File name:	PO.exe
Full analysis:	https://app.any.run/tasks/bc98bce4-550f-4841-a013-9dd54a9f7db7
Verdict:	Malicious activity
Threats:	Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	December 18, 2018, 07:35:27
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	stealer keylogger hawkeye evasion trojan
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	CECDB998BFDA4AA80315FC39E54121EF
SHA1:	9A8BEF9EBE770EEF4809DC83092187328BDDD6E1
SHA256:	B734AAD330E24D173944AC7A455D08610E0B2F81CED85E6EE6369E6793C71481
SSDEEP:	12288:BzCuaEnZxFyYCE53LzamdvwVX4zEzCoaxnLyjM21:BzCgZvdtLza2vdALp

.exe	\|	Win32 Executable Microsoft Visual Basic 6 (90.6)
.exe	\|	Win32 Executable (generic) (4.9)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

OriginalFileName:	FADGE2.exe
InternalName:	FADGE2
ProductVersion:	4.04.0005
FileVersion:	4.04.0005
ProductName:	Tatemichi
LegalTrademarks:	racisms
LegalCopyright:	rode
FileDescription:	CORSON5
CompanyName:	SOJOURNMENT10
Comments:	MANSARD
CharacterSet:	Unicode
LanguageCode:	English (U.S.)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x0000
ProductVersionNumber:	4.4.0.5
FileVersionNumber:	4.4.0.5
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	4.4
OSVersion:	4
EntryPoint:	0x1490
UninitializedDataSize:	-
InitializedDataSize:	16384
CodeSize:	757760
LinkerVersion:	6
PEType:	PE32
TimeStamp:	1998:01:30 05:33:35+01:00
MachineType:	Intel 386 or later, and compatibles

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	30-Jan-1998 04:33:35
Detected languages:	English - United States
Comments:	MANSARD
CompanyName:	SOJOURNMENT10
FileDescription:	CORSON5
LegalCopyright:	rode
LegalTrademarks:	racisms
ProductName:	Tatemichi
FileVersion:	4.04.0005
ProductVersion:	4.04.0005
InternalName:	FADGE2
OriginalFilename:	FADGE2.exe

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000B8

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	3
Time date stamp:	30-Jan-1998 04:33:35
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x000B8D90	0x000B9000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.4219
.data	0x000BA000	0x00000ABC	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0
.rsrc	0x000BB000	0x00002FAE	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.93958

Title	Entropy	Size	Codepage	Language	Type
1	3.37347	752	Unicode (UTF 16LE)	English - United States	RT_VERSION
30001	4.76962	5672	Unicode (UTF 16LE)	UNKNOWN	RT_ICON
30002	5.3725	2216	Unicode (UTF 16LE)	UNKNOWN	RT_ICON
30003	5.36524	1736	Unicode (UTF 16LE)	UNKNOWN	RT_ICON
30004	3.69909	1384	Unicode (UTF 16LE)	UNKNOWN	RT_ICON

PID	CMD	Path	Indicators	Parent process
2068	"C:\Users\admin\Desktop\PO.exe"	C:\Users\admin\Desktop\PO.exe	—	explorer.exe
User: admin Company: SOJOURNMENT10 Integrity Level: MEDIUM Description: CORSON5 Exit code: 0 Version: 4.04.0005
2704	C:\Users\admin\Desktop\PO.exe"	C:\Users\admin\Desktop\PO.exe		PO.exe
User: admin Company: SOJOURNMENT10 Integrity Level: MEDIUM Description: CORSON5 Exit code: 0 Version: 4.04.0005
2544	"C:\Users\admin\AppData\Roaming\Windows Update.exe"	C:\Users\admin\AppData\Roaming\Windows Update.exe	—	PO.exe
User: admin Company: SOJOURNMENT10 Integrity Level: MEDIUM Description: CORSON5 Exit code: 3221226540 Version: 4.04.0005
264	"C:\Users\admin\AppData\Roaming\Windows Update.exe"	C:\Users\admin\AppData\Roaming\Windows Update.exe		PO.exe
User: admin Company: SOJOURNMENT10 Integrity Level: HIGH Description: CORSON5 Exit code: 0 Version: 4.04.0005
2916	C:\Users\admin\AppData\Roaming\Windows Update.exe"	C:\Users\admin\AppData\Roaming\Windows Update.exe		Windows Update.exe
User: admin Company: SOJOURNMENT10 Integrity Level: HIGH Description: CORSON5 Version: 4.04.0005
2316	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe		Windows Update.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5483
2492	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	—	Windows Update.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5483


(PID) Process:	(2704) PO.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2704) PO.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2704) PO.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2704) PO.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2916) Windows Update.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2916) Windows Update.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Windows Update_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2916) Windows Update.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Windows Update_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2916) Windows Update.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Windows Update_RASAPI32
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(2916) Windows Update.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Windows Update_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760
(PID) Process:	(2916) Windows Update.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Windows Update_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576

PID	Process	Filename		Type
2316	vbc.exe	C:\Users\admin\AppData\Local\Temp\holdermail.txt		—
		MD5:—	SHA256:—
2492	vbc.exe	C:\Users\admin\AppData\Local\Temp\holderwb.txt		—
		MD5:—	SHA256:—
2916	Windows Update.exe	C:\Users\admin\AppData\Roaming\pid.txt		text
		MD5:340A39045C40D50DDA207BCFDECE883A	SHA256:D8A1082B68A287D591A958486DC8E132B2EF7673A21EC940917A6BA13FAB69DA
2068	PO.exe	C:\Users\admin\AppData\Local\Temp\~DFA00223B0371CFAFE.TMP		binary
		MD5:17A3CF5323CD01187AC4703BDB27FBA4	SHA256:A5973BA793EC3A709FFD722476CF187EF2EEA3649CC1467D90C58D2AC6B99E46
2704	PO.exe	C:\Users\admin\AppData\Roaming\Windows Update.exe		executable
		MD5:CECDB998BFDA4AA80315FC39E54121EF	SHA256:B734AAD330E24D173944AC7A455D08610E0B2F81CED85E6EE6369E6793C71481
2704	PO.exe	C:\Users\admin\AppData\Local\Temp\SysInfo.txt		text
		MD5:153074824A075699D831EEF1764D8B7F	SHA256:FC8DCB0D02742EA5F9E902EA366F97AC993931E444E1AFB1B28A1E34DA80F242
264	Windows Update.exe	C:\Users\admin\AppData\Local\Temp\~DF38ED369C58F11627.TMP		binary
		MD5:17A3CF5323CD01187AC4703BDB27FBA4	SHA256:A5973BA793EC3A709FFD722476CF187EF2EEA3649CC1467D90C58D2AC6B99E46
2916	Windows Update.exe	C:\Users\admin\AppData\Roaming\pidloc.txt		text
		MD5:E9FAEE87A060C806E7234779CFF7B480	SHA256:CE744D98EF602BA5FE207C4C064DA0075A1BB9BF303E53CA86AF1025AD3AFBF3

PID	Process	Class	Message
2916	Windows Update.exe	A Network Trojan was detected	MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck)
2916	Windows Update.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
2916	Windows Update.exe	A Network Trojan was detected	ET TROJAN HawkEye Keylogger FTP

PID	Process	IP	Domain	ASN	CN	Reputation
2916	Windows Update.exe	45.58.142.254:40027	—	Sharktech	US	malicious
2916	Windows Update.exe	104.16.18.96:80	whatismyipaddress.com	Cloudflare Inc	US	shared
2916	Windows Update.exe	45.58.142.254:21	—	Sharktech	US	malicious

General Info

PO.exe

CECDB998BFDA4AA80315FC39E54121EF

9A8BEF9EBE770EEF4809DC83092187328BDDD6E1

B734AAD330E24D173944AC7A455D08610E0B2F81CED85E6EE6369E6793C71481

12288:BzCuaEnZxFyYCE53LzamdvwVX4zEzCoaxnLyjM21:BzCgZvdtLza2vdALp

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Detected Hawkeye Keylogger

Actions looks like stealing of personal data

SUSPICIOUS

Creates files in the user directory

Executable content was dropped or overwritten

Checks for external IP

Application launched itself

Starts itself from another location

Executes scripts

Connects to unusual port

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings