File name: | 91f6b71d207fd712756e18ac6e88b5da10b5b4e4f0e697daaebb65dbd61155f3 |
Full analysis: | https://app.any.run/tasks/250ba66c-6b0e-4972-bae5-5d44608fbd7c |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | March 21, 2019, 21:52:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info: | Microsoft Excel 2007+ |
MD5: | 0D352C6BD47A21E59DE028862C31A9A6 |
SHA1: | ECF719A2AFA461D5BBAFA898AC7A5A0A59A94316 |
SHA256: | 91F6B71D207FD712756E18AC6E88B5DA10B5B4E4F0E697DAAEBB65DBD61155F3 |
SSDEEP: | 768:ByZtRxqmbPAPQODPxsvWITTKosiG5F6XuyzuM6b/j:B+CFPQODPxsvWIaosdshzIbr |
.xlsx | | | Excel Microsoft Office Open XML Format document (61.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (31.5) |
.zip | | | ZIP compressed archive (7.2) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0002 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:03:21 12:50:30 |
ZipCRC: | 0x6096dbee |
ZipCompressedSize: | 405 |
ZipUncompressedSize: | 1811 |
ZipFileName: | [Content_Types].xml |
Creator: | Modey |
---|
LastModifiedBy: | Modey |
---|---|
CreateDate: | 2018:11:29 09:50:53Z |
ModifyDate: | 2018:11:29 09:53:26Z |
Application: | Microsoft Excel |
DocSecurity: | None |
ScaleCrop: | No |
HeadingPairs: |
|
TitlesOfParts: |
|
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 12 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
688 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2184 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
1604 | "C:\Users\admin\AppData\Roaming\profrankj92476.exe" | C:\Users\admin\AppData\Roaming\profrankj92476.exe | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
264 | "C:\Users\admin\AppData\Roaming\frankuox\frankuw.exe" | C:\Users\admin\AppData\Roaming\frankuox\frankuw.exe | — | profrankj92476.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2260 | "C:\Users\admin\AppData\Roaming\frankuox\frankuw.exe" | C:\Users\admin\AppData\Roaming\frankuox\frankuw.exe | frankuw.exe | |
User: admin Integrity Level: MEDIUM | ||||
3512 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpC8A7.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | frankuw.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
648 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpF5C3.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | frankuw.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
688 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR89C8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1604 | profrankj92476.exe | C:\Users\admin\AppData\Roaming\frankuox\frankuw.exe:ZoneIdentifier | — | |
MD5:— | SHA256:— | |||
688 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7A65EF0F.png | — | |
MD5:— | SHA256:— | |||
688 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$91f6b71d207fd712756e18ac6e88b5da10b5b4e4f0e697daaebb65dbd61155f3.xlsx | — | |
MD5:— | SHA256:— | |||
2260 | frankuw.exe | C:\Users\admin\AppData\Local\Temp\c4e681c3-f0d5-5260-1e84-0e7fc68922c3 | text | |
MD5:66D310676A607DB61730F7E2F7B978B6 | SHA256:72FDE97496852A0F753DA982512BCEB0D599071080F680ABC8E751148DABDED0 | |||
2184 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\profrankj92476.exe | executable | |
MD5:0007E79A51DB3E457CD98D437DF902BE | SHA256:283394AB9965B1DAEB262D2F406CA638C57C48A4AEBCE145E06D7DBB18EF8922 | |||
2184 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\frankjoe[1].exe | executable | |
MD5:0007E79A51DB3E457CD98D437DF902BE | SHA256:283394AB9965B1DAEB262D2F406CA638C57C48A4AEBCE145E06D7DBB18EF8922 | |||
1604 | profrankj92476.exe | C:\Users\admin\AppData\Roaming\frankuox\frankuw.exe | executable | |
MD5:0007E79A51DB3E457CD98D437DF902BE | SHA256:283394AB9965B1DAEB262D2F406CA638C57C48A4AEBCE145E06D7DBB18EF8922 | |||
648 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmpF5C3.tmp | text | |
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048 | SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 | |||
3512 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmpC8A7.tmp | text | |
MD5:3E1E093DCCE32C716267A28292E0EE27 | SHA256:56285445424AD06DC043154819B5BDABAA7C26F5779CA3E37E08424ED9926CB8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2260 | frankuw.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 13 b | shared |
2184 | EQNEDT32.EXE | GET | 200 | 217.182.138.150:80 | http://megaklik.top/frankjoe/frankjoe.exe | FR | executable | 965 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2260 | frankuw.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
2260 | frankuw.exe | 198.54.122.60:587 | mail.privateemail.com | Namecheap, Inc. | US | suspicious |
2184 | EQNEDT32.EXE | 217.182.138.150:80 | megaklik.top | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
megaklik.top |
| malicious |
bot.whatismyipaddress.com |
| shared |
mail.privateemail.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2184 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
2184 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
2184 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2184 | EQNEDT32.EXE | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
2260 | frankuw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.HawkEye IP Check |