URL: | http://23.249.161.100/ace/vpn.exe |
Full analysis: | https://app.any.run/tasks/3170c012-eeab-4965-8cc7-0a7a99f2444c |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | January 22, 2019, 17:18:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | A979FB8AF3242E734EAE6CB0A3165689 |
SHA1: | E6D8B7DAFC1437DDFE007837E4BCBCD4F6E8CE49 |
SHA256: | E35490283F725D22CC22F25C2381FDB8355B672EEED3913682FECEDF812A1A24 |
SSDEEP: | 3:N1KbEMgYWJn:CIMgYUn |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2952 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3216 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
4068 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\vpn[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\vpn[1].exe | iexplore.exe | |
User: admin Integrity Level: MEDIUM Description: 0b0d878f-60f7-41a1-a103-11e782de08e Exit code: 0 Version: 1.0.0.0 | ||||
3880 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | vpn[1].exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
3584 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp9B95.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
2604 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpC508.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2952 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF3F4A459B7C78BBA8.TMP | — | |
MD5:— | SHA256:— | |||
4068 | vpn[1].exe | C:\Users\admin\filename.exe\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2952 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFBE0A9CEAA201AE7B.TMP | — | |
MD5:— | SHA256:— | |||
2952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D4060C1D-1E69-11E9-BAD8-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
3216 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log | text | |
MD5:5D1750EE2BD2B61B7BAD4DF6CDB60851 | SHA256:FA1E6D19DB7B0FA11B81E98B5D1C125E78AC2252F9096CC29E40B8ABDEE3CE18 | |||
4068 | vpn[1].exe | C:\Users\admin\filename.exe | executable | |
MD5:D5CE784C695297BFAC9425B9B17E7A7C | SHA256:434F4F55868FBA8D5E6D4B1904BE5E5C10A0AFC9A0C893CD99A06CF08B57BE97 | |||
2952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019012220190123\index.dat | dat | |
MD5:F2FC07A211FA2B02419435FD3EE7B615 | SHA256:E206560A27DC1CE3A421B487A3FE7F268238E4154F9839910BE661A11590C734 | |||
2952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\vpn[1].exe | executable | |
MD5:D5CE784C695297BFAC9425B9B17E7A7C | SHA256:434F4F55868FBA8D5E6D4B1904BE5E5C10A0AFC9A0C893CD99A06CF08B57BE97 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3216 | iexplore.exe | GET | 200 | 23.249.161.100:80 | http://23.249.161.100/ace/vpn.exe | US | executable | 1.88 Mb | malicious |
3880 | RegAsm.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 11 b | shared |
2952 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3880 | RegAsm.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
2952 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3216 | iexplore.exe | 23.249.161.100:80 | — | ColoCrossing | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
bot.whatismyipaddress.com |
| shared |
hawkeye.sx |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3216 | iexplore.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3216 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3216 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3216 | iexplore.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3880 | RegAsm.exe | Misc activity | SUSPICIOUS [PTsecurity] External IP Request (HawkEye) |