File name: HitmanPro.Alert.3.7.10.Build.789.zip
Full analysis: https://app.any.run/tasks/dfad302f-bf52-4ad3-87d4-3953ad739ee2
Verdict: Malicious activity
Analysis date: September 18, 2019, 16:24:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: AE13C1E1D49A4F2A6603C99B1805B19D
SHA1: 38F656555CC2C82804C4F916AC016508667FA46E
SHA256: DEB3DAA2AFBD18A1BADB9416AE246A6780CA7C5E6981FC849C3AA5D943D9D470
SSDEEP: 49152:nkl0MZNn4cLPLSxU5AJMvGg7Sck8C2SJyjAHNJEhdDqRH13TVG+fltIMS3b2bukv:n80M/n4lWQgGWAsHD03RGyl+Nqbd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • hmpalert3.exe (PID: 812)
      • hmpalert3.exe (PID: 3952)
      • hmpalert.exe (PID: 3620)
      • hmpalert.exe (PID: 3496)
      • HitmanPro.exe (PID: 3904)
    • Loads dropped or rewritten executable

      • DllHost.exe (PID: 2608)
      • hmpalert.exe (PID: 3620)
      • WinRAR.exe (PID: 3196)
      • DllHost.exe (PID: 3340)
      • hmpalert.exe (PID: 3496)
      • HitmanPro.exe (PID: 3904)
    • Changes settings of System certificates

      • hmpalert3.exe (PID: 3952)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3568)
      • hmpalert3.exe (PID: 3952)
      • WinRAR.exe (PID: 3196)
    • Application launched itself

      • hmpalert3.exe (PID: 812)
      • hmpalert.exe (PID: 3620)
    • Creates files in the Windows directory

      • hmpalert3.exe (PID: 3952)
      • hmpalert.exe (PID: 3620)
    • Creates files in the program directory

      • hmpalert3.exe (PID: 3952)
      • hmpalert.exe (PID: 3620)
    • Creates files in the driver directory

      • hmpalert3.exe (PID: 3952)
    • Creates a software uninstall entry

      • hmpalert3.exe (PID: 3952)
      • hmpalert.exe (PID: 3620)
    • Creates or modifies windows services

      • hmpalert3.exe (PID: 3952)
    • Executed as Windows Service

      • hmpalert.exe (PID: 3620)
    • Creates files in the user directory

      • hmpalert3.exe (PID: 3952)
    • Removes files from Windows directory

      • hmpalert.exe (PID: 3620)
  • INFO

    • Manual execution by user

      • hmpalert3.exe (PID: 812)
      • WinRAR.exe (PID: 3196)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:09:06 21:08:23
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: HitmanPro.Alert 3.7.10 Build 789 Multilingual/
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 9
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive graph, not reproduced here; process nodes in order): start, winrar.exe, hmpalert3.exe (no specs), hmpalert3.exe, hmpalert.exe, Thumbnail Cache Out of Proc Server (no specs), hmpalert.exe, winrar.exe, Thumbnail Cache Out of Proc Server (no specs), hitmanpro.exe (no specs)

Process information

PID 3568 (parent process: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\HitmanPro.Alert.3.7.10.Build.789.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 812 (parent process: explorer.exe)
  CMD: "C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe"
  Path: C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe
  User: admin
  Company: SurfRight B.V.
  Integrity Level: MEDIUM
  Description: HitmanPro.Alert
  Exit code: 1
  Version: 3.7.10.789

PID 3952 (parent process: hmpalert3.exe)
  CMD: "C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe" /elevated /scan
  Path: C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe
  User: admin
  Company: SurfRight B.V.
  Integrity Level: HIGH
  Description: HitmanPro.Alert
  Version: 3.7.10.789

PID 3620 (parent process: services.exe)
  CMD: "C:\Program Files\HitmanPro.Alert\hmpalert.exe" /service
  Path: C:\Program Files\HitmanPro.Alert\hmpalert.exe
  User: SYSTEM
  Company: SurfRight B.V.
  Integrity Level: SYSTEM
  Description: HitmanPro.Alert
  Version: 3.7.10.789

PID 2608 (parent process: svchost.exe)
  CMD: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  Path: C:\Windows\system32\DllHost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: COM Surrogate
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3496 (parent process: hmpalert.exe)
  CMD: "C:\Program Files\HitmanPro.Alert\hmpalert.exe" /tray
  Path: C:\Program Files\HitmanPro.Alert\hmpalert.exe
  User: admin
  Company: SurfRight B.V.
  Integrity Level: MEDIUM
  Description: HitmanPro.Alert
  Version: 3.7.10.789

PID 3196 (parent process: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\Patch.zip" "C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3340 (parent process: svchost.exe)
  CMD: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  Path: C:\Windows\system32\DllHost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: COM Surrogate
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3904 (parent process: hmpalert.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\HitmanPro.exe" /noupdate /scan /quiet
  Path: C:\Users\admin\AppData\Local\Temp\HitmanPro.exe
  User: admin
  Company: SurfRight B.V.
  Integrity Level: HIGH
  Description: HitmanPro 3.8
  Version: 3, 8, 15, 306
Total events: 1 588
Read events: 993
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 6
Suspicious files: 10
Text files: 3
Unknown types: 4

Dropped files

PID | Process | Filename | Type
3620 | hmpalert.exe | C:\ProgramData\HitmanPro\localcache.db-journal | -
  MD5: -
  SHA256: -
3952 | hmpalert3.exe | C:\Windows\system32\hmpalert.dll | executable
  MD5: 84A42A99E951A99D0E73E51CFB0CFA2C
  SHA256: 3BBF372926671376CA4660CEC53FECE9136316E6FA4714C1331D302E3B522889
3952 | hmpalert3.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert\HitmanPro.Alert.lnk | lnk
  MD5: 52E315CE08A8BEA8E18C07379E5D1FD5
  SHA256: 45A964D3452711DBEAC98845C0A1581F5DC945E7C8CFEFB309BEBFC6964DF4DE
3620 | hmpalert.exe | C:\ProgramData\HitmanPro\localcache.db | sqlite
  MD5: 447A472A60880B7BDF3B410A8216984E
  SHA256: 734031E81A8534BCB24B6C60019420F1A16AD8B8E2E9E30F54D9246725291F40
3568 | WinRAR.exe | C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\Patch.zip | compressed
  MD5: A0CEE0F7EDB93B0D23487466CF44C338
  SHA256: B0AF5357C4D3E773DBF16ECD4047D2C63D3DE66A5BEC6D37838AECE66A4A9EC7
3620 | hmpalert.exe | C:\ProgramData\HitmanPro.Alert\excalibur.db | sqlite
  MD5: 3632289B94E0E288CA91E92945942E79
  SHA256: 7449B9B7DABC20012E488B70A44B1FA59DCC0ED66922671467B55567110DA379
3620 | hmpalert.exe | C:\ProgramData\HitmanPro.Alert\excalibur.db-journal | binary
  MD5: E4AA063DC5CB25D89BA2A738E777261F
  SHA256: F955FAD66F0D1D00E7B25EB3C470F9EB31F070FE18764AAC8704A3069F7009F0
3568 | WinRAR.exe | C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe | executable
  MD5: E8FE4B6D76994174F3A84086993ADC2A
  SHA256: F0A9340F09F2CB58C5B7F0CE694376520AC5D0B36B8072E080C66CFA92C4F18D
3952 | hmpalert3.exe | C:\Program Files\HitmanPro.Alert\hmpalert.exe | executable
  MD5: E8FE4B6D76994174F3A84086993ADC2A
  SHA256: F0A9340F09F2CB58C5B7F0CE694376520AC5D0B36B8072E080C66CFA92C4F18D
3952 | hmpalert3.exe | C:\Windows\system32\drivers\hmpalert.sys | executable
  MD5: 105249813BDB57627FDB2DB9B5D47D3A
  SHA256: 1F49716B6BB6D2EACF8C50BCCC6D3928716E557FAD4299735284AD67F1CCC2C9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 8
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3620 | hmpalert.exe | POST | 200 | 40.71.250.191:80 | http://activate.hitmanpro.nl/activaterequest.aspx | US | - | - | suspicious
3620 | hmpalert.exe | POST | 200 | 40.71.250.191:80 | http://activate.hitmanpro.nl/activaterequest.aspx | US | - | - | suspicious
3620 | hmpalert.exe | POST | 200 | 40.71.250.191:80 | http://activate.hitmanpro.nl/activaterequest.aspx | US | text | 428 b | suspicious
3496 | hmpalert.exe | GET | 200 | 185.105.204.28:80 | http://updates.hitmanpro.com/hmpalert-blm1.bf | NL | binary | 7.76 Kb | suspicious
3952 | hmpalert3.exe | GET | 200 | 91.199.212.52:80 | http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt | GB | der | 1.37 Kb | whitelisted
3952 | hmpalert3.exe | GET | 302 | 185.105.204.28:80 | http://get.hitmanpro.com/ | NL | html | 157 b | suspicious
3620 | hmpalert.exe | POST | 200 | 40.71.250.191:80 | http://activate.hitmanpro.nl/activaterequest.aspx | US | text | 1.50 Kb | suspicious
- | - | GET | - | 172.217.22.4:80 | http://www.google.com/ | US | - | - | whitelisted
3496 | hmpalert.exe | POST | 200 | 23.97.160.56:80 | http://alert.hitmanpro.com/report.ashx | NL | text | 29 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3952 | hmpalert3.exe | 91.199.212.52:80 | crt.usertrust.com | Comodo CA Ltd | GB | suspicious
- | - | 172.217.22.4:80 | www.google.com | Google Inc. | US | whitelisted
3620 | hmpalert.exe | 40.71.250.191:80 | activate.hitmanpro.nl | Microsoft Corporation | US | whitelisted
3952 | hmpalert3.exe | 185.105.204.28:443 | get.hitmanpro.com | Astralus B.V. | NL | suspicious
- | - | 185.105.204.28:80 | get.hitmanpro.com | Astralus B.V. | NL | suspicious
- | - | 87.249.108.117:80 | cloud.hitmanpro.com | Virtu Secure Webservices B.V. | NL | suspicious
3496 | hmpalert.exe | 23.97.160.56:80 | alert.hitmanpro.com | Microsoft Corporation | NL | whitelisted

DNS requests

Domain | IP | Reputation
activate.hitmanpro.nl | 40.71.250.191 | suspicious
get.hitmanpro.com | 185.105.204.28 | suspicious
files.surfright.nl | 185.105.204.28 | whitelisted
crt.usertrust.com | 91.199.212.52 | whitelisted
alert.hitmanpro.com | 23.97.160.56 | suspicious
updates.hitmanpro.com | 185.105.204.28 | suspicious
cloud.hitmanpro.com | 87.249.108.117 | whitelisted
www.google.com | 172.217.22.4 | whitelisted

Threats

PID | Process | Class | Message
3952 | hmpalert3.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)

Process | Message
hmpalert.exe | Service: starting
hmpalert.exe | Service: mode 1
hmpalert.exe | FalsePositiveManager: not initialized
hmpalert.exe | Antivirus: startup
hmpalert.exe | Antivirus: initialize
hmpalert.exe | Antivirus: creating C:\ProgramData\HitmanPro\localcache.db
hmpalert.exe | Antivirus: created (result 0)
hmpalert.exe | Antivirus: opening (result 0) C:\ProgramData\HitmanPro\localcache.db
hmpalert.exe | Antivirus: read 0 hashes from store
hmpalert.exe | Antivirus: opening (result 0) C:\ProgramData\HitmanPro\localcache.db