
Analysis Report BrowsingHistoryView.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 126932
Start date: 28.04.2019
Start time: 18:53:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: BrowsingHistoryView.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal52.spyw.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 94
  • Number of non-executed functions: 149
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe

Detection

Strategy: Threshold
Score: 52
Range: 0 - 100
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Windows Remote Management; Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Process Injection 1; Accessibility Features
Defense Evasion: Process Injection 1; Obfuscated Files or Information 2
Credential Access: Credential Dumping; Network Sniffing
Discovery: Process Discovery 2; System Information Discovery 4
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System 1; Clipboard Data 1
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Standard Cryptographic Protocol 1; Fallback Channels

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: BrowsingHistoryView.exe | virustotal: Detection: 12%

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_004098C4 FindFirstFileW,FindNextFileW,0_2_004098C4
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_004098C4 FindFirstFileW,FindNextFileW,0_1_004098C4

Networking:

Urls found in memory or binary data
Source: BrowsingHistoryView.exe | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: BrowsingHistoryView.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: BrowsingHistoryView.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: BrowsingHistoryView.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: BrowsingHistoryView.exe | String found in binary or memory: http://www.nirsoft.net/
Source: BrowsingHistoryView.exe, 00000000.00000002.6158037759.0000000000197000.00000004.sdmp | String found in binary or memory: http://www.nirsoft.net46
Source: BrowsingHistoryView.exe, 00000000.00000002.6162528927.00000000025B7000.00000004.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: BrowsingHistoryView.exe, 00000000.00000002.6162528927.00000000025B7000.00000004.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/strun/Be9

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_0040F0E8 OpenClipboard,0_2_0040F0E8

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00409ED0 NtQuerySystemInformation,NtQuerySystemInformation,0_2_00409ED0
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00409F44 memset,CreateFileW,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,CloseHandle,0_2_00409F44
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_00409ED0 NtQuerySystemInformation,0_1_00409ED0
Detected potential crypto function
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00432671 0_2_00432671
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00415063 0_2_00415063
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_0043F014 0_2_0043F014
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_0043A3EF 0_2_0043A3EF
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_0043D76D 0_2_0043D76D
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_004217C9 0_2_004217C9
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_004079B6 0_2_004079B6
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00413ACB 0_2_00413ACB
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_0043BC0D 0_2_0043BC0D
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_0043AF50 0_2_0043AF50
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_00432671 0_1_00432671
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_00415063 0_1_00415063
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_0043F014 0_1_0043F014
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_0043A3EF 0_1_0043A3EF
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_0043D76D 0_1_0043D76D
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_004217C9 0_1_004217C9
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_004079B6 0_1_004079B6
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_00413ACB 0_1_00413ACB
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_0043BC0D 0_1_0043BC0D
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_0043AF50 0_1_0043AF50
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: String function: 004087A3 appears 48 times
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: String function: 004145EC appears 36 times
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: String function: 00445240 appears 50 times
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: String function: 00423B2E appears 86 times
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: String function: 00444B8A appears 34 times
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: String function: 00414A64 appears 156 times
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: String function: 00414723 appears 56 times
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: String function: 00415D16 appears 40 times
PE file contains strange resources
Source: BrowsingHistoryView.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BrowsingHistoryView.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BrowsingHistoryView.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BrowsingHistoryView.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BrowsingHistoryView.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BrowsingHistoryView.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BrowsingHistoryView.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BrowsingHistoryView.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BrowsingHistoryView.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BrowsingHistoryView.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BrowsingHistoryView.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: BrowsingHistoryView.exe | Binary or memory string: OriginalFileName vs BrowsingHistoryView.exe
Source: BrowsingHistoryView.exe, 00000000.00000000.4919506235.0000000000446000.00000002.sdmp | Binary or memory string: )CREATE TABLE BINARYAUTOINCREMENT not allowed on WITHOUT ROWID tablesPRIMARY KEY missing on table %stableTABLECREATE %s %.*sUPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%dtbl_name='%q' AND type!='trigger'sqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'sqlite_stattable %s may not be droppedtblforeign key on %s should reference only one column of table %Tnumber of columns in foreign key does not match the number of columns in the referenced tableunknown column "%s" in foreign key definitionindexcannot create a TEMP index on non-TEMP table "%s"altertab_table %s may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dtable %s has no column named %sconflicting ON CONFLICT clauses specified UNIQUECREATE%s INDEX %.*sINSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'no such index: %Sindex associated with UNIQUE or PRIMARY KEY constraint cannot be droppedDELETE FROM %Q.%
Source: BrowsingHistoryView.exe, 00000000.00000002.6186558926.0000000004720000.00000002.sdmp | Binary or memory string: OriginalFilenameuser32j% vs BrowsingHistoryView.exe
Source: BrowsingHistoryView.exe, 00000000.00000002.6186604645.0000000004730000.00000002.sdmp | Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs BrowsingHistoryView.exe
Source: BrowsingHistoryView.exe | Binary or memory string: )CREATE TABLE BINARYAUTOINCREMENT not allowed on WITHOUT ROWID tablesPRIMARY KEY missing on table %stableTABLECREATE %s %.*sUPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%dtbl_name='%q' AND type!='trigger'sqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'sqlite_stattable %s may not be droppedtblforeign key on %s should reference only one column of table %Tnumber of columns in foreign key does not match the number of columns in the referenced tableunknown column "%s" in foreign key definitionindexcannot create a TEMP index on non-TEMP table "%s"altertab_table %s may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dtable %s has no column named %sconflicting ON CONFLICT clauses specified UNIQUECREATE%s INDEX %.*sINSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'no such index: %Sindex associated with UNIQUE or PRIMARY KEY constraint cannot be droppedDELETE FROM %Q.%
Tries to load missing DLLs
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Section loaded: wow64log.dll
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: BrowsingHistoryView.exe | Binary string: i@1j@dk@c1Anetmsg.dllUnknown Error\Error %d: %seditkernel32.dll...open %2.2X %s (%s)%2.2d-%2.2d-%4.4d %2.2d:%2.2d:%2.2dSystemTimeToTzSpecificLocalTimeTzSpecificLocalTimeToSystemTime\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%d*URL index.datdllhost.exetaskhost.exetaskhostex.exetaskhostw.exeC:\bhvContainersContainerIdNameContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:captionmenu_%ddialog_%dstringsgeneralsysdatetimepick32rtlcharsetTranslatorNameTranslatorURLVersion0RTL_lng.ini""
Classification label
Source: classification engine | Classification label: mal52.spyw.winEXE@1/0@0/0
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_0041133B CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,0_2_0041133B
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_004443FF CoCreateInstance,0_2_004443FF
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_004127EE FindResourceW,SizeofResource,LoadResource,LockResource,0_2_004127EE
Creates files inside the user directory
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\places.sqlite-wal
PE file has an executable .text section and no other executable section
Source: BrowsingHistoryView.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Queries a list of all open handles
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | System information queried: HandleInformation
Reads ini files
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: BrowsingHistoryView.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Sample is known by Antivirus
Source: BrowsingHistoryView.exe | virustotal: Detection: 12%
Sample might require command line arguments (.Net)
Source: BrowsingHistoryView.exe | String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Tries to open an application configuration file (.cfg)
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | File opened: C:\Users\user\Desktop\BrowsingHistoryView.cfg
Executable creates window controls seldom found in malware
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Window found: window name: msctls_updown32
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Window detected: Number of UI elements: 34
PE file contains a mix of resources often seen in goodware
Source: BrowsingHistoryView.exe | Static PE information: section name: RT_CURSOR
Source: BrowsingHistoryView.exe | Static PE information: section name: RT_BITMAP
Source: BrowsingHistoryView.exe | Static PE information: section name: RT_ICON
Source: BrowsingHistoryView.exe | Static PE information: section name: RT_MENU
Source: BrowsingHistoryView.exe | Static PE information: section name: RT_DIALOG
Source: BrowsingHistoryView.exe | Static PE information: section name: RT_STRING
Source: BrowsingHistoryView.exe | Static PE information: section name: RT_ACCELERATOR
Source: BrowsingHistoryView.exe | Static PE information: section name: RT_GROUP_ICON
PE file contains a debug data directory
Source: BrowsingHistoryView.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: c:\Projects\VS2005\BrowsingHistoryView\Release\BrowsingHistoryView.pdb | source: BrowsingHistoryView.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_0041153E LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0041153E
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00445240 push eax; ret 0_2_00445254
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00445240 push eax; ret 0_2_0044527C
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00444EA1 push ecx; ret 0_2_00444EB1
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_00445240 push eax; ret 0_1_00445254
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_00445240 push eax; ret 0_1_0044527C
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_00444EA1 push ecx; ret 0_1_00444EB1

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (date check)
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-35776
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 03h and CTI: jne 00403A46h 0_2_00403A04
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 02h and CTI: jne 00403A59h 0_2_00403A04
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 04h and CTI: jne 00403A82h 0_2_00403A04
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 05h and CTI: jne 00403A97h 0_2_00403A04
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 03h and CTI: jne 00403A46h 0_1_00403A04
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 02h and CTI: jne 00403A59h 0_1_00403A04
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 04h and CTI: jne 00403A82h 0_1_00403A04
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 05h and CTI: jne 00403A97h 0_1_00403A04
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_004098C4 FindFirstFileW,FindNextFileW,0_2_004098C4
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_1_004098C4 FindFirstFileW,FindNextFileW,0_1_004098C4
Contains functionality to query system information
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_00417D72 memset,GetSystemInfo,0_2_00417D72
Queries a list of all running processes
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_0041153E LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0041153E

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: BrowsingHistoryView.exe, 00000000.00000002.6160611077.0000000000C90000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: BrowsingHistoryView.exe, 00000000.00000002.6160611077.0000000000C90000.00000002.sdmp | Binary or memory string: Progman
Source: BrowsingHistoryView.exe, 00000000.00000002.6160611077.0000000000C90000.00000002.sdmp | Binary or memory string: Program ManagerUR

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_0040264F GetSystemTimeAsFileTime,0_2_0040264F
Contains functionality to query windows version
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | Code function: 0_2_0040876E GetVersionExW,0_2_0040876E

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\places.sqlite-wal
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\places.sqlite-shm
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\places.sqlite
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\BrowsingHistoryView.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
[Behavior graph image not included in this text extract. Recoverable information: Behavior Graph ID: 126932; Sample: BrowsingHistoryView.exe; Startdate: 28/04/2019; Architecture: WINDOWS; Score: 52. Process node: BrowsingHistoryView.exe (started). Signature nodes: "Multi AV Scanner detection for submitted file"; "Tries to harvest and steal browser information (history, passwords, etc)".]

Simulations

Behavior and APIs

Time | Type | Description
18:54:48 | API Interceptor | 3x Sleep call for process: BrowsingHistoryView.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
BrowsingHistoryView.exe | 12% | virustotal |
BrowsingHistoryView.exe | 8% | metadefender |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.nirsoft.net46 | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context
