analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PO-Specification-Drawings_051218.rar

Full analysis: https://app.any.run/tasks/c7212ba2-a92a-436e-a8f1-8709281deed8
Verdict: Malicious activity
Threats:

Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.

Analysis date: December 06, 2018, 03:55:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
keylogger
hawkeye
stealer
rat
nanocore
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

5CE735B5D33425CAF0327A65B0891285

SHA1:

2CA52615FB87E94CBFA15CF6C7876AFE9ED99A1C

SHA256:

9BA750C364C9F2B7CAD0CAA210E14AF945D79ECB4540C19B02DAE2EEE0AB547D

SSDEEP:

24576:HzfslJLdKoQNi8IALM/7n22C0ovBSG+NQEiGp3Y0hqU7Xg:HwlJxKo6AA4rcONQLDB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PO-Specification-Drawings 051218.exe (PID: 2420)
      • PO-Specification-Drawings 051218.exe (PID: 3588)
      • hknewReborn.exe (PID: 3440)
    • Detected Hawkeye Keylogger

      • hknewReborn.exe (PID: 3440)
    • Actions looks like stealing of personal data

      • vbc.exe (PID: 3400)
      • vbc.exe (PID: 3632)
    • Stealing of credential data

      • vbc.exe (PID: 3632)
      • vbc.exe (PID: 3400)
    • Connects to CnC server

      • hknewReborn.exe (PID: 3440)
    • Changes the autorun value in the registry

      • PO-Specification-Drawings 051218.exe (PID: 3588)
    • NanoCore was detected

      • PO-Specification-Drawings 051218.exe (PID: 3588)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PO-Specification-Drawings 051218.exe (PID: 2420)
      • WinRAR.exe (PID: 2932)
      • PO-Specification-Drawings 051218.exe (PID: 3588)
    • Application launched itself

      • PO-Specification-Drawings 051218.exe (PID: 2420)
    • Connects to SMTP port

      • hknewReborn.exe (PID: 3440)
    • Loads DLL from Mozilla Firefox

      • vbc.exe (PID: 3632)
    • Executes scripts

      • hknewReborn.exe (PID: 3440)
    • Creates files in the user directory

      • PO-Specification-Drawings 051218.exe (PID: 3588)
    • Connects to unusual port

      • PO-Specification-Drawings 051218.exe (PID: 3588)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: PO-Specification-Drawings 051218.exe
PackingMethod: Normal
ModifyDate: 2005:12:17 03:00:24
OperatingSystem: Win32
UncompressedSize: 1351504
CompressedSize: 862772
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
6
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winrar.exe po-specification-drawings 051218.exe #HAWKEYE hknewreborn.exe #NANOCORE po-specification-drawings 051218.exe vbc.exe vbc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2932"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PO-Specification-Drawings_051218.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2420"C:\Users\admin\Desktop\PO-Specification-Drawings 051218.exe" C:\Users\admin\Desktop\PO-Specification-Drawings 051218.exe
explorer.exe
User:
admin
Company:
Ventriloquistic
Integrity Level:
MEDIUM
Description:
KEPULAUAN
Exit code:
0
Version:
1.08.0005
3440"C:\Users\admin\AppData\Local\Temp\hknewReborn.exe" C:\Users\admin\AppData\Local\Temp\hknewReborn.exe
PO-Specification-Drawings 051218.exe
User:
admin
Integrity Level:
MEDIUM
Version:
8.0.7.19
3588C:\Users\admin\Desktop\PO-Specification-Drawings 051218.exe" C:\Users\admin\Desktop\PO-Specification-Drawings 051218.exe
PO-Specification-Drawings 051218.exe
User:
admin
Company:
Ventriloquistic
Integrity Level:
MEDIUM
Description:
KEPULAUAN
Version:
1.08.0005
3632"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp7996.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
hknewReborn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5420
3400"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpA72F.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
hknewReborn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5420
Total events
843
Read events
805
Write events
38
Delete events
0

Modification events

(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2932) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\PO-Specification-Drawings_051218.rar
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:writeName:0
Value:
C:\Users\admin\Desktop
(PID) Process:(2932) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files
3
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
3632vbc.exeC:\Users\admin\AppData\Local\Temp\tmp7996.tmptext
MD5:C48992AAE0E8FD5463A7B1617B2E0B88
SHA256:04802C51A3EE5E9F7D48462C50B17ABC0E84D54F5525D70E4C904BCC0634C3CE
2420PO-Specification-Drawings 051218.exeC:\Users\admin\AppData\Local\Temp\hknewReborn.exeexecutable
MD5:89BAB612C085EE6B1BAADE1C33D5CE00
SHA256:8CC38B5CFEE782B2B146DD991CA3D5569A061D3E6DC9CF603857D1CD07CDBA10
3440hknewReborn.exeC:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904text
MD5:3B75ADC98938A9DDAA31838DF7956525
SHA256:97BD8C169B4BB0F2C96243C0A2E8BD4EF041EFE9CDCFA5F221CEF496AB8B00B5
2420PO-Specification-Drawings 051218.exeC:\Users\admin\AppData\Local\Temp\~DF2728525480CAEA00.TMPbinary
MD5:04E325DBC0BCC8AF2912CE4FBD0F39F9
SHA256:9FCA41BFF9DBB7CB19C80107468F823E55CF6A516355ECF28D1693D8C878444D
3588PO-Specification-Drawings 051218.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dattext
MD5:F4777D5638C152AE699C6A24708E8478
SHA256:D37341087AAA4D89111A058BF95B1E2F8C703ADB69A9F4A45606C0461297964F
2932WinRAR.exeC:\Users\admin\Desktop\PO-Specification-Drawings 051218.exeexecutable
MD5:734A03402BEED4E58A1C7C1571317FE9
SHA256:9EB1E516789BB2BB93E23BD3223337893569419A72BC6EBB07754E62CDF401BC
3588PO-Specification-Drawings 051218.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exeexecutable
MD5:734A03402BEED4E58A1C7C1571317FE9
SHA256:9EB1E516789BB2BB93E23BD3223337893569419A72BC6EBB07754E62CDF401BC
3400vbc.exeC:\Users\admin\AppData\Local\Temp\tmpA72F.tmptext
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048
SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
17
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3440
hknewReborn.exe
GET
200
66.171.248.178:80
http://bot.whatismyipaddress.com/
US
text
13 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3440
hknewReborn.exe
66.171.248.178:80
bot.whatismyipaddress.com
Alchemy Communications, Inc.
US
malicious
3588
PO-Specification-Drawings 051218.exe
104.156.238.13:1603
Choopa, LLC
JP
suspicious
3440
hknewReborn.exe
103.14.97.80:587
mail.universaltechnologies.in
Trunkoz Technologies Pvt Ltd
IN
malicious

DNS requests

Domain
IP
Reputation
bot.whatismyipaddress.com
  • 66.171.248.178
shared
mail.universaltechnologies.in
  • 103.14.97.80
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
3440
hknewReborn.exe
A Network Trojan was detected
ET TROJAN Hawkeye Keylogger SMTP Beacon
3440
hknewReborn.exe
A Network Trojan was detected
MALWARE [PTsecurity] HawkEye Reborn8 Stealing Data via SMTP
3440
hknewReborn.exe
A Network Trojan was detected
ET TROJAN Hawkeye Keylogger SMTP Beacon
3440
hknewReborn.exe
A Network Trojan was detected
MALWARE [PTsecurity] HawkEye Reborn8 Stealing Data via SMTP
4 ETPRO signatures available at the full report
No debug info