Local\Temp\57a6d785a.exe | — | Minecraft Checker By X-Risky.exe | User: admin; Integrity Level: MEDIUM; Description: ; Exit code: 0; Version: 0.0.0.0
2772 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | | 57a6d785a.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 4.0.30319.34209 built by: FX452RTMGDR
2752 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | | Regasm.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5483
3740 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | | Regasm.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5483

Hawkeye configuration extracted from (PID) Process: (2772) Regasm.exe

Key | Value
---|---
steam | Disablesteam
spreaders | Disablespreaders
misconfig | Disablemsconfig
cmd | Disablecmd
reg | Disablereg
melt | Disablemelt
stealers | stealers
logger | logger
TaskManager | TaskManager
clip | clip
screeny | screeny
startup | startup
fakerror | Disablefakerror
DisableSSL | EnableSSL
notify | Disablenotify
websiteblocker | websiteblocker
websitevisitor | websitevisitor
downloader | downloadfiles
binder | bindfiles
clearff | dontclearff
clearie | dontclearie
delaytime | 0
usephp | nophp
useftp | noftp
useemail | yesemail
encryptedphplink | http://www.site.com/logs.php
encryptedftppass | YourPassword
encryptedftpuser | YourUsername
encryptedftphost | ftp.yourhost.com
fakemgrstring |
timerstring | 300000
portstring | 25
encryptedsmtpstring | fich.cf
encryptedpassstring | y?h2gJ50
encryptedemailstring | [email protected]
PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---
2644 | Minecraft Checker By X-Risky.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | 57a6d785a.exe | write | C:\Users\admin\AppData\Local\Temp\57a6d785a.exe
2644 | Minecraft Checker By X-Risky.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1
2644 | Minecraft Checker By X-Risky.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1
2644 | Minecraft Checker By X-Risky.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1
2644 | Minecraft Checker By X-Risky.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0
2772 | Regasm.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Regasm_RASAPI32 | EnableFileTracing | write | 0
2772 | Regasm.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Regasm_RASAPI32 | EnableConsoleTracing | write | 0
2772 | Regasm.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Regasm_RASAPI32 | FileTracingMask | write |
2772 | Regasm.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Regasm_RASAPI32 | ConsoleTracingMask | write |
2772 | Regasm.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Regasm_RASAPI32 | MaxFileSize | write | 1048576
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2772 | Regasm.exe | C:\Users\admin\AppData\Roaming\pidloc.txt | text | 5DFAC43607F08090C461EEB487048747 | 59E96AB5671F5D8D45BAC9BAEE99CB5EF421E5EB52C2C198BF66AB1222FAFF21
2644 | Minecraft Checker By X-Risky.exe | C:\Users\admin\AppData\Local\Temp\57a6d785a.exe | executable | 9E406A02CA9D84F5760F5145117851F1 | 8DED238D427EB6D27201DB32A2721E026DC25408F37E38F85E051744F3C12131
2772 | Regasm.exe | C:\Users\admin\AppData\Roaming\pid.txt | text | 92BF5E6240737E0326EA59846A83E076 | 7B2E7211FB4F4D8352C9215C591252344775C56D58B9A5FF88BDA8358628EC4E
2772 | Regasm.exe | C:\Users\admin\AppData\Local\Temp\holderwb.txt | text | 1A5A944C194E1821C443963AF2586F43 | 42B3F74417D8260A119229A8B2CCE35D081FF45AC31217B7579006795CDE225E
2772 | Regasm.exe | C:\Users\admin\AppData\Local\Temp\holdermail.txt | text | F3A0156CCE59E1BAE5CF27A978D1A8D0 | 866880599E808490929FAED118F60E3A8E04B8CDDD26B4B6D6ECA01DBD1FD132
2772 | Regasm.exe | C:\Users\admin\AppData\Roaming\WindowsUpdate.exe | executable | 0134814AD4F6572AFA2DACF6B455E00F | 1A3BBF6F2ABFA4DC657A51EEDF5FA2D6CEF29C9461520990DEB36B97614EB2CF
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2772 | Regasm.exe | 104.16.155.36:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
2772 | Regasm.exe | 104.16.154.36:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---
whatismyipaddress.com | | shared
dns.msftncsi.com | | shared
fich.cf | | malicious
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain |