File name: | ANNEX- COURT ORDER REF 5764775888.rar |
Full analysis: | https://app.any.run/tasks/178de4d0-a51f-4079-8927-4bb38d1bd34b |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | April 15, 2019, 10:26:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 1FFA8F789C1F1F9ED9F436599787CCC4 |
SHA1: | 973DF97CA81942F7B536AF2D97F0C85BB1B7B696 |
SHA256: | F1F99145FD38536E0D972B99807B7EA38D11842366812E81E282FE64FD11D2FA |
SSDEEP: | 24576:Foy3CWJPFTvBh2RhcAxN9RP6kmD2dGcj43jiZNr8/ox0zOyM:FoyyCFTX2hc4TVZZj43ja8/oxuOyM |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2208 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ANNEX- COURT ORDER REF 5764775888.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1888 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2208.2989\ANNEX- COURT ORDER REF 5764775888.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2208.2989\ANNEX- COURT ORDER REF 5764775888.exe | — | WinRAR.exe |
User: admin Company: AppResolver Integrity Level: MEDIUM Description: CapabilityAccessHandlers Exit code: 0 Version: 832.468.447.124 | ||||
3736 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | ANNEX- COURT ORDER REF 5764775888.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
3400 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpBDBE.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
3776 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpE6F2.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2208 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2208.2989\ANNEX- COURT ORDER REF 5764775888.exe | executable | |
MD5:3F50EBE1D1F9F61C2C2159CF51B4FC41 | SHA256:96FC6A7C48BD453A7C01F5D521107D94CA18136BCBF90E2C482BBD2A8C0981AC | |||
3400 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmpBDBE.tmp | text | |
MD5:3E1E093DCCE32C716267A28292E0EE27 | SHA256:56285445424AD06DC043154819B5BDABAA7C26F5779CA3E37E08424ED9926CB8 | |||
3736 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904 | text | |
MD5:454353131947D1483FF5470107478978 | SHA256:2DF94DC1C58E952A1EBD1AE1185A291A8A573982CA90EC1BBB87B81126002668 | |||
3776 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmpE6F2.tmp | text | |
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048 | SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3736 | RegAsm.exe | POST | 200 | 192.254.186.126:80 | http://redafire.ml/testmefornow/Panel/Panel/api | US | text | 2 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3736 | RegAsm.exe | 192.254.186.126:80 | redafire.ml | Unified Layer | US | suspicious |
Domain | IP | Reputation |
---|---|---|
redafire.ml |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ml Domain |
3736 | RegAsm.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.ml Domain |
3736 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blaknight/HawkEye Win32.Backdoor.bc Check-in |