analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

A.X.exe

Full analysis: https://app.any.run/tasks/0b37961f-a675-4ef1-b19d-ce43fd85365e
Verdict: Malicious activity
Threats:

Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.

Analysis date: November 15, 2018, 01:41:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
keylogger
hawkeye
evasion
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

E003026677323E6C709BC404322060C3

SHA1:

3096F69F1789145690E43353EC5A8EB0445AEF3C

SHA256:

AA65847F8DFEB9EEA3085F1F27D1974FC39B7B99649D8EECF6EA70DCA624E26F

SSDEEP:

12288:Yt1YqneVaku4gTKeskVaC2hiRwwSFXtjdvHIPqt:4YxM1DWl5C2kRpW9jdoPqt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Detected Hawkeye Keylogger

      • A.X.exe (PID: 704)
    • Changes the autorun value in the registry

      • A.X.exe (PID: 704)
    • Actions looks like stealing of personal data

      • vbc.exe (PID: 3008)
  • SUSPICIOUS

    • Application launched itself

      • A.X.exe (PID: 3952)
    • Creates files in the user directory

      • A.X.exe (PID: 704)
    • Executable content was dropped or overwritten

      • A.X.exe (PID: 704)
    • Connects to SMTP port

      • A.X.exe (PID: 704)
    • Checks for external IP

      • A.X.exe (PID: 704)
    • Executes scripts

      • A.X.exe (PID: 704)
    • Loads DLL from Mozilla Firefox

      • vbc.exe (PID: 1732)
  • INFO

    • Reads settings of System Certificates

      • A.X.exe (PID: 704)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (90.6)
.exe | Win32 Executable (generic) (4.9)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:12:29 04:34:00+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 921600
InitializedDataSize: 20480
UninitializedDataSize: -
EntryPoint: 0x1344
OSVersion: 4
ImageVersion: 1.9
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.9.0.2
ProductVersionNumber: 1.9.0.2
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: VALENTA10
FileDescription: birdfoot
ProductName: looknon
FileVersion: 1.09.0002
ProductVersion: 1.09.0002
InternalName: Pseudogreek
OriginalFileName: Pseudogreek.exe

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 29-Dec-2006 03:34:00
Detected languages:
  • English - United States
CompanyName: VALENTA10
FileDescription: birdfoot
ProductName: looknon
FileVersion: 1.09.0002
ProductVersion: 1.09.0002
InternalName: Pseudogreek
OriginalFilename: Pseudogreek.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 29-Dec-2006 03:34:00
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000E0894
0x000E1000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.94911
.data
0x000E2000
0x00000A6C
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x000E3000
0x0000392C
0x00004000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.07173

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.2979
616
Unicode (UTF 16LE)
English - United States
RT_VERSION
30001
3.73755
1640
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30002
4.01016
744
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30003
5.67126
3752
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30004
5.93601
2216
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30005
4.55438
5160
Unicode (UTF 16LE)
UNKNOWN
RT_ICON

Imports

MSVBVM60.DLL
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start a.x.exe no specs #HAWKEYE a.x.exe vbc.exe vbc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3952"C:\Users\admin\AppData\Local\Temp\A.X.exe" C:\Users\admin\AppData\Local\Temp\A.X.exeexplorer.exe
User:
admin
Company:
VALENTA10
Integrity Level:
MEDIUM
Description:
birdfoot
Exit code:
0
Version:
1.09.0002
704C:\Users\admin\AppData\Local\Temp\A.X.exe" C:\Users\admin\AppData\Local\Temp\A.X.exe
A.X.exe
User:
admin
Company:
VALENTA10
Integrity Level:
MEDIUM
Description:
birdfoot
Version:
1.09.0002
3008C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
A.X.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5420
1732C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeA.X.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5420
Total events
128
Read events
104
Write events
24
Delete events
0

Modification events

(PID) Process:(704) A.X.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\A_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(704) A.X.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\A_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(704) A.X.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\A_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(704) A.X.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\A_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(704) A.X.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\A_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(704) A.X.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\A_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(704) A.X.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\A_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(704) A.X.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\A_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(704) A.X.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\A_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(704) A.X.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\A_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
1
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3008vbc.exeC:\Users\admin\AppData\Local\Temp\holdermail.txt
MD5:
SHA256:
1732vbc.exeC:\Users\admin\AppData\Local\Temp\holderwb.txt
MD5:
SHA256:
3952A.X.exeC:\Users\admin\AppData\Local\Temp\~DFC5223A9FFDD378C0.TMPbinary
MD5:4DD9CDDAD8F4AD66BF9EC2EACCB42745
SHA256:41C4526BAEF1368A92D0DFE10599CA197BF6FAEF7E9B8011FE3A52AA96175DCF
704A.X.exeC:\Users\admin\AppData\Roaming\pidloc.txttext
MD5:7056A6B342AD8132CF840C2157DAA7B8
SHA256:8400CE09329E7BF411DF79D5253CC5F2F864E5C30D66A6E9CFB75B6E7FBF68E6
704A.X.exeC:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70binary
MD5:DA6C793FB0533AF0139A6D76C9956547
SHA256:BCEC4BFFD8EE03E0FDF1C1577EF4635AC08DB1F94CF07B0C406A6B3A171E9E1D
704A.X.exeC:\Users\admin\AppData\Roaming\WindowsUpdate.exeexecutable
MD5:E003026677323E6C709BC404322060C3
SHA256:AA65847F8DFEB9EEA3085F1F27D1974FC39B7B99649D8EECF6EA70DCA624E26F
704A.X.exeC:\Users\admin\AppData\Roaming\pid.txttext
MD5:F64EAC11F2CD8F0EFA196F8AD173178E
SHA256:E4E549408422875958476160732390DEFEFCAC7C2BD8353D918FE452D20DE2A6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
704
A.X.exe
GET
403
104.16.16.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
704
A.X.exe
104.16.16.96:80
whatismyipaddress.com
Cloudflare Inc
US
shared
704
A.X.exe
204.141.43.189:587
smtp.zoho.com
ZOHO
US
unknown

DNS requests

Domain
IP
Reputation
whatismyipaddress.com
  • 104.16.16.96
  • 104.16.17.96
  • 104.16.18.96
  • 104.16.20.96
  • 104.16.19.96
shared
smtp.zoho.com
  • 204.141.43.189
shared

Threats

PID
Process
Class
Message
704
A.X.exe
A Network Trojan was detected
MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck)
2 ETPRO signatures available at the full report
No debug info