File name: | PROFORMA INVOICE #20190423072201 pdf.exe |
Full analysis: | https://app.any.run/tasks/653e0ec4-396d-4930-b91c-9b110debf1cf |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | April 25, 2019, 05:08:43 |
OS: | Windows 10 Professional (build: 16299, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 666A200148559E4A83FABB7A1BF655AC |
SHA1: | 574BE6A2468EBC675DB5FE6B848AF9A4178E6121 |
SHA256: | 9B578C46FB09CF29E1A9991BB46AD36776F2E119A9017E502039ABBAF8D6DB19 |
SSDEEP: | 24576:sAHnh+eWsN3skA4RV1Hom2KXMmHaNb+oIdm+NM19RuVHgRVJNDp8a68YyCamYv5:Lh+ZkldoPK8YaJKI |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:04:24 09:50:18+02:00 |
PEType: | PE32 |
LinkerVersion: | 12 |
CodeSize: | 581632 |
InitializedDataSize: | 1445888 |
UninitializedDataSize: | - |
EntryPoint: | 0x2800a |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 0.0.0.0 |
ProductVersionNumber: | 0.0.0.0 |
FileFlagsMask: | 0x0000 |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (British) |
CharacterSet: | Unicode |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 24-Apr-2019 07:50:18 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000110 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 24-Apr-2019 07:50:18 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0008DFDD | 0x0008E000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.67525 |
.rdata | 0x0008F000 | 0x0002FD8E | 0x0002FE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.76324 |
.data | 0x000BF000 | 0x00008F74 | 0x00005200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.19638 |
.rsrc | 0x000C8000 | 0x00124DA4 | 0x00124E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.47554 |
.reloc | 0x001ED000 | 0x00007134 | 0x00007200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.78396 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.40026 | 1007 | Latin 1 / Western European | English - United Kingdom | RT_MANIFEST |
2 | 2.05883 | 296 | Latin 1 / Western European | English - United Kingdom | RT_ICON |
3 | 2.25499 | 296 | Latin 1 / Western European | English - United Kingdom | RT_ICON |
4 | 4.46621 | 4304 | Latin 1 / Western European | English - United Kingdom | RT_ICON |
7 | 3.34702 | 1428 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
8 | 3.2817 | 1674 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
9 | 3.28849 | 1168 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
10 | 3.28373 | 1532 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
11 | 3.26322 | 1628 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
12 | 3.25812 | 1126 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
MPR.dll |
OLEAUT32.dll |
PSAPI.DLL |
SHELL32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2828 | "C:\Users\admin\Desktop\PROFORMA INVOICE #20190423072201 pdf.exe" | C:\Users\admin\Desktop\PROFORMA INVOICE #20190423072201 pdf.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
5916 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | PROFORMA INVOICE #20190423072201 pdf.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.8825 (WinRelRS3.050727-8800) | ||||
3420 | "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp9E26.tmp" | C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.8825 | ||||
1556 | "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpA26D.tmp" | C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.8825 | ||||
2128 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\WINDOWS\System32\rundll32.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
3648 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Documents\flowoperation.rtf" /o "" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 16.0.11328.20158 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3420 | vbc.exe | C:\Users\admin\AppData\Local\Temp\bhv9ED2.tmp | — | |
MD5:— | SHA256:— | |||
3648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{71F8ABD4-E38F-4F0A-8127-C09D6413EA7C}.tmp | — | |
MD5:— | SHA256:— | |||
3648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{186AB506-3E80-4A6D-8B61-4200DDD6B762}.tmp | — | |
MD5:— | SHA256:— | |||
3648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-shm | — | |
MD5:— | SHA256:— | |||
3648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal | — | |
MD5:— | SHA256:— | |||
3648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db | sqlite | |
MD5:B0966619DBE001EB4CFAE92209ACC460 | SHA256:355072D0264F290D302D57D5A9C376A7F31993295D274C5B07DB7016490E1485 | |||
2828 | PROFORMA INVOICE #20190423072201 pdf.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url | text | |
MD5:960F87B0FC5DF0C36CCC7076B045481C | SHA256:F9AC10DEB2BF9C23B328D0F6C7957CA69FB07320F1974F92B797BC14F1CB062C | |||
3648 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\flowoperation.rtf.LNK | lnk | |
MD5:8FDE2361F8C2810F942E76F6A15234AD | SHA256:DFD80C4EEB5C1363E15F9B645A65B6E43A38187C76DFBF274CC9D95648772145 | |||
2828 | PROFORMA INVOICE #20190423072201 pdf.exe | C:\Users\admin\AppData\Roaming\.vbs | text | |
MD5:7B865456911B5E9E20F4A2DDF5042120 | SHA256:1329BE262137625AC968E90911159CDA297B7925E40AF8C34BBBE1E1DEFB2E52 | |||
3420 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp9E26.tmp | text | |
MD5:C867B0BA9152A5A4B9F56F4E0420B1C2 | SHA256:D26DB1E3014E5293260B3316C8E752D7AFE5BAA97228C0CD694719A2A125C434 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
5916 | RegAsm.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 14 b | shared |
3648 | WINWORD.EXE | POST | 200 | 52.114.76.37:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | IE | text | 60 b | whitelisted |
3648 | WINWORD.EXE | GET | 200 | 13.107.3.128:443 | https://config.edge.skype.com/config/v1/Office/16.0.11328.20158?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.11328.20158&MsoVersion=16.0.11328.20156&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b881EB61A-A918-44FD-BA69-C2A758AA4293%7d&LabMachine=false | US | text | 57.3 Kb | whitelisted |
3648 | WINWORD.EXE | POST | 200 | 52.114.76.37:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | IE | text | 9 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3648 | WINWORD.EXE | 52.114.76.37:443 | self.events.data.microsoft.com | Microsoft Corporation | IE | unknown |
5916 | RegAsm.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
5916 | RegAsm.exe | 162.241.253.78:21 | ftp.nxgenbiz.us | CyrusOne LLC | US | malicious |
3648 | WINWORD.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
5916 | RegAsm.exe | 162.241.253.78:36613 | ftp.nxgenbiz.us | CyrusOne LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
config.edge.skype.com |
| whitelisted |
bot.whatismyipaddress.com |
| shared |
ftp.nxgenbiz.us |
| malicious |
self.events.data.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
5916 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.HawkEye IP Check |
5916 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
5916 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger Exfiltration over FTP |
Process | Message |
---|---|
WINWORD.EXE | 2019-04-25 05:10:19.904 T#4476 <E> [AriaSDK.PAL] PAL is already shutdown!
|