File name: db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06

Full analysis: https://app.any.run/tasks/b28eb02a-3cf0-4763-a9a7-972da8ca1c85
Verdict: Malicious activity
Threats:

Hawkeye is a trojan and keylogger used to harvest private information such as passwords and login credentials. It is often installed bundled with other malware and ships with evasion and anti-analysis features.

Analysis date: January 10, 2025, 18:16:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
smtp
stealer
hawkeye
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 46A4D09A8947DCE0C60D1FB5E757AD02
SHA1: 5EE29EA5C51B3DB66CF2ED4D6787AA44FEBC33D6
SHA256: DB3D98C97CFB274F58DE6EFC1739357371BCB8D006E02FF2857EF8D3605A9C06
SSDEEP: 12288:F9KNTJTUTsEEciz4hnw0TrGM9YHi9okW882B7IMXOp8/pdhDX8:FaJTUgBcY4hnw0TrX9YC9wpS1DX8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • Windows Update.exe (PID: 6688)
    • Actions look like stealing of personal data

      • Windows Update.exe (PID: 6688)
      • vbc.exe (PID: 6892)
      • vbc.exe (PID: 4932)
    • HAWKEYE has been detected (YARA)

      • Windows Update.exe (PID: 6688)
    • Steals credentials from Web Browsers

      • vbc.exe (PID: 4932)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe (PID: 2572)
    • Probably fake Windows Update file has been dropped

      • db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe (PID: 2572)
    • Executable content was dropped or overwritten

      • db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe (PID: 2572)
      • Windows Update.exe (PID: 6688)
    • Probably fake Windows Update

      • Windows Update.exe (PID: 6688)
    • Starts itself from another location

      • db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe (PID: 2572)
    • Checks for external IP

      • svchost.exe (PID: 2192)
      • Windows Update.exe (PID: 6688)
    • Potential Corporate Privacy Violation

      • Windows Update.exe (PID: 6688)
    • The process executes VB scripts

      • Windows Update.exe (PID: 6688)
    • Connects to SMTP port

      • Windows Update.exe (PID: 6688)
  • INFO

    • Reads the machine GUID from the registry

      • db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe (PID: 2572)
      • Windows Update.exe (PID: 6688)
    • Creates files or folders in the user directory

      • db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe (PID: 2572)
      • Windows Update.exe (PID: 6688)
    • Checks supported languages

      • db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe (PID: 2572)
      • Windows Update.exe (PID: 6688)
      • vbc.exe (PID: 6892)
      • vbc.exe (PID: 4932)
    • Create files in a temporary directory

      • db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe (PID: 2572)
      • vbc.exe (PID: 6892)
      • vbc.exe (PID: 4932)
    • Reads the computer name

      • db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe (PID: 2572)
      • Windows Update.exe (PID: 6688)
      • vbc.exe (PID: 6892)
      • vbc.exe (PID: 4932)
    • Disables trace logs

      • Windows Update.exe (PID: 6688)
    • Process checks computer location settings

      • db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe (PID: 2572)
    • Checks proxy server information

      • Windows Update.exe (PID: 6688)
    • The process uses the downloaded file

      • db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe (PID: 2572)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • vbc.exe (PID: 6892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Hawkeye

(PID) Process(6688) Windows Update.exe
encryptedemailstring: [email protected]
encryptedpassstring: @Hustle007ky1
encryptedsmtpstring: mail.britishcrowncourt.net
portstring: 587
timerstring: 300000
fakemgrstring: File Unavailable
encryptedftphost: ftp.yourhost.com
encryptedftpuser: YourUsername
encryptedftppass: YourPassword
encryptedphplink: http://www.site.com/logs.php
useemail: yesemail
useftp: noftp
usephp: nophp
delaytime: 5000
clearie: clearie
clearff: clearff
binder: bindfiles
downloader: downloadfiles
websitevisitor: websitevisitor
websiteblocker: websiteblocker
notify: notify
DisableSSL: EnableSSL
fakerror: fakeerror
startup: startup
screeny: screeny
clip: clip
TaskManager: DisableTaskManager
logger: logger
stealers: stealers
melt: melt
reg: Disablereg
cmd: Disablecmd
misconfig: Disablemsconfig
spreaders: Disablespreaders
steam: steam

Reading the config: only the e-mail channel is enabled (useemail = yesemail, useftp = noftp, usephp = nophp), and the FTP and PHP fields still hold the builder's placeholders (ftp.yourhost.com, YourUsername, YourPassword, http://www.site.com/logs.php). Logs go out over SMTP to mail.britishcrowncourt.net on port 587 every 300000 ms (5 minutes), authenticating as the configured mailbox, whose address is redacted in this report; the mailbox password is in clear text in the extracted config. The "File Unavailable" string is the text of the fake error message the sample shows on launch.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (46)
.exe | InstallShield setup (27)
.exe | Win64 Executable (generic) (17.3)
.dll | Win32 Dynamic Link Library (generic) (4.1)
.exe | Win32 Executable (generic) (2.8)

EXIF

EXE

AssemblyVersion: 0.0.0.0
ProductVersion: 1.0.0.0
ProductName: LenovoController.Application
OriginalFileName: bpaymentcopy.exe
LegalCopyright: Copyright © Hewlett-Packard Company 2012
InternalName: bpaymentcopy.exe
FileVersion: 1.0.0.0
FileDescription: LenovoController.Application
CompanyName: Hewlett-Packard Company
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x80cae
UninitializedDataSize: -
InitializedDataSize: 81408
CodeSize: 519680
LinkerVersion: 8
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2024:12:03 00:38:14+00:00
MachineType: Intel 386 or later, and compatibles
The version resource is internally inconsistent: CompanyName and LegalCopyright claim Hewlett-Packard, ProductName and FileDescription claim LenovoController.Application, and the original file name is bpaymentcopy.exe, a payment-themed lure name. Treat the metadata as forged rather than as evidence of origin.

All screenshots are available in the full report
Total processes: 130
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 1

Behavior graph

explorer.exe
  db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe (PID 2572)
    Windows Update.exe (PID 6688) #HAWKEYE
      vbc.exe (PID 6892)
      vbc.exe (PID 4932)
services.exe
  svchost.exe (PID 2192, -k NetworkService -s Dnscache)

Process information

PID: 2572
CMD: "C:\Users\admin\AppData\Local\Temp\db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe"
Path: C:\Users\admin\AppData\Local\Temp\db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe
Parent process: explorer.exe
User:
admin
Company:
Hewlett-Packard Company
Integrity Level:
MEDIUM
Description:
LenovoController.Application
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6688
CMD: "C:\Users\admin\AppData\Roaming\Windows Update.exe"
Path: C:\Users\admin\AppData\Roaming\Windows Update.exe
Parent process: db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe
User:
admin
Company:
Hewlett-Packard Company
Integrity Level:
MEDIUM
Description:
LenovoController.Application
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\windows update.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6892
CMD: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Parent process: Windows Update.exe
Note: vbc.exe is the VB.NET command-line compiler and has no /stext switch; /stext is the "save report as text" switch of the NirSoft password-recovery tools. Hawkeye hollows vbc.exe and runs those tools inside it, which is why a compiler is writing recovered mail credentials (holdermail.txt, this process) and browser credentials (holderwb.txt, PID 4932) to %TEMP% for the keylogger to collect and send.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.9149
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4932
CMD: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Parent process: Windows Update.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.9149
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 5 838
Read events: 5 823
Write events: 15
Delete events: 0

Modification events

(PID 6688) Windows Update.exe, key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Windows Update_RASAPI32:
  write EnableFileTracing = 0
  write EnableAutoFileTracing = 0
  write EnableConsoleTracing = 0
  write FileTracingMask = (value not shown)
  write ConsoleTracingMask = (value not shown)
  write MaxFileSize = 1048576
  write FileDirectory = %windir%\tracing
(PID 6688) Windows Update.exe, key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Windows Update_RASMANCS:
  write EnableFileTracing = 0
  write EnableAutoFileTracing = 0
  write EnableConsoleTracing = 0

These ten writes are the default values that the Windows RAS tracing layer creates under Tracing\<image name>_RASAPI32 and _RASMANCS the first time a process touches RAS/WinInet (here, the proxy check and the HTTP/SMTP traffic). They are not a deliberate anti-forensic step, so the "Disables trace logs" signature above should be read as "uses WinInet networking", not as log tampering. The autorun write that the signature list attributes to PID 6688 is among the 15 write events but is not reproduced in the ten shown here.
Executable files: 2
Suspicious files: 0
Text files: 4
Unknown types: 0

Dropped files

PID 4932 vbc.exe: C:\Users\admin\AppData\Local\Temp\bhvBBE1.tmp (type, MD5 and SHA256 not reported)
PID 2572 db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe: C:\Users\admin\AppData\Roaming\Windows Update.exe (executable)
  MD5: 46A4D09A8947DCE0C60D1FB5E757AD02
  SHA256: DB3D98C97CFB274F58DE6EFC1739357371BCB8D006E02FF2857EF8D3605A9C06
PID 4932 vbc.exe: C:\Users\admin\AppData\Local\Temp\holderwb.txt (text)
  MD5: F3B25701FE362EC84616A93A45CE9998
  SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
PID 6688 Windows Update.exe: C:\Users\admin\AppData\Roaming\pid.txt (text)
  MD5: 99E7E6CE097324ACEB45F98299CEB621
  SHA256: 86618DEAD4B0D6BB47D327DE127BF227236C1F7F0766D56D8DBA97DADD090822
PID 2572 db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe: C:\Users\admin\AppData\Local\Temp\SysInfo.txt (text)
  MD5: 5A4CFEF904B664F5C8B7B16B88B6152E
  SHA256: 15C6E94BA0F22D8D66125AF31DCC4830763F805DE604B67DABCA0664DD9E02FF
PID 6688 Windows Update.exe: C:\Users\admin\AppData\Roaming\WindowsUpdate.exe (executable)
  MD5: 46A4D09A8947DCE0C60D1FB5E757AD02
  SHA256: DB3D98C97CFB274F58DE6EFC1739357371BCB8D006E02FF2857EF8D3605A9C06
PID 6688 Windows Update.exe: C:\Users\admin\AppData\Roaming\pidloc.txt (text)
  MD5: E9FAEE87A060C806E7234779CFF7B480
  SHA256: CE744D98EF602BA5FE207C4C064DA0075A1BB9BF303E53CA86AF1025AD3AFBF3

Both executables written to %APPDATA%\Roaming (Windows Update.exe, with a space, and WindowsUpdate.exe, without) carry the MD5 and SHA256 of the submitted sample: the dropper copies itself rather than unpacking a separate second-stage binary, so one file hash covers the whole chain.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 35
DNS requests: 22
Threats: 7

HTTP requests

PID Process | Method HTTP code | IP | URL | CN | Reputation
PID 5064 SearchApp.exe | GET 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
PID 1176 svchost.exe | GET 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
(PID not shown) | GET 200 | 23.48.23.159:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
(PID not shown) | GET 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
PID 5200 backgroundTaskHost.exe | GET 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
PID 6688 Windows Update.exe | GET 403 | 104.19.223.79:80 | http://whatismyipaddress.com/ | unknown | shared
PID 5388 SIHClient.exe | GET 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
PID 5388 SIHClient.exe | GET 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

The Type and Size columns were empty for every row. The only HTTP request made by the malware itself is the external-IP lookup from Windows Update.exe, which the site answered with 403; everything else is routine OS certificate-revocation traffic.

Connections

PID Process | IP | Domain | ASN | CN | Reputation
PID 4 System | 192.168.100.255:137 | (no domain/ASN) | whitelisted
PID 4712 MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 732 svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(PID not shown) | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(PID not shown) | 23.48.23.159:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
(PID not shown) | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
PID 4 System | 192.168.100.255:138 | (no domain/ASN) | whitelisted
PID 5064 SearchApp.exe | 104.126.37.185:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
PID 1176 svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
PID 1176 svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

Only the first rows of the 35 connections are reproduced here; the SMTP session to mail.britishcrowncourt.net (207.204.50.48, see DNS requests and Threats below) is not among them.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 23.48.23.159
  • 23.48.23.166
  • 23.48.23.194
  • 23.48.23.143
  • 23.48.23.167
  • 23.48.23.180
  • 23.48.23.141
  • 23.48.23.150
  • 23.48.23.177
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 104.126.37.185
  • 104.126.37.131
  • 104.126.37.123
  • 104.126.37.176
  • 104.126.37.178
  • 104.126.37.179
  • 104.126.37.139
  • 104.126.37.128
  • 104.126.37.130
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.134
  • 40.126.32.68
  • 40.126.32.136
  • 20.190.160.22
  • 40.126.32.133
  • 40.126.32.140
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
whatismyipaddress.com
  • 104.19.223.79
  • 104.19.222.79
shared
mail.britishcrowncourt.net
  • 207.204.50.48
unknown

Threats

Class | Message (the PID and Process columns were empty for every row)
Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (whatismyipaddress .com)
Generic Protocol Command Decode | SURICATA SMTP invalid reply
Misc activity | INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)
Generic Protocol Command Decode | SURICATA SMTP invalid reply
Misc activity | INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)
2 ETPRO signatures available at the full report
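The process, file and network indicators in this report reduce to a handful of detection rules, and the extracted configuration to a few network IOCs. The following is an added example in Python (not ANY.RUN's code and not Hawkeye's): it splits the fused key/value lines of the configuration the way the sandbox printed them, derives the live exfiltration channel from them, and runs behavioural rules over constructed process and network events that mirror this report. The event field names, the rule names, the inferred port-587 connection row and the assumption that "yesftp"/"yesphp" mirror "yesemail" are this example's own, not something the report states.

```python
"""Triage helpers built from this report's indicators: parse the Hawkeye config
the sandbox extracted, derive exfil IOCs from it, and run behavioural rules over
process/network events. Added example, not ANY.RUN or Hawkeye code; the event
schema (type, pid, image, cmdline, dest_host, dest_port) is constructed here."""
import re

# Hawkeye config field names exactly as the sandbox prints them, fused with values.
HAWKEYE_KEYS = [
    "encryptedemailstring", "encryptedpassstring", "encryptedsmtpstring", "portstring",
    "timerstring", "fakemgrstring", "encryptedftphost", "encryptedftpuser",
    "encryptedftppass", "encryptedphplink", "useemail", "useftp", "usephp", "delaytime",
    "clearie", "clearff", "binder", "downloader", "websitevisitor", "websiteblocker",
    "notify", "DisableSSL", "fakerror", "startup", "screeny", "clip", "TaskManager",
    "logger", "stealers", "melt", "reg", "cmd", "misconfig", "spreaders", "steam",
]
_KEYS_LONGEST_FIRST = sorted(HAWKEYE_KEYS, key=len, reverse=True)

# Subset of this report's config block; the e-mail address is redacted in the report.
REPORT_CONFIG = """\
encryptedemailstring[email protected]
encryptedsmtpstringmail.britishcrowncourt.net
portstring587
timerstring300000
useemailyesemail
useftpnoftp
usephpnophp
"""

def parse_hawkeye_config(text):
    """Split each fused 'key+value' line on its longest matching key name."""
    cfg = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        key = next((k for k in _KEYS_LONGEST_FIRST if line.startswith(k)), None)
        if key is None:
            raise ValueError(f"unknown Hawkeye config line: {line!r}")
        cfg[key] = line[len(key):]
    return cfg

def exfil_iocs(cfg):
    """Network IOCs to block and hunt. 'yesemail'/'noftp'/'nophp' are the encodings
    seen in this report; 'yesftp'/'yesphp' are assumed by analogy."""
    flags = (("smtp", "useemail", "yesemail"), ("ftp", "useftp", "yesftp"), ("php", "usephp", "yesphp"))
    return {
        "channels": [name for name, key, on in flags if cfg.get(key) == on],
        "smtp_host": cfg["encryptedsmtpstring"],
        "smtp_port": int(cfg["portstring"]),
        "smtp_account": cfg["encryptedemailstring"],
        "beacon_interval_s": int(cfg["timerstring"]) // 1000,
    }

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# vbc.exe (the VB.NET compiler) has no /stext switch; /stext and its siblings are
# NirSoft "save report" switches, so vbc.exe carrying one has been hollowed.
NIRSOFT_SAVE_SWITCH = re.compile(r"\s/s(text|html|xml|comma|tab)\b", re.I)
MAIL_PORTS = {25, 465, 587}
IP_CHECK_HOSTS = {"whatismyipaddress.com"}  # the lookup service this sample used

def triage(events, iocs):
    """Return (pid, rule) pairs for events matching this sample's tradecraft."""
    findings = []
    for ev in events:
        img, pid = ev["image"], ev["pid"]
        if ev["type"] == "process":
            # Genuine Windows Update binaries live under C:\Windows, never in %APPDATA%.
            if re.fullmatch(r"windows ?update\.exe", basename(img)) and USER_WRITABLE.search(img):
                findings.append((pid, "fake_windows_update_in_appdata"))
            if basename(img) == "vbc.exe" and NIRSOFT_SAVE_SWITCH.search(ev["cmdline"]):
                findings.append((pid, "vbc_hollowed_credential_dump"))
        elif ev["type"] == "network":
            host, port = ev["dest_host"], ev["dest_port"]
            if host == iocs["smtp_host"] and port == iocs["smtp_port"]:
                findings.append((pid, "exfil_smtp_matches_config"))
            elif port in MAIL_PORTS and USER_WRITABLE.search(img):
                findings.append((pid, "smtp_from_user_writable_binary"))
            if host in IP_CHECK_HOSTS:
                findings.append((pid, "external_ip_lookup"))
    return findings

# Constructed events mirroring this report. The port-587 row is inferred from the
# config, the DNS answer for the SMTP host and the SMTP EHLO alerts, not copied.
FAKE_WU = r"C:\Users\admin\AppData\Roaming\Windows Update.exe"
VBC = r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 6688, "image": FAKE_WU, "cmdline": f'"{FAKE_WU}"'},
    {"type": "process", "pid": 6892, "image": VBC,
     "cmdline": VBC + r' /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"'},
    {"type": "process", "pid": 4932, "image": VBC,
     "cmdline": VBC + r' /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"'},
    {"type": "network", "pid": 6688, "image": FAKE_WU, "dest_host": "whatismyipaddress.com", "dest_port": 80},
    {"type": "network", "pid": 6688, "image": FAKE_WU, "dest_host": "mail.britishcrowncourt.net", "dest_port": 587},
    # Benign OS traffic from the same capture; must not fire.
    {"type": "network", "pid": 1176, "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "ocsp.digicert.com", "dest_port": 80},
]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS, exfil_iocs(parse_hawkeye_config(REPORT_CONFIG))), sep="\n")
```

Run it as a script to print the findings; the benign svchost.exe OCSP request is included so the rules can be seen staying quiet on routine OS traffic. The same logic maps directly onto Sysmon event 1 (process creation) and event 3 (network connection), or any EDR telemetry that exposes image path, command line and destination host/port; the config parser is only useful against the fused text the sandbox prints, and it raises on any line whose key it does not know rather than guessing.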