
Analysis Report Att1.scr

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 210722
Start date: 25.02.2020
Start time: 08:28:05
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 18m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Att1.scr (renamed file extension from scr to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of newly started processes analysed: 25
Number of newly started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@21/6@4/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 29% (good quality ratio 27%)
  • Quality average: 78.1%
  • Quality standard deviation: 29.5%
HCA Information:
  • Successful, ratio: 91%
  • Number of executed functions: 344
  • Number of non-executed functions: 168
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, TiWorker.exe, wermgr.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe, svchost.exe, TrustedInstaller.exe
  • Excluded IPs from analysis (whitelisted): 205.185.216.42, 205.185.216.10, 8.248.131.254, 8.248.123.254, 8.248.113.254, 67.27.233.126, 8.253.95.120, 13.107.4.50, 93.184.221.240, 52.158.208.111, 8.253.207.121, 8.241.9.254, 8.253.204.249, 8.253.207.120, 67.27.235.126, 8.253.95.121, 8.241.9.126
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, wu.ec.azureedge.net, 2-01-3cf7-0009.cdx.cedexis.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, cds.d2s7q6s2.hwcdn.net, download.windowsupdate.com, Edge-Prod-FRA.env.au.au-msedge.net, wu.azureedge.net, afdap.au.au-msedge.net, au.au-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, au.c-0001.c-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net, elasticShed.au.au-msedge.net, watson.telemetry.microsoft.com, wu.wpc.apr-52dd2.edgecastdns.net
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Errors:
  • Sigma syntax error: One detector has no map or list, Rule: Stop Windows Service

Detection

Strategy: Threshold; Score: 100; Range: 0 - 100; Whitelisted: false; Threat: HawkEye; Detection: malicious

Confidence

Strategy: Threshold; Score: 5; Range: 0 - 5; Further analysis required?: false


Classification

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



MITRE ATT&CK Matrix

Techniques are listed per tactic column of the matrix; trailing digits are the per-technique signature counts shown in the matrix.

  • Initial Access: Replication Through Removable Media1, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Hardware Additions, Masquerade as Legitimate Application
  • Execution: Windows Management Instrumentation21, Scripting111, Execution through API11, Execution through Module Load1, Graphical User Interface1, Graphical User Interface, Scripting, Third-party Software, Rundll32, PowerShell, Execution through API, Regsvr32
  • Persistence: Registry Run Keys / Startup Folder1, Hidden Files and Directories1, Application Shimming1, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts, DLL Search Order Hijacking, Change Default File Association, File System Permissions Weakness, New Service
  • Privilege Escalation: Process Injection112, Application Shimming1, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task, Process Injection, Service Registry Permissions Weakness, Exploitation for Privilege Escalation, Valid Accounts, Bypass User Account Control
  • Defense Evasion: Software Packing31, Disabling Security Tools1, Deobfuscate/Decode Files or Information11, Scripting111, Obfuscated Files or Information31, Masquerading11, Hidden Files and Directories1, Virtualization/Sandbox Evasion14, Process Injection112, Scripting, Indicator Removal from Tools, Indicator Removal on Host
  • Credential Access: Credential Dumping1, Credentials in Files1, Input Capture11, Credentials in Registry2, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History, Input Prompt, Keychain, Private Keys, Securityd Memory
  • Discovery: System Time Discovery1, Peripheral Device Discovery1, Account Discovery1, Security Software Discovery261, File and Directory Discovery2, System Information Discovery29, Virtualization/Sandbox Evasion14, Process Discovery4, Application Window Discovery1, System Owner/User Discovery1, Remote System Discovery1, System Network Configuration Discovery1
  • Lateral Movement: Remote File Copy1, Replication Through Removable Media1, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol, Windows Admin Shares, Taint Shared Content, Replication Through Removable Media, Pass the Ticket
  • Collection: Data from Local System1, Email Collection1, Input Capture11, Clipboard Data1, Data Staged, Screen Capture, Email Collection, Clipboard Data, Automated Collection, Audio Capture, Video Capture, Man in the Browser
  • Exfiltration: Data Encrypted11, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium, Commonly Used Port, Standard Application Layer Protocol, Alternate Network Mediums
  • Command and Control: Uncommonly Used Port1, Commonly Used Port1, Remote File Copy1, Standard Cryptographic Protocol12, Remote Access Tools1, Standard Non-Application Layer Protocol2, Standard Application Layer Protocol13, Standard Application Layer Protocol, Multilayer Encryption, Connection Proxy, Communication Through Removable Media, Custom Command and Control Protocol
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Disk Structure Wipe, Disk Content Wipe

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\subfolder\filename.scr; Avira: detection malicious, Label: HEUR/AGEN.1045811
Antivirus detection for sample
Source: Att1.exe; Avira: detection malicious, Label: HEUR/AGEN.1045811
Found malware configuration
Source: filename.scr.1060.14.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Source: filename.scr.3300.4.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "", "ByHost: ": "smtp.mbjenterprise-th.com:587", "Password: ": "", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\subfolder\filename.scr; Virustotal: Detection: 81%
Source: C:\Users\user\subfolder\filename.scr; ReversingLabs TitaniumCloud: Detection: 83%
Multi AV Scanner detection for submitted file
Source: Att1.exe; Virustotal: Detection: 81%
Source: Att1.exe; ReversingLabs TitaniumCloud: Detection: 83%
Machine Learning detection for dropped file
Source: C:\Users\user\subfolder\filename.scr; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Att1.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 14.2.filename.scr.400000.1.unpack; Avira: Label: TR/Hijacker.A.31
Source: 14.2.filename.scr.400000.1.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 14.2.filename.scr.2c36000.3.unpack; Avira: Label: TR/Hijacker.A.31
Source: 14.2.filename.scr.2c36000.3.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.filename.scr.60000.0.unpack; Avira: Label: TR/Inject.vcoldi
Source: 11.2.filename.scr.60000.0.unpack; Avira: Label: TR/Inject.vcoldi
Source: 4.3.filename.scr.60000.0.unpack; Avira: Label: TR/Inject.vcoldi
Source: 11.3.filename.scr.60000.0.unpack; Avira: Label: TR/Inject.vcoldi
Source: 11.2.filename.scr.400000.2.unpack; Avira: Label: TR/Hijacker.A.31
Source: 11.2.filename.scr.400000.2.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.filename.scr.400000.2.unpack; Avira: Label: TR/Hijacker.A.31
Source: 4.2.filename.scr.400000.2.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 14.2.filename.scr.2450000.2.unpack; Avira: Label: TR/Inject.vcoldi
Source: 4.2.filename.scr.2bc6000.3.unpack; Avira: Label: TR/Hijacker.A.31
Source: 4.2.filename.scr.2bc6000.3.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 11.2.filename.scr.2b36000.3.unpack; Avira: Label: TR/Hijacker.A.31
Source: 11.2.filename.scr.2b36000.3.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 14.3.filename.scr.2450000.0.unpack; Avira: Label: TR/Inject.vcoldi

Spreading:

May infect USB drives
Source: filename.scr; Binary or memory string: autorun.inf
Source: filename.scr; Binary or memory string: [autorun]
Source: filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp; Binary or memory string: autorun.inf
Source: filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp; Binary or memory string: [autorun]
Source: filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp; Binary or memory string: autorun.inf
Source: filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp; Binary or memory string: [autorun]
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_02465B71)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_02468C01)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then call 02461B20h (4_2_0246850C)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_0246850C)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_02466711)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_02460728)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then mov esp, ebp (4_2_02464830)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_02466039)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_024614C0)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_02465CCE)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then call 02461B20h (4_2_024685F6)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_024685F6)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_02469AF1)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_024617F8)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_02469C87)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_0246938E)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_024692A4)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then jmp 02461A73h (4_2_024619A0)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then jmp 02461A73h (4_2_024619B0)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_024688BB)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then call 02461B20h (4_2_02467DB8)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (4_2_02467DB8)
Source: C:\Users\user\subfolder\filename.scr; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (11_2_007A0728)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.5:49784 -> 208.91.199.224:587
May check the online IP address of the machine
Source: unknown; DNS query: name: whatismyipaddress.com (10 identical queries)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.5:49784 -> 208.91.199.224:587
HTTP GET or POST without a user agent
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1; Host: whatismyipaddress.com; Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 104.16.154.36 (listed twice)
Uses SMTP (mail sending)
Source: global traffic; TCP traffic: 192.168.2.5:49784 -> 208.91.199.224:587
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1; Host: whatismyipaddress.com; Connection: Keep-Alive
Found strings which match to known social media urls
Source: filename.scr, 00000004.00000002.3786007992.0000000002BC6000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.2146654998.0000000000400000.00000040.00000001.sdmp, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: filename.scr, 00000004.00000002.3786007992.0000000002BC6000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.2146654998.0000000000400000.00000040.00000001.sdmp, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000006.00000003.2144966221.000000000210D000.00000004.00000001.sdmp; String found in binary or memory: file:///C:/Users/user/subfolder/filename.vbshttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000003.2144966221.000000000210D000.00000004.00000001.sdmp; String found in binary or memory: file:///C:/Users/user/subfolder/filename.vbshttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: filename.scr, vbc.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: 246.229.1.0.in-addr.arpa
Urls found in memory or binary data
Source: filename.scr, 00000004.00000002.3786007992.0000000002BC6000.00000004.00000001.sdmp, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: filename.scr, 0000000B.00000002.2182959811.000000001EE90000.00000004.00000001.sdmp, filename.scr, 0000000E.00000002.2207244393.000000001EF30000.00000004.00000001.sdmp; String found in binary or memory: http://foo.com/fooT
Source: filename.scr, 00000004.00000002.3786007992.0000000002BC6000.00000004.00000001.sdmp, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: filename.scr, 00000004.00000002.3786971565.000000001F030000.00000004.00000001.sdmp; String found in binary or memory: http://whatismyipaddress.com
Source: filename.scr; String found in binary or memory: http://whatismyipaddress.com/
Source: filename.scr, 00000004.00000002.3786007992.0000000002BC6000.00000004.00000001.sdmp, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp; String found in binary or memory: http://whatismyipaddress.com/-
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp; String found in binary or memory: http://www.nirsoft.net/
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: filename.scr, 00000004.00000002.3786971565.000000001F030000.00000004.00000001.sdmp; String found in binary or memory: http://www.site.com/logs.php
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: filename.scr, 00000004.00000002.3790275365.00000000216E6000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: filename.scr, vbc.exe; String found in binary or memory: https://login.yahoo.com/config/login
Source: filename.scr, 00000004.00000002.3786971565.000000001F030000.00000004.00000001.sdmp; String found in binary or memory: https://whatismyipaddress.com
Source: filename.scr, 00000004.00000002.3786971565.000000001F030000.00000004.00000001.sdmp; String found in binary or memory: https://whatismyipaddress.com/
Source: filename.scr, vbc.exe; String found in binary or memory: https://www.google.com/accounts/servicelogin
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49782

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 11.2.filename.scr.400000.2.unpack, Form1.cs; .Net Code: HookKeyboard
Source: 14.2.filename.scr.400000.1.unpack, Form1.cs; .Net Code: HookKeyboard
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 5_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA
Creates a DirectInput object (often for capturing keystrokes)
Source: Att1.exe, 00000000.00000002.2084455431.00000000008D0000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3786007992.0000000002BC6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.3786007992.0000000002BC6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3788911460.0000000020030000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.3788911460.0000000020030000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000003.2202358310.0000000002450000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.2202358310.0000000002450000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3782590319.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.3782590319.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3781903446.0000000000060000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.3781903446.0000000000060000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2183111592.000000001FE90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.2183111592.000000001FE90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2178888189.0000000000060000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.2178888189.0000000000060000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2181993869.0000000002B36000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.2181993869.0000000002B36000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3784221716.0000000002388000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.3784221716.0000000002388000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000003.2175366202.0000000000060000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.2175366202.0000000000060000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2207403663.000000001FF30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.2207403663.000000001FF30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2204156967.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.2204156967.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2205190837.0000000002450000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.2205190837.0000000002450000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000003.2116852246.0000000000060000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000003.2116852246.0000000000060000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3786971565.000000001F030000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 4.3.filename.scr.60000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.3.filename.scr.60000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 4.2.filename.scr.60000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.filename.scr.60000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 14.2.filename.scr.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.filename.scr.400000.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 11.2.filename.scr.60000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.filename.scr.60000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 4.3.filename.scr.60000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.3.filename.scr.60000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 11.3.filename.scr.60000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.3.filename.scr.60000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 11.2.filename.scr.2b36000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.filename.scr.2b36000.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 14.2.filename.scr.2450000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.filename.scr.2450000.2.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 14.2.filename.scr.2c36000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.filename.scr.2c36000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 4.2.filename.scr.400000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.filename.scr.400000.2.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 14.2.filename.scr.2c36000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.filename.scr.2c36000.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 11.2.filename.scr.400000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.filename.scr.400000.2.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 14.3.filename.scr.2450000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.filename.scr.2450000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.filename.scr.60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.filename.scr.60000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.3.filename.scr.60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.3.filename.scr.60000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.filename.scr.2bc6000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.filename.scr.2bc6000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.filename.scr.2bc6000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.filename.scr.2bc6000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 14.3.filename.scr.2450000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.filename.scr.2450000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.filename.scr.2b36000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.filename.scr.2b36000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.filename.scr.2450000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.filename.scr.2450000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.filename.scr.60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.filename.scr.60000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Potential malicious VBS script found (suspicious strings)
Source: C:\Users\user\Desktop\Att1.exe | Dropped file: Set Wsh32 = CreateObject("WScript.Shell")
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02375FF2 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02376066 NtProtectVirtualMemory
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B95FF2 NtProtectVirtualMemory
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B96066 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
Source: C:\Users\user\subfolder\filename.scr | Code function: 8_2_008D5FF2 NtProtectVirtualMemory
Source: C:\Users\user\subfolder\filename.scr | Code function: 8_2_008D6066 NtProtectVirtualMemory
Source: C:\Users\user\subfolder\filename.scr | Code function: 13_2_02245FF2 NtProtectVirtualMemory
Source: C:\Users\user\subfolder\filename.scr | Code function: 13_2_02246066 NtProtectVirtualMemory
Detected potential crypto function
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000F649F
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000FD1F0
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000FD69E
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000F66CE
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_00100BF8
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_0040D426
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_0040D523
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_0041D5AE
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_00417646
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_004429BE
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_00446AF4
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_0046ABFC
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_00463C4D
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_00463CBE
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_0040ED03
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_00463D2F
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_00463DC0
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_0040CF92
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_0041AFA6
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_02466048
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_02465758
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_02467A60
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_02467094
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_02467098
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_02461D98
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_02467DB8
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_0043C7BC
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_02461DA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00411F99
Source: C:\Users\user\subfolder\filename.scr | Code function: 11_2_000F649F
Source: C:\Users\user\subfolder\filename.scr | Code function: 11_2_000FD1F0
Source: C:\Users\user\subfolder\filename.scr | Code function: 11_2_000FD69E
Source: C:\Users\user\subfolder\filename.scr | Code function: 11_2_000F66CE
Source: C:\Users\user\subfolder\filename.scr | Code function: 11_2_00100BF8
Source: C:\Users\user\subfolder\filename.scr | Code function: 14_2_0006D1F0
Source: C:\Users\user\subfolder\filename.scr | Code function: 14_2_00070BF8
Source: C:\Users\user\subfolder\filename.scr | Code function: 14_2_0006649F
Source: C:\Users\user\subfolder\filename.scr | Code function: 14_2_0006D69E
Source: C:\Users\user\subfolder\filename.scr | Code function: 14_2_000666CE
Source: C:\Users\user\subfolder\filename.scr | Code function: 14_2_001490FF
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\subfolder\filename.scr | Code function: String function: 000FA9AB appears 36 times
Source: C:\Users\user\subfolder\filename.scr | Code function: String function: 000F23F0 appears 62 times
Source: C:\Users\user\subfolder\filename.scr | Code function: String function: 0044BA9D appears 35 times
Source: C:\Users\user\subfolder\filename.scr | Code function: String function: 000623F0 appears 31 times
PE file contains strange resources
Source: Att1.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename.scr.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Att1.exe, 00000000.00000000.2064829681.00000000005EB000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTRuciolato.exe vs Att1.exe
Source: Att1.exe, 00000000.00000002.2084837571.0000000002440000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Att1.exe
Source: Att1.exe, 00000000.00000002.2084837571.0000000002440000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Att1.exe
Source: Att1.exe, 00000000.00000002.2086088732.0000000002EB0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Att1.exe
Source: Att1.exe, 00000000.00000002.2084441028.00000000008C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Att1.exe
Source: Att1.exe | Binary or memory string: OriginalFilenameTRuciolato.exe vs Att1.exe
Yara signature match
Source: 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3786007992.0000000002BC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.3786007992.0000000002BC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3788911460.0000000020030000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.3788911460.0000000020030000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000003.2202358310.0000000002450000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000003.2202358310.0000000002450000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3782590319.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.3782590319.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3781903446.0000000000060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.3781903446.0000000000060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2183111592.000000001FE90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.2183111592.000000001FE90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2178888189.0000000000060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.2178888189.0000000000060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2181993869.0000000002B36000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.2181993869.0000000002B36000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3784221716.0000000002388000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.3784221716.0000000002388000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000003.2175366202.0000000000060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000003.2175366202.0000000000060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2207403663.000000001FF30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.2207403663.000000001FF30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2204156967.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.2204156967.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2205190837.0000000002450000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.2205190837.0000000002450000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.2116852246.0000000000060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000003.2116852246.0000000000060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3786971565.000000001F030000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.3.filename.scr.60000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.3.filename.scr.60000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.filename.scr.60000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.filename.scr.60000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.filename.scr.400000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.filename.scr.400000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.filename.scr.60000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.filename.scr.60000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.3.filename.scr.60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.3.filename.scr.60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.3.filename.scr.60000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.3.filename.scr.60000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.filename.scr.2b36000.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.filename.scr.2b36000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.filename.scr.2450000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.filename.scr.2450000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.filename.scr.2c36000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.filename.scr.2c36000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.filename.scr.400000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.filename.scr.400000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.filename.scr.2c36000.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.filename.scr.2c36000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.filename.scr.400000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.filename.scr.400000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.3.filename.scr.2450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.3.filename.scr.2450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.filename.scr.60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.filename.scr.60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.3.filename.scr.60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.3.filename.scr.60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.filename.scr.2bc6000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.filename.scr.2bc6000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.filename.scr.2bc6000.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.filename.scr.2bc6000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.3.filename.scr.2450000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.3.filename.scr.2450000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.filename.scr.2b36000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.filename.scr.2b36000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.filename.scr.2450000.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.filename.scr.2450000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.filename.scr.60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.filename.scr.60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
.NET source code contains calls to encryption/decryption functions
Source: 11.2.filename.scr.400000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 11.2.filename.scr.400000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.filename.scr.400000.1.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 14.2.filename.scr.400000.1.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
.NET source code contains long base64-encoded strings
Source: 11.2.filename.scr.400000.2.unpack, Form1.cs | Base64 encoded string: 'Vd+Drjg7HN8ytI5bKJoGxUqBDDQFHuZMWMlPNS6YOmNX70ggc9RJemI0f/8dwtJc', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 14.2.filename.scr.400000.1.unpack, Form1.cs | Base64 encoded string: 'Vd+Drjg7HN8ytI5bKJoGxUqBDDQFHuZMWMlPNS6YOmNX70ggc9RJemI0f/8dwtJc', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Classification label
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@21/6@4/3
Contains functionality for error logging
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free | 6_2_00415AFD
Contains functionality to check free disk space
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free | 6_2_00415F87
Contains functionality to enum processes or threads
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification | 6_2_00411196
Contains functionality to load and extract PE file embedded resources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource | 5_2_0040ED0B
Creates files inside the user directory
Source: C:\Users\user\Desktop\Att1.exe | File created: C:\Users\user\subfolder
Creates mutexes
Source: C:\Users\user\subfolder\filename.scr | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Creates temporary files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\holdermail.txt
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\subfolder\filename.vbs'
PE file has an executable .text section and no other executable section
Source: Att1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using VB runtime library 6.0 (Probably coded in Visual Basic)
Source: C:\Users\user\Desktop\Att1.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder\filename.scr | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Parts of this application are using the .NET runtime (Probably coded in C#)
Source: C:\Users\user\subfolder\filename.scr | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\subfolder\filename.scr | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\subfolder\filename.scr | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries a list of all open handles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\subfolder\filename.scr | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\Att1.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\Att1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\subfolder\filename.scr | File read: C:\Windows\System32\drivers\etc\hosts
SQL strings found in memory and binary data
Source: filename.scr, vbc.exe, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: filename.scr, vbc.exe, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: filename.scr, 00000004.00000002.3786007992.0000000002BC6000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.2146654998.0000000000400000.00000040.00000001.sdmp, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: filename.scr, vbc.exe, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: filename.scr, vbc.exe, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: filename.scr, vbc.exe, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: filename.scr, vbc.exe, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Sample is known by Antivirus
Source: Att1.exe | Virustotal: Detection: 81%
Source: Att1.exe | ReversingLabs TitaniumCloud: Detection: 83%
Sample reads its own file content
Source: C:\Users\user\Desktop\Att1.exe | File read: C:\Users\user\Desktop\Att1.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Att1.exe 'C:\Users\user\Desktop\Att1.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\subfolder\filename.vbs'
Source: unknown | Process created: C:\Users\user\subfolder\filename.scr 'C:\Users\user\subfolder\filename.scr' /S
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\subfolder\filename.vbs' -BN
Source: unknown | Process created: C:\Users\user\subfolder\filename.scr C:\Users\user\subfolder\filename.scr
Source: C:\Users\user\Desktop\Att1.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\subfolder\filename.vbs'
Source: C:\Users\user\Desktop\Att1.exe | Process created: C:\Users\user\subfolder\filename.scr 'C:\Users\user\subfolder\filename.scr' /S
Source: C:\Users\user\subfolder\filename.scr | Process created: C:\Users\user\subfolder\filename.scr 'C:\Users\user\subfolder\filename.scr' /S
Source: C:\Users\user\subfolder\filename.scr | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\subfolder\filename.scr | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\subfolder\filename.scr C:\Users\user\subfolder\filename.scr
Source: C:\Users\user\subfolder\filename.scr | Process created: C:\Users\user\subfolder\filename.scr C:\Users\user\subfolder\filename.scr
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\Att1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\subfolder\filename.scr | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
PE file has a big code size
Source: Att1.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Submission file is bigger than most known malware samples
Source: Att1.exe | Static file information: File size 2039808 > 1048576
Uses new MSVCR Dlls
Source: C:\Users\user\subfolder\filename.scr | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
PE file has a big raw section
Source: Att1.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1e8000
Binary contains paths to debug symbols
Source: Binary string: rC:\Windows\System.Runtime.Remoting.pdb source: filename.scr, 00000004.00000002.3793385111.00000000244AB000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdbQ source: filename.scr, 00000004.00000002.3783797525.000000000091B000.00000004.00000020.sdmp
Source: Binary string: .pdbJ$ source: filename.scr, 00000004.00000002.3793385111.00000000244AB000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb[ source: filename.scr, 00000004.00000002.3783797525.000000000091B000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb_ source: filename.scr, 00000004.00000002.3782233701.0000000000130000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Runtime.Remoting.pdb source: filename.scr, 00000004.00000002.3782233701.0000000000130000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: filename.scr, 00000004.00000002.3793385111.00000000244AB000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: filename.scr, 00000004.00000002.3783797525.000000000091B000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: filename.scr, 00000004.00000002.3782233701.0000000000130000.00000004.00000040.sdmp
Source: Binary string: System.Runtime.Remoting.pdbmoting.pdbpdbing.pdbg\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb: source: filename.scr, 00000004.00000002.3793385111.00000000244AB000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0| source: filename.scr, 00000004.00000002.3782233701.0000000000130000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: filename.scr, 00000004.00000002.3783797525.000000000091B000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: filename.scr, 00000004.00000002.3782233701.0000000000130000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: filename.scr, vbc.exe, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: filename.scr, 00000004.00000002.3793385111.00000000244AB000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: filename.scr, 00000004.00000002.3783797525.000000000091B000.00000004.00000020.sdmp
Source: Binary string: System.pdb source: filename.scr, 00000004.00000002.3782233701.0000000000130000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: filename.scr, 00000004.00000002.3789724726.00000000213D0000.00000002.00000001.sdmp
Source: Binary string: \??\C:\Windows\System.Runtime.Remoting.pdb source: filename.scr, 00000004.00000002.3783797525.000000000091B000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: filename.scr, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: filename.scr, vbc.exe, filename.scr, 0000000B.00000002.2179359933.0000000000402000.00000040.00000001.sdmp, filename.scr, 0000000E.00000002.2206402422.0000000002C36000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb H source: filename.scr, 00000004.00000002.3793385111.00000000244AB000.00000004.00000001.sdmp
Source: Binary string: em.Runtime.Remoting.pdb source: filename.scr, 00000004.00000002.3782233701.0000000000130000.00000004.00000040.sdmp
Source: Binary string: indows\System.Runtime.Remoting.pdbpdbing.pdb source: filename.scr, 00000004.00000002.3782233701.0000000000130000.00000004.00000040.sdmp
Source: Binary string: symbols\dll\System.Runtime.Remoting.pdbyI source: filename.scr, 00000004.00000002.3793385111.00000000244AB000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\System.pdbm source: filename.scr, 00000004.00000002.3783644360.00000000008BB000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbe source: filename.scr, 00000004.00000002.3783797525.000000000091B000.00000004.00000020.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\subfolder\filename.scr | Unpacked PE file: 4.2.filename.scr.400000.2.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\subfolder\filename.scr | Unpacked PE file: 11.2.filename.scr.400000.2.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\subfolder\filename.scr | Unpacked PE file: 14.2.filename.scr.400000.1.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\subfolder\filename.scr | Unpacked PE file: 4.2.filename.scr.400000.2.unpack
Source: C:\Users\user\subfolder\filename.scr | Unpacked PE file: 11.2.filename.scr.400000.2.unpack
Source: C:\Users\user\subfolder\filename.scr | Unpacked PE file: 14.2.filename.scr.400000.1.unpack
.NET source code contains potential unpacker
Source: 11.2.filename.scr.400000.2.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.filename.scr.400000.2.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.filename.scr.400000.2.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.filename.scr.400000.2.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.filename.scr.400000.1.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.filename.scr.400000.1.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.filename.scr.400000.1.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.filename.scr.400000.1.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00403C3D LoadLibraryA,GetProcAddress,strcpy | 5_2_00403C3D
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_00411048 push ecx; retf | 0_2_0041104A
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_0040EE4E push ebx; retf | 0_2_0040EE4F
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_00410256 pushad ; iretd | 0_2_00410257
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_00414070 pushfd ; ret | 0_2_00414071
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_004110FC push ecx; retf | 0_2_004110FE
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_0237424A push FFFFFFB9h; retf | 0_2_02374253
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02375AE5 pushfd ; retn 001Ch | 0_2_02375AFD
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02374322 push FFFFFFB9h; retf | 0_2_0237436A
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02374322 push FFFFFFB9h; retf | 0_2_0237438E
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02374361 push FFFFFFB9h; retf | 0_2_0237436A
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02374382 push FFFFFFB9h; retf | 0_2_0237438E
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_0237403E push FFFFFFB9h; retf | 0_2_02374047
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_0237405F push FFFFFFB9h; retf | 0_2_0237406B
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02374165 push FFFFFFB9h; retf | 0_2_02374171
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02374144 push FFFFFFB9h; retf | 0_2_0237414D
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02374674 push FFFFFFB9h; retf | 0_2_0237467D
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02374695 push FFFFFFB9h; retf | 0_2_023746A1
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_0237446C push FFFFFFB9h; retf | 0_2_02374475
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_0237A4A4 push ebx; ret | 0_2_0237A4AE
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_0237448D push FFFFFFB9h; retf | 0_2_02374499
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_0237457D push FFFFFFB9h; retf | 0_2_02374586
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02374546 push FFFFFFB9h; retf | 0_2_023745AA
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B95AE5 pushfd ; retn 001Ch | 3_2_02B95AFD
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B9424A push FFFFFFB9h; retf | 3_2_02B94253
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B94382 push FFFFFFB9h; retf | 3_2_02B9438E
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B94322 push FFFFFFB9h; retf | 3_2_02B9436A
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B94322 push FFFFFFB9h; retf | 3_2_02B9438E
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B94361 push FFFFFFB9h; retf | 3_2_02B9436A
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B9403E push FFFFFFB9h; retf | 3_2_02B94047
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B9405F push FFFFFFB9h; retf | 3_2_02B9406B
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B94165 push FFFFFFB9h; retf | 3_2_02B94171

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\Att1.exe | File created: C:\Users\user\subfolder\filename.scr
Drops PE files
Source: C:\Users\user\Desktop\Att1.exe | File created: C:\Users\user\subfolder\filename.scr

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Registry Key Name

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\subfolder\filename.scr | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 5_2_0040F64B
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Att1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scr | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder\filename.scrProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_00177E51 sldt word ptr [eax]
Contains long sleeps (>= 3 min)
Source: C:\Users\user\subfolder\filename.scr | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\subfolder\filename.scr | Thread delayed: delay time: 180000
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\subfolder\filename.scr | Window / User API: threadDelayed 3374
Found large amount of non-executed APIs
Source: C:\Users\user\subfolder\filename.scr | API coverage: 4.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\subfolder\filename.scr TID: 1520 | Thread sleep count: 56 > 30
Source: C:\Users\user\subfolder\filename.scr TID: 2900 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3064 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 4440 | Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 1216 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -99906s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -99813s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -99563s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -99438s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -99344s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 3896 | Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 4196 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\subfolder\filename.scr TID: 692 | Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\subfolder\filename.scr | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\subfolder\filename.scr | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose
Contains functionality to query system information
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_004161B0 memset,GetSystemInfo
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: filename.scr, 00000004.00000002.3792518623.0000000023840000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Att1.exe | Binary or memory string: ~qKJIHGFsrutwv'
Source: filename.scr, 00000004.00000002.3792518623.0000000023840000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: filename.scr, 00000004.00000002.3792518623.0000000023840000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: filename.scr, 00000004.00000002.3783644360.00000000008BB000.00000004.00000020.sdmp, filename.scr, 0000000E.00000002.2204862808.0000000000873000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: filename.scr, 00000004.00000002.3792518623.0000000023840000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\subfolder\filename.scr | API call chain: ExitProcess graph end node graph_4-55696
Queries a list of all running processes
Source: C:\Users\user\subfolder\filename.scr | Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Att1.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\subfolder\filename.scr | Thread information set: HideFromDebugger
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_0237B34A LdrInitializeThunk
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000F1904 IsDebuggerPresent,OutputDebugStringW
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00403C3D LoadLibraryA,GetProcAddress,strcpy
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_0237AB02 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_0237AB58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02373F51 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02373FC1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Att1.exe | Code function: 0_2_02376580 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B93FC1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B93F51 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 3_2_02B96580 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000F146C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000F7900 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 8_2_008D6580 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 8_2_008D3FC1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 8_2_008D3F51 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 11_2_000F146C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 11_2_000F7900 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 13_2_02243F51 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 13_2_02243FC1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 13_2_02246580 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 14_2_0006146C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\subfolder\filename.scr | Code function: 14_2_00067900 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000FB288 GetProcessHeap
Enables debug privileges
Source: C:\Users\user\subfolder\filename.scr | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000F2584 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000F22B9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000F7330 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\subfolder\filename.scr | Code function: 11_2_000F2584 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\subfolder\filename.scr | Code function: 11_2_000F22B9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\subfolder\filename.scr | Code function: 11_2_000F7330 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\subfolder\filename.scr | Code function: 14_2_000622B9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\subfolder\filename.scr | Code function: 14_2_00067330 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\subfolder\filename.scr | Code function: 14_2_00062584 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\subfolder\filename.scr | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 11.2.filename.scr.400000.2.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.2.filename.scr.400000.2.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 14.2.filename.scr.400000.1.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 14.2.filename.scr.400000.1.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Sample uses process hollowing technique
Source: C:\Users\user\subfolder\filename.scr | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Att1.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\subfolder\filename.vbs'
Source: C:\Users\user\Desktop\Att1.exe | Process created: C:\Users\user\subfolder\filename.scr 'C:\Users\user\subfolder\filename.scr' /S
Source: C:\Users\user\subfolder\filename.scr | Process created: C:\Users\user\subfolder\filename.scr 'C:\Users\user\subfolder\filename.scr' /S
Source: C:\Users\user\subfolder\filename.scr | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\subfolder\filename.scr | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\subfolder\filename.scr C:\Users\user\subfolder\filename.scr
Source: C:\Users\user\subfolder\filename.scr | Process created: C:\Users\user\subfolder\filename.scr C:\Users\user\subfolder\filename.scr
May try to detect the Windows Explorer process (often used for injection)
Source: filename.scr, 00000004.00000002.3784070605.0000000000F30000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: filename.scr, 00000004.00000002.3784070605.0000000000F30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: filename.scr, 00000004.00000002.3784070605.0000000000F30000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: filename.scr, 00000004.00000002.3784070605.0000000000F30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000F210C cpuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\subfolder\filename.scr | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\subfolder\filename.scr | Code function: 4_2_000F244B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Contains functionality to quer