analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Payment_Notification.msg

Full analysis: https://app.any.run/tasks/51b142a2-764a-4a45-91f9-bbe8ea4089fe
Verdict: Malicious activity
Threats:

Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.

Analysis date: March 14, 2019, 12:11:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
keylogger
hawkeye
evasion
trojan
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

5F44FF09A6AF400557AF4343F3764827

SHA1:

76011D7718F28BEC65AA3A410B7EFFBAC597408E

SHA256:

BB46972D06BE351DAA806A188F1940FC85D8AA688C08847C956221B5DA7C9AD1

SSDEEP:

12288:4VsG/tl/SQWdVDOARkwgUArwhYLzvsEczaUu9E:UsGLSQKKAPgUAshYLzEEv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 3476)
    • Application was dropped or rewritten from another process

      • Payment_Notification.gz.exe (PID: 3304)
      • Payment_Notification.gz.exe (PID: 4060)
    • Changes the autorun value in the registry

      • Payment_Notification.gz.exe (PID: 3304)
    • Detected Hawkeye Keylogger

      • Payment_Notification.gz.exe (PID: 3304)
    • Actions looks like stealing of personal data

      • vbc.exe (PID: 1244)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3476)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3476)
      • Payment_Notification.gz.exe (PID: 3304)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2840)
      • Payment_Notification.gz.exe (PID: 3304)
    • Application launched itself

      • Payment_Notification.gz.exe (PID: 4060)
    • Executes scripts

      • Payment_Notification.gz.exe (PID: 3304)
    • Checks for external IP

      • Payment_Notification.gz.exe (PID: 3304)
    • Connects to SMTP port

      • Payment_Notification.gz.exe (PID: 3304)
    • Loads DLL from Mozilla Firefox

      • vbc.exe (PID: 3332)
  • INFO

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start outlook.exe winrar.exe payment_notification.gz.exe no specs #HAWKEYE payment_notification.gz.exe vbc.exe vbc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3476"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Payment_Notification.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
2840"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VXZ59S7N\Payment_Notification gz.zip"C:\Program Files\WinRAR\WinRAR.exe
OUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
4060"C:\Users\admin\AppData\Local\Temp\Rar$EXa2840.2703\Payment_Notification.gz.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2840.2703\Payment_Notification.gz.exeWinRAR.exe
User:
admin
Company:
Haskness0
Integrity Level:
MEDIUM
Description:
TRAYAN2
Exit code:
0
Version:
6.03.0002
3304C:\Users\admin\AppData\Local\Temp\Rar$EXa2840.2703\Payment_Notification.gz.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2840.2703\Payment_Notification.gz.exe
Payment_Notification.gz.exe
User:
admin
Company:
Haskness0
Integrity Level:
MEDIUM
Description:
TRAYAN2
Version:
6.03.0002
1244C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Payment_Notification.gz.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5420
3332C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exePayment_Notification.gz.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5420
Total events
2 047
Read events
1 612
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3
Text files
27
Unknown types
1

Dropped files

PID
Process
Filename
Type
3476OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRDCE4.tmp.cvr
MD5:
SHA256:
3476OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VXZ59S7N\Payment_Notification gz (2).zip\:Zone.Identifier:$DATA
MD5:
SHA256:
1244vbc.exeC:\Users\admin\AppData\Local\Temp\holdermail.txt
MD5:
SHA256:
3332vbc.exeC:\Users\admin\AppData\Local\Temp\holderwb.txt
MD5:
SHA256:
3476OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VXZ59S7N\Payment_Notification gz.zipcompressed
MD5:FAD229214B4CE775589D55FF760DC388
SHA256:B67A609CCB0CBFF4B88C759A79D6A3F71590FCC2DE9647F1695763FE941433E4
4060Payment_Notification.gz.exeC:\Users\admin\AppData\Local\Temp\~DF4890A3C5910E4569.TMPbinary
MD5:E1F73FC97DBA66F93E18788C2D27F264
SHA256:2F1D918170E9BF57B8EF1022D5C43E7437CC9B56C6076B0CAE5C14023CF6165D
3304Payment_Notification.gz.exeC:\Users\admin\AppData\Roaming\pidloc.txttext
MD5:C8FD78B399B6D0F07579DF4416B9B870
SHA256:0CAE7D060EE48F5EED7372A6564A3AC83C0314C26491BC1EC7412567132C6732
2840WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2840.2703\Payment_Notification.gz.exeexecutable
MD5:58EE57C0D91B7137DAE24746CDDE364D
SHA256:77A078BAB1AAF78BB78B9912B130C0FA7BBDAD82C67274F62C5939A8D4F9BBAF
3476OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:12A2E29376C1C337962E9799EEAEE924
SHA256:9506EDB79E19649DD3F0910469FA34454693A0CB62A5C07316AE342A61C346C6
3476OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VXZ59S7N\Payment_Notification gz (2).zipcompressed
MD5:FAD229214B4CE775589D55FF760DC388
SHA256:B67A609CCB0CBFF4B88C759A79D6A3F71590FCC2DE9647F1695763FE941433E4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3476
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3304
Payment_Notification.gz.exe
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3476
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3304
Payment_Notification.gz.exe
208.91.199.225:587
smtp.easterncarqo.co.in
PDR
US
shared
3304
Payment_Notification.gz.exe
104.16.154.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
whatismyipaddress.com
  • 104.16.154.36
  • 104.16.155.36
shared
smtp.easterncarqo.co.in
  • 208.91.199.225
  • 208.91.199.224
  • 208.91.199.223
  • 208.91.198.143
malicious

Threats

PID
Process
Class
Message
3304
Payment_Notification.gz.exe
A Network Trojan was detected
MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck)
3304
Payment_Notification.gz.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3304
Payment_Notification.gz.exe
A Network Trojan was detected
ET TROJAN HawkEye Keylogger Report SMTP
2 ETPRO signatures available at the full report
No debug info