File name: | baabec55747c87dd64e00667fa5f337b2f39c6d37e3396efe44b7d13cbd5c5e9(1).doc |
Full analysis: | https://app.any.run/tasks/69bd507c-42a8-40cf-aeed-be2332153a69 |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | December 06, 2018, 06:26:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators, with escape sequences |
MD5: | 2A1A9DC50312FDE3FD19099B31684B12 |
SHA1: | 380A9E898B89CA42C95283D53EDBAA8B3398C582 |
SHA256: | BAABEC55747C87DD64E00667FA5F337B2F39C6D37E3396EFE44B7D13CBD5C5E9 |
SSDEEP: | 1536:pn3Pn3Jn36n36n37n37n37n37n37n37n37n3Gn3Pn3Pn3Pn3en3gn3nn3WEgErQN:lfV++DDDDDDDyfffqoXmEgErQN |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2840 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\baabec55747c87dd64e00667fa5f337b2f39c6d37e3396efe44b7d13cbd5c5e9(1).doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3296 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3160 | C:\Users\admin\AppData\Local\Temp\1.com | C:\Users\admin\AppData\Local\Temp\1.com | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM Description: Cognatic4 Exit code: 0 Version: 3.04.0006 | ||||
3008 | :\Users\admin\AppData\Local\Temp\1.com | C:\Users\admin\AppData\Local\Temp\1.com | 1.com | |
User: admin Integrity Level: MEDIUM Description: Cognatic4 Version: 3.04.0006 | ||||
2392 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | 1.com | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
3320 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | 1.com |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2840 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR96A8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2392 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holdermail.txt | — | |
MD5:— | SHA256:— | |||
3320 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holderwb.txt | — | |
MD5:— | SHA256:— | |||
2840 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:0FEE22FA40EAB618E269AF59EF990721 | SHA256:DB543AC7F35DE26670D8A65A74DD48BCF6E5E70FF2A75D8A42E2FD500F8A170D | |||
2840 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$abec55747c87dd64e00667fa5f337b2f39c6d37e3396efe44b7d13cbd5c5e9(1).doc | pgc | |
MD5:BC3159C5453B714FC4C7321A0178CFFC | SHA256:5D485F73208CF9DF5F9EE32D9DCE1A314D39B29A7FCBC08BF23764A7D39B56AD | |||
3296 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\1.com | executable | |
MD5:847EBB85EC30A8D241155A181E772406 | SHA256:582EE16DBF4CD83474AFB0BACDC27369AED7214CB2972E7AA2026860DABBAD94 | |||
3008 | 1.com | C:\Users\admin\AppData\Roaming\pid.txt | text | |
MD5:C02F9DE3C2F3040751818AACC7F60B74 | SHA256:E276F59BC5A81F2968DFB34B6324F7D59FEA2723FD733BC9E70D65E848EF8F42 | |||
3296 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\00gMwL[1].jpg | executable | |
MD5:847EBB85EC30A8D241155A181E772406 | SHA256:582EE16DBF4CD83474AFB0BACDC27369AED7214CB2972E7AA2026860DABBAD94 | |||
3008 | 1.com | C:\Users\admin\AppData\Roaming\pidloc.txt | text | |
MD5:92AB5180D6A941F6DC346CDE582CA986 | SHA256:DF06F3D90F69860C90F7C3510FB0295D984BE67F346DB67F5E4F95E998BBB4EC | |||
3160 | 1.com | C:\Users\admin\AppData\Local\Temp\~DFC80AE4D19DEE79F1.TMP | binary | |
MD5:3876E31416A502E6E63CD6C39DFBAB84 | SHA256:C8C3C9D5DA7DFD3AFACCC7D3D7483A6EC24D9788438F6BF018D7FA071422FFF3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3296 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2Ss9Fz5 | US | html | 115 b | shared |
3008 | 1.com | GET | 403 | 104.16.17.96:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3296 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
3008 | 1.com | 104.16.17.96:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
3296 | EQNEDT32.EXE | 163.172.215.76:443 | f.coka.la | Online S.a.s. | NL | malicious |
3008 | 1.com | 87.250.250.38:587 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
f.coka.la |
| malicious |
whatismyipaddress.com |
| shared |
smtp.yandex.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3008 | 1.com | A Network Trojan was detected | MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck) |