File name: | PO-Specification-Drawings_051218.rar |
Full analysis: | https://app.any.run/tasks/c7212ba2-a92a-436e-a8f1-8709281deed8 |
Verdict: | Malicious activity |
Threats: | HawkEye is often installed bundled with other malware. It is a Trojan and keylogger used to steal private information such as passwords and login credentials, and it is advanced malware with strong anti-evasion features. |
Analysis date: | December 06, 2018, 03:55:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | 5CE735B5D33425CAF0327A65B0891285 |
SHA1: | 2CA52615FB87E94CBFA15CF6C7876AFE9ED99A1C |
SHA256: | 9BA750C364C9F2B7CAD0CAA210E14AF945D79ECB4540C19B02DAE2EEE0AB547D |
SSDEEP: | 24576:HzfslJLdKoQNi8IALM/7n22C0ovBSG+NQEiGp3Y0hqU7Xg:HwlJxKo6AA4rcONQLDB |
Extension | File type | Confidence (%) |
---|---|---|
.rar | RAR compressed archive (v-4.x) | 58.3 |
.rar | RAR compressed archive (gen) | 41.6 |
ArchivedFileName: | PO-Specification-Drawings 051218.exe |
PackingMethod: | Normal |
ModifyDate: | 2005:12:17 03:00:24 |
OperatingSystem: | Win32 |
UncompressedSize: | 1351504 |
CompressedSize: | 862772 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2932 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PO-Specification-Drawings_051218.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe |
| User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 | | | |
2420 | "C:\Users\admin\Desktop\PO-Specification-Drawings 051218.exe" | C:\Users\admin\Desktop\PO-Specification-Drawings 051218.exe | | explorer.exe |
| User: admin; Company: Ventriloquistic; Integrity Level: MEDIUM; Description: KEPULAUAN; Exit code: 0; Version: 1.08.0005 | | | |
3440 | "C:\Users\admin\AppData\Local\Temp\hknewReborn.exe" | C:\Users\admin\AppData\Local\Temp\hknewReborn.exe | | PO-Specification-Drawings 051218.exe |
| User: admin; Integrity Level: MEDIUM; Version: 8.0.7.19 | | | |
3588 | C:\Users\admin\Desktop\PO-Specification-Drawings 051218.exe" | C:\Users\admin\Desktop\PO-Specification-Drawings 051218.exe | | PO-Specification-Drawings 051218.exe |
| User: admin; Company: Ventriloquistic; Integrity Level: MEDIUM; Description: KEPULAUAN; Version: 1.08.0005 | | | |
3632 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp7996.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | | hknewReborn.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5420 | | | |
3400 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpA72F.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | | hknewReborn.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5420 | | | |
(PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\PO-Specification-Drawings_051218.rar | |||
(PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop | |||
(PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 |
PID | Process | Filename | Type |
---|---|---|---|
3632 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp7996.tmp | text | |
MD5:C48992AAE0E8FD5463A7B1617B2E0B88 | SHA256:04802C51A3EE5E9F7D48462C50B17ABC0E84D54F5525D70E4C904BCC0634C3CE | |||
2420 | PO-Specification-Drawings 051218.exe | C:\Users\admin\AppData\Local\Temp\hknewReborn.exe | executable | |
MD5:89BAB612C085EE6B1BAADE1C33D5CE00 | SHA256:8CC38B5CFEE782B2B146DD991CA3D5569A061D3E6DC9CF603857D1CD07CDBA10 | |||
3440 | hknewReborn.exe | C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904 | text | |
MD5:3B75ADC98938A9DDAA31838DF7956525 | SHA256:97BD8C169B4BB0F2C96243C0A2E8BD4EF041EFE9CDCFA5F221CEF496AB8B00B5 | |||
2420 | PO-Specification-Drawings 051218.exe | C:\Users\admin\AppData\Local\Temp\~DF2728525480CAEA00.TMP | binary | |
MD5:04E325DBC0BCC8AF2912CE4FBD0F39F9 | SHA256:9FCA41BFF9DBB7CB19C80107468F823E55CF6A516355ECF28D1693D8C878444D | |||
3588 | PO-Specification-Drawings 051218.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | |
MD5:F4777D5638C152AE699C6A24708E8478 | SHA256:D37341087AAA4D89111A058BF95B1E2F8C703ADB69A9F4A45606C0461297964F | |||
2932 | WinRAR.exe | C:\Users\admin\Desktop\PO-Specification-Drawings 051218.exe | executable | |
MD5:734A03402BEED4E58A1C7C1571317FE9 | SHA256:9EB1E516789BB2BB93E23BD3223337893569419A72BC6EBB07754E62CDF401BC | |||
3588 | PO-Specification-Drawings 051218.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable | |
MD5:734A03402BEED4E58A1C7C1571317FE9 | SHA256:9EB1E516789BB2BB93E23BD3223337893569419A72BC6EBB07754E62CDF401BC | |||
3400 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmpA72F.tmp | text | |
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048 | SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3440 | hknewReborn.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 13 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3440 | hknewReborn.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
3588 | PO-Specification-Drawings 051218.exe | 104.156.238.13:1603 | — | Choopa, LLC | JP | suspicious |
3440 | hknewReborn.exe | 103.14.97.80:587 | mail.universaltechnologies.in | Trunkoz Technologies Pvt Ltd | IN | malicious |
Domain | IP | Reputation |
---|---|---|
bot.whatismyipaddress.com | | shared |
mail.universaltechnologies.in | | malicious |
dns.msftncsi.com | | shared |
PID | Process | Class | Message |
---|---|---|---|
3440 | hknewReborn.exe | A Network Trojan was detected | ET TROJAN Hawkeye Keylogger SMTP Beacon |
3440 | hknewReborn.exe | A Network Trojan was detected | MALWARE [PTsecurity] HawkEye Reborn8 Stealing Data via SMTP |
3440 | hknewReborn.exe | A Network Trojan was detected | ET TROJAN Hawkeye Keylogger SMTP Beacon |
3440 | hknewReborn.exe | A Network Trojan was detected | MALWARE [PTsecurity] HawkEye Reborn8 Stealing Data via SMTP |