File name: | Ref[G81987993157] Customer Ref[20130819T001T]_pdf.zip |
Full analysis: | https://app.any.run/tasks/37759c03-b10f-4f4a-847f-7670e5a38783 |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | November 15, 2018, 16:21:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 8EF8C1D845F491C586F72B9241030DD7 |
SHA1: | C017C7C0FC77432CBCFDB35E8C5E9AB2244EE7DE |
SHA256: | B51923AA89C9631FACCA48B106458C3D5E66A8A2BDAB9B1F305913AE4D89A6ED |
SSDEEP: | 12288:ZzkdwAqn/O9TMFoc++A/XBrA6O/jQNk3/tziNBZM9e05RhnigC:Jk90KMFoJ+kxA/jrzwwVxi9 |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2018:11:15 03:54:12 |
ZipCRC: | 0x1229c9b0 |
ZipCompressedSize: | 553709 |
ZipUncompressedSize: | 571392 |
ZipFileName: | Ref[G81987993157] Customer Ref[20130819T001T].exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3216 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ref[G81987993157] Customer Ref[20130819T001T]_pdf.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3132 | "C:\Users\admin\Desktop\Ref[G81987993157] Customer Ref[20130819T001T].exe" | C:\Users\admin\Desktop\Ref[G81987993157] Customer Ref[20130819T001T].exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3616 | "C:\Users\admin\Desktop\Ref[G81987993157] Customer Ref[20130819T001T].exe" | C:\Users\admin\Desktop\Ref[G81987993157] Customer Ref[20130819T001T].exe | Ref[G81987993157] Customer Ref[20130819T001T].exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3984 | "C:\Users\admin\AppData\Roaming\Windows Update.exe" | C:\Users\admin\AppData\Roaming\Windows Update.exe | — | Ref[G81987993157] Customer Ref[20130819T001T].exe |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | ||||
2632 | "C:\Users\admin\AppData\Roaming\Windows Update.exe" | C:\Users\admin\AppData\Roaming\Windows Update.exe | Ref[G81987993157] Customer Ref[20130819T001T].exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3444 | "C:\Users\admin\Desktop\Ref[G81987993157] Customer Ref[20130819T001T].exe" | C:\Users\admin\Desktop\Ref[G81987993157] Customer Ref[20130819T001T].exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
4092 | "C:\Users\admin\Desktop\Ref[G81987993157] Customer Ref[20130819T001T].exe" | C:\Users\admin\Desktop\Ref[G81987993157] Customer Ref[20130819T001T].exe | Ref[G81987993157] Customer Ref[20130819T001T].exe | |
User: admin Integrity Level: MEDIUM | ||||
1452 | "C:\Users\admin\AppData\Roaming\Windows Update.exe" | C:\Users\admin\AppData\Roaming\Windows Update.exe | Windows Update.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2092 | dw20.exe -x -s 1652 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | — | Ref[G81987993157] Customer Ref[20130819T001T].exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Error Reporting Shim Version: 2.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3044 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Ref[G81987993157] Customer Ref[20130819T001T].exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3216 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3216.42569\Ref[G81987993157] Customer Ref[20130819T001T].exe | — | |
MD5:— | SHA256:— | |||
3616 | Ref[G81987993157] Customer Ref[20130819T001T].exe | C:\Users\admin\AppData\Local\Temp\SysInfo.txt | text | |
MD5:06775771590A265B40A92714550E5326 | SHA256:831598358C9F4B3D9E9B515B6924BEAB5005D57715AD5489BDA0BB2DB690DBA8 | |||
4092 | Ref[G81987993157] Customer Ref[20130819T001T].exe | C:\Users\admin\AppData\Local\Temp\SysInfo.txt | text | |
MD5:06775771590A265B40A92714550E5326 | SHA256:831598358C9F4B3D9E9B515B6924BEAB5005D57715AD5489BDA0BB2DB690DBA8 | |||
3616 | Ref[G81987993157] Customer Ref[20130819T001T].exe | C:\Users\admin\AppData\Roaming\Windows Update.exe | executable | |
MD5:858EC82F00999C43B940EE9EE040F3B2 | SHA256:8A4A097E8B6F9667756A38657B59B1B631F6C42EC9A006D1D325689A14BE9CF8 | |||
4092 | Ref[G81987993157] Customer Ref[20130819T001T].exe | C:\Users\admin\AppData\Roaming\pidloc.txt | text | |
MD5:06775771590A265B40A92714550E5326 | SHA256:831598358C9F4B3D9E9B515B6924BEAB5005D57715AD5489BDA0BB2DB690DBA8 | |||
4092 | Ref[G81987993157] Customer Ref[20130819T001T].exe | C:\Users\admin\AppData\Roaming\pid.txt | text | |
MD5:77340C2E00E9E6AD1B2784DAD06291EA | SHA256:BE87FCC57797F6239F88630A7817111D7750B36F662B95B7D094A3B98692CDAA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4092 | Ref[G81987993157] Customer Ref[20130819T001T].exe | GET | 403 | 104.16.20.96:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4092 | Ref[G81987993157] Customer Ref[20130819T001T].exe | 104.16.20.96:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
4092 | Ref[G81987993157] Customer Ref[20130819T001T].exe | 213.180.193.38:587 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
Domain | IP | Reputation |
---|---|---|
whatismyipaddress.com |
| shared |
smtp.yandex.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
4092 | Ref[G81987993157] Customer Ref[20130819T001T].exe | A Network Trojan was detected | MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck) |
4092 | Ref[G81987993157] Customer Ref[20130819T001T].exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |