File name: | PI190520.ace |
Full analysis: | https://app.any.run/tasks/5b2d4a62-0400-4c12-8e24-115c66dcbc96 |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | May 20, 2019, 10:38:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid |
MD5: | C37FEDF3C54AB1743986769D2FBA4555 |
SHA1: | 773E721F9BD8EE3B4C1DA3BB755F20157D88F1C9 |
SHA256: | B23D486C7D5B37A77A1460D049B1359430E3F1C54F8EB5EDBF9C83EE55687EE6 |
SSDEEP: | 24576:goV/YSiIuLq91+utm2QHMHYsIZBRfKtbt5D5Yk:g+3ir+9Y2Q7ZXfKN/ |
.ace | | | ACE compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3372 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PI190520.ace" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
272 | "C:\Users\admin\Desktop\PI190520.exe" | C:\Users\admin\Desktop\PI190520.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2400 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | PI190520.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1024 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | PI190520.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2812 | "C:\Users\admin\Desktop\PI190520.exe" | C:\Users\admin\Desktop\PI190520.exe | eventvwr.exe | |
User: admin Integrity Level: HIGH | ||||
2152 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | PI190520.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Services Installation Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
2336 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp674D.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegSvcs.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
3980 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp94E6.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegSvcs.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2812 | PI190520.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FileHistory.vbs | text | |
MD5:B8924BD9B017457F15E970D5302F8222 | SHA256:B20CC06E77C70A3433ECD0A6DD34D8A728F601345CF3C7543A7028FEACDAA987 | |||
3372 | WinRAR.exe | C:\Users\admin\Desktop\PI190520.exe | executable | |
MD5:364BF50964BA77F7FE122AD5ACF95875 | SHA256:39B8ADC88ABB328BF558B2EDA6CD8C7D7C8097059111D98FB9099635E818F90B | |||
2152 | RegSvcs.exe | C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904 | text | |
MD5:5991253EE81690E6E5A59EEF592751AF | SHA256:9DA3EC1338AAD7A97870C113970011403EAC8730DEC3D34519C856D30E580EF3 | |||
2812 | PI190520.exe | C:\Users\admin\RdpSaProxy\tzsync.exe | executable | |
MD5:4723DC1F013DE8CE0AD1F07B2D02F265 | SHA256:5FB87B0B8385390C63C7B0809A2807E1366B51B8D298A68B62622B2C1BCD42E3 | |||
3980 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp94E6.tmp | text | |
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048 | SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 | |||
2336 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp674D.tmp | text | |
MD5:3E1E093DCCE32C716267A28292E0EE27 | SHA256:56285445424AD06DC043154819B5BDABAA7C26F5779CA3E37E08424ED9926CB8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2152 | RegSvcs.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 13 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2152 | RegSvcs.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
2152 | RegSvcs.exe | 198.27.115.53:587 | mail.fuse42.com | OVH SAS | CA | malicious |
Domain | IP | Reputation |
---|---|---|
bot.whatismyipaddress.com |
| shared |
mail.fuse42.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2152 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.HawkEye IP Check |