| Field | Value |
|---|---|
| File name | Payment_Notification.msg |
| Full analysis | https://app.any.run/tasks/51b142a2-764a-4a45-91f9-bbe8ea4089fe |
| Verdict | Malicious activity |
| Threats | HawkEye is a Trojan and keylogger used to steal private information such as passwords and login credentials. It is often installed in a bundle with other malware and features strong anti-analysis and evasion functions. |
| Analysis date | March 14, 2019, 12:11:30 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-outlook |
| File info | CDFV2 Microsoft Outlook Message |
| MD5 | 5F44FF09A6AF400557AF4343F3764827 |
| SHA1 | 76011D7718F28BEC65AA3A410B7EFFBAC597408E |
| SHA256 | BB46972D06BE351DAA806A188F1940FC85D8AA688C08847C956221B5DA7C9AD1 |
| SSDEEP | 12288:4VsG/tl/SQWdVDOARkwgUArwhYLzvsEczaUu9E:UsGLSQKKAPgUAshYLzEEv |
| Extension | Type | Score |
|---|---|---|
| .msg | Outlook Message | 58.9 |
| .oft | Outlook Form Template | 34.4 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3476 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Payment_Notification.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000 |
| 2840 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VXZ59S7N\Payment_Notification gz.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | OUTLOOK.EXE | User: admin; Company: Alexander Roshal; Integrity level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 4060 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2840.2703\Payment_Notification.gz.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2840.2703\Payment_Notification.gz.exe | — | WinRAR.exe | User: admin; Company: Haskness0; Integrity level: MEDIUM; Description: TRAYAN2; Exit code: 0; Version: 6.03.0002 |
| 3304 | C:\Users\admin\AppData\Local\Temp\Rar$EXa2840.2703\Payment_Notification.gz.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2840.2703\Payment_Notification.gz.exe | — | Payment_Notification.gz.exe | User: admin; Company: Haskness0; Integrity level: MEDIUM; Description: TRAYAN2; Version: 6.03.0002 |
| 1244 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | Payment_Notification.gz.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5420 |
| 3332 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | Payment_Notification.gz.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5420 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRDCE4.tmp.cvr | — | — | — |
| 3476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VXZ59S7N\Payment_Notification gz (2).zip\:Zone.Identifier:$DATA | — | — | — |
| 1244 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holdermail.txt | — | — | — |
| 3332 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holderwb.txt | — | — | — |
| 3476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VXZ59S7N\Payment_Notification gz.zip | compressed | FAD229214B4CE775589D55FF760DC388 | B67A609CCB0CBFF4B88C759A79D6A3F71590FCC2DE9647F1695763FE941433E4 |
| 4060 | Payment_Notification.gz.exe | C:\Users\admin\AppData\Local\Temp\~DF4890A3C5910E4569.TMP | binary | E1F73FC97DBA66F93E18788C2D27F264 | 2F1D918170E9BF57B8EF1022D5C43E7437CC9B56C6076B0CAE5C14023CF6165D |
| 3304 | Payment_Notification.gz.exe | C:\Users\admin\AppData\Roaming\pidloc.txt | text | C8FD78B399B6D0F07579DF4416B9B870 | 0CAE7D060EE48F5EED7372A6564A3AC83C0314C26491BC1EC7412567132C6732 |
| 2840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2840.2703\Payment_Notification.gz.exe | executable | 58EE57C0D91B7137DAE24746CDDE364D | 77A078BAB1AAF78BB78B9912B130C0FA7BBDAD82C67274F62C5939A8D4F9BBAF |
| 3476 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 12A2E29376C1C337962E9799EEAEE924 | 9506EDB79E19649DD3F0910469FA34454693A0CB62A5C07316AE342A61C346C6 |
| 3476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VXZ59S7N\Payment_Notification gz (2).zip | compressed | FAD229214B4CE775589D55FF760DC388 | B67A609CCB0CBFF4B88C759A79D6A3F71590FCC2DE9647F1695763FE941433E4 |
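The delivery here is a zip named "Payment_Notification gz.zip" whose only payload is "Payment_Notification.gz.exe": a PE file with an archive extension wedged in front of the real one, so the name looks like a compressed invoice in a mail client that hides known extensions. The script below is an added example of the attachment triage a mail gateway or analyst could run on such an archive; it is not ANY.RUN's code and not part of the sample. The zip is constructed in memory to mirror the report's layout, and because the page does not carry the member's bytes, the payload is a minimal "MZ" header stand-in, which is enough for the magic-byte check. Member names, extension lists and finding strings are this example's own.

```python
"""Attachment triage for a nested archive of the kind seen in this report.

Added example, not ANY.RUN's or HawkEye's code. build_sample_zip() is a
constructed stand-in for "Payment_Notification gz.zip"; the real member
bytes are not on the page, so a bare MZ header is used as the payload.
"""
import io
import os
import zipfile

# Leading bytes a member should carry for the format its last extension claims.
MAGIC = {
    ".exe": b"MZ",
    ".dll": b"MZ",
    ".scr": b"MZ",
    ".gz": b"\x1f\x8b",
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF",
}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl"}
ARCHIVE_EXTS = {".gz", ".zip", ".rar", ".7z", ".tar"}


def split_exts(name):
    """All extensions of a file name, innermost first: 'a.gz.exe' -> ['.gz', '.exe']."""
    base = os.path.basename(name)
    return ["." + part.lower() for part in base.split(".")[1:]]


def triage_member(name, data):
    """Return the findings for one archive member given its name and leading bytes."""
    findings = []
    exts = split_exts(name)
    if not exts:
        return findings
    last = exts[-1]
    # 1. An executable whose inner extension impersonates an archive (x.gz.exe).
    if last in EXECUTABLE_EXTS and any(e in ARCHIVE_EXTS for e in exts[:-1]):
        findings.append("double-extension executable")
    # 2. Content that does not match what the final extension claims.
    expected = MAGIC.get(last)
    if expected is not None and not data.startswith(expected):
        findings.append("magic mismatch for %s" % last)
    # 3. Any PE payload inside a mail attachment is worth a finding of its own.
    if data.startswith(b"MZ") and last not in EXECUTABLE_EXTS:
        findings.append("PE content with non-executable extension")
    elif data.startswith(b"MZ"):
        findings.append("PE payload")
    return findings


def triage_zip(zip_bytes):
    """Map each member of an in-memory zip to its findings (empty list = clean)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.read(info.filename)[:16]  # only the header is needed
            report[info.filename] = triage_member(info.filename, head)
    return report


def build_sample_zip():
    """Constructed stand-in for the report's zip; the member bytes are not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Minimal DOS header: 'MZ' plus zero padding.
        zf.writestr("Payment_Notification.gz.exe", b"MZ" + b"\x00" * 62)
        # A genuine gzip header for contrast, so the clean path is exercised too.
        zf.writestr("notes.gz", b"\x1f\x8b\x08\x00" + b"\x00" * 6)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(member, "->", findings or ["clean"])
```

The name check alone would already flag this sample, but the magic-byte check is what catches the inverse trick (a PE renamed to .gz so the archiver, not the user, opens it), so both are kept.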
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3476 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3304 | Payment_Notification.gz.exe | GET | 403 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3476 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3304 | Payment_Notification.gz.exe | 208.91.199.225:587 | smtp.easterncarqo.co.in | PDR | US | shared |
3304 | Payment_Notification.gz.exe | 104.16.154.36:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
| Domain | IP | Reputation |
|---|---|---|
| config.messenger.msn.com | — | whitelisted |
| whatismyipaddress.com | — | shared |
| smtp.easterncarqo.co.in | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
3304 | Payment_Notification.gz.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck) |
3304 | Payment_Notification.gz.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3304 | Payment_Notification.gz.exe | A Network Trojan was detected | ET TROJAN HawkEye Keylogger Report SMTP |
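The process tree and the two network tables together give the whole HawkEye chain: Outlook hands the attachment to WinRAR, WinRAR runs the .gz.exe straight out of its Rar$EX extraction folder, that binary re-launches itself, and the second instance spawns vbc.exe twice with /stext. That is not a compile: /stext is the save-to-text switch of the NirSoft password recovery tools, and HawkEye runs them inside a hollowed vbc.exe to dump mail (holdermail.txt) and browser (holderwb.txt) credentials. The same instance then checks its public IP and opens SMTP on port 587, which is what the "IP Chck" and "Report SMTP" alerts are keyed on. The rule set below is an added example of how to express those observations as host and network detections; it is not ANY.RUN's or the IDS signatures' code. The events are transcribed from the report tables; the report names the vbc.exe parent only by image, so pid 3304 as that parent is an assumption (it is the instance with the network activity). Rule names and the domain and port lists are this example's own.

```python
"""Detection rules for the HawkEye execution and exfiltration chain in this report.

Added example, not ANY.RUN's code. PROCS and CONNS are transcribed from the
report; the parent pid of the two vbc.exe processes (3304) is assumed, since
the report gives it only by image name.
"""
from collections import defaultdict

PROCS = [
    # (pid, parent pid, image, command line)
    (3476, None, "OUTLOOK.EXE", r'"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Payment_Notification.msg"'),
    (2840, 3476, "WinRAR.exe", r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VXZ59S7N\Payment_Notification gz.zip"'),
    (4060, 2840, "Payment_Notification.gz.exe", r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa2840.2703\Payment_Notification.gz.exe"'),
    (3304, 4060, "Payment_Notification.gz.exe", r'C:\Users\admin\AppData\Local\Temp\Rar$EXa2840.2703\Payment_Notification.gz.exe'),
    (1244, 3304, "vbc.exe", r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"'),
    (3332, 3304, "vbc.exe", r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"'),
]
CONNS = [
    # (pid, destination domain, destination port)
    (3476, "config.messenger.msn.com", 80),
    (3304, "whatismyipaddress.com", 80),
    (3304, "smtp.easterncarqo.co.in", 587),
]

OFFICE = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}
IP_CHECK_DOMAINS = {"whatismyipaddress.com", "checkip.dyndns.org", "api.ipify.org"}
SMTP_PORTS = {25, 465, 587}


def ancestry(procs, pid):
    """Lower-cased images of pid and its ancestors, child first."""
    by_pid = {p[0]: p for p in procs}
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(image.lower())
        pid = ppid
    return chain


def rule_archiver_temp_exe(procs):
    """An archiver launched an .exe straight from its Rar$EX* extraction temp folder."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmd in procs:
        parent = by_pid.get(ppid)
        if (parent and parent[2].lower() in ARCHIVERS
                and image.lower().endswith(".exe") and "\\rar$ex" in cmd.lower()):
            hits.append(pid)
    return hits


def rule_vbc_stext(procs):
    """vbc.exe run with /stext: the NirSoft save-to-text switch, not a compiler flag."""
    return [pid for pid, _, image, cmd in procs
            if image.lower() == "vbc.exe" and "/stext" in cmd.lower()]


def rule_office_to_vbc(procs):
    """vbc.exe whose ancestry leads back to an Office process."""
    return [pid for pid, _, image, _ in procs
            if image.lower() == "vbc.exe" and OFFICE & set(ancestry(procs, pid))]


def rule_ipcheck_then_smtp(conns):
    """One process both looks up its public IP and talks SMTP: the report-by-mail pattern."""
    seen = defaultdict(set)
    for pid, domain, port in conns:
        if domain in IP_CHECK_DOMAINS:
            seen[pid].add("ipcheck")
        if port in SMTP_PORTS:
            seen[pid].add("smtp")
    return sorted(pid for pid, tags in seen.items() if tags == {"ipcheck", "smtp"})


def run_rules(procs=PROCS, conns=CONNS):
    """Evaluate every rule and return the pids each one flags."""
    return {
        "archiver_temp_exe": rule_archiver_temp_exe(procs),
        "vbc_stext_dump": rule_vbc_stext(procs),
        "office_to_vbc": rule_office_to_vbc(procs),
        "ipcheck_then_smtp": rule_ipcheck_then_smtp(conns),
    }


if __name__ == "__main__":
    for name, pids in run_rules().items():
        print("%-20s %s" % (name, pids))
```

The vbc.exe rule is the cheapest of the four and fires on its own, but the ancestry rule is what separates this from a developer box where vbc.exe is a normal child of MSBuild or Visual Studio; in production both should be fed from a process-creation source that records the real parent pid rather than the image name this report gives.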