File name: | INV-98-UHX.doc |
Full analysis: | https://app.any.run/tasks/f2bfec4e-5331-4701-8b16-83ec65b370d0 |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | January 18, 2019, 04:42:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 367C248CF6492C5650E13F9068A40B76 |
SHA1: | BBF70243F96CCFE692D646C8497C363AE88BE1FD |
SHA256: | 9044EFFCC0B538A5302A72A3FBCF052D09789F779D2170278AAA0354325571EF |
SSDEEP: | 1536:at7aapppppppGttC+OEi8M52TrtL8quKWlV6HNfJvwxKikBvATSKiHX99A0e83LD:yC9 |
.rtf | | | Rich Text Format (100) |
---|
Upr: | {CH??NG TRÌNH }{*{CH{ƯƠNG TRÌNH }}} |
---|---|
Author: | Mr.Duoc |
LastModifiedBy: | Windows User |
CreateDate: | 2018:12:14 09:22:00 |
ModifyDate: | 2018:12:14 09:22:00 |
LastPrinted: | 2018:12:12 16:35:00 |
RevisionNumber: | 2 |
TotalEditTime: | - |
Pages: | 2 |
Words: | 265 |
Characters: | 1511 |
CharactersWithSpaces: | 1773 |
InternalVersionNumber: | 24689 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1420 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\INV-98-UHX.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000 | ||||
3000 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2420 | C:\Users\admin\AppData\Local\Temp\1.exe | C:\Users\admin\AppData\Local\Temp\1.exe | — | EQNEDT32.EXE |
User: admin Company: interalliance Integrity Level: MEDIUM Description: HAUNTED10 Exit code: 0 Version: 3.09.0001 | ||||
2716 | :\Users\admin\AppData\Local\Temp\1.exe | C:\Users\admin\AppData\Local\Temp\1.exe | 1.exe | |
User: admin Company: interalliance Integrity Level: MEDIUM Description: HAUNTED10 Version: 3.09.0001 | ||||
972 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | 1.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5483 | ||||
2480 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | 1.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5483 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR758D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
972 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holdermail.txt | — | |
MD5:— | SHA256:— | |||
2480 | vbc.exe | C:\Users\admin\AppData\Local\Temp\bhvC6D4.tmp | — | |
MD5:— | SHA256:— | |||
2480 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holderwb.txt | — | |
MD5:— | SHA256:— | |||
1420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2D4489F0-DE0F-42CF-B14E-24365EF9E989}.tmp | — | |
MD5:— | SHA256:— | |||
3000 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\FR48QXLH.txt | text | |
MD5:F860B220BFABB61BEC5D276DE308F4CB | SHA256:2BA8A05B4E599EA0FC8ADFF06D40905F614FAC483B80920495DBAD7F99D23FA0 | |||
1420 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:BDEB2D4C15E71ED37174A10B084C4B0C | SHA256:F72253F652FCC0CFA6CA9A3A305B9141EE2852D9C6EB31D3B1E918A1FB7A7EAC | |||
3000 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\2HiWP5m[1].htm | html | |
MD5:E2CC6E4DDEB1818639921B6DB9B71FF3 | SHA256:85C57B52DDC5F036B3733FA1C2B0FECD17F4BB35B29A5BA8FDC7403382AFA4FE | |||
2420 | 1.exe | C:\Users\admin\AppData\Local\Temp\~DFB79084D1862C1121.TMP | binary | |
MD5:D24115B537CADAB89F4884B3C651C5E0 | SHA256:8AFCCE0322506ADD5662970A4D4D074F23A7444D6F07B9CB9EE018E9A8D57659 | |||
1420 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\INV-98-UHX.LNK | lnk | |
MD5:347FAF42C8C7DE280F02A9B7FC6090F1 | SHA256:5056F900D772FB4C32E992F432281B3BA0C8969B7AADE1569064F943E4AA0DA1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3000 | EQNEDT32.EXE | GET | 200 | 65.60.35.58:443 | https://aoiap.org/images/q.png | US | executable | 1005 Kb | malicious |
2716 | 1.exe | GET | 403 | 104.16.17.96:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
3000 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2HiWP5m | US | html | 117 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3000 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
2716 | 1.exe | 104.16.17.96:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
2716 | 1.exe | 65.60.35.58:587 | aoiap.org | SingleHop, Inc. | US | suspicious |
3000 | EQNEDT32.EXE | 65.60.35.58:443 | aoiap.org | SingleHop, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
aoiap.org |
| malicious |
whatismyipaddress.com |
| shared |
mail.aoiap.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3000 | EQNEDT32.EXE | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader |
2716 | 1.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck) |
2716 | 1.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |