
Analysis Report SQ-DOC-78608244-20190005.7z.zip

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 214494
Start date: 11.03.2020
Start time: 04:25:53
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SQ-DOC-78608244-20190005.7z.zip
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winZIP@26/8@0/0
EGA Information:
  • Successful, ratio: 71.4%
HDC Information:
  • Successful, ratio: 97.1% (good quality ratio 94.3%)
  • Quality average: 85.8%
  • Quality standard deviation: 23%
HCA Information:
  • Successful, ratio: 73%
  • Number of executed functions: 374
  • Number of non-executed functions: 207
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .zip
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Execution Graph export aborted for target RegAsm.exe, PID 4304 because it is empty
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Timeout during Intezer genetic analysis for unpackpe/22.2.vbc.exe.400000.0.unpack

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | false | | HawkEye | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |

Classification Spiderchart

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 111 | Application Shimming 1 | Process Injection 212 | Software Packing 1 | Credential Dumping 1 | System Time Discovery 1 | Application Deployment Software | Data from Local System 1 | Data Encrypted 11 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Execution through API 11 | Port Monitors | Application Shimming 1 | Disabling Security Tools 1 | Credentials in Files 1 | Account Discovery 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Remote Access Tools 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Execution through Module Load 1 | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information 11 | Credentials in Registry 2 | Security Software Discovery 33 | Windows Remote Management | Clipboard Data 1 | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 3 | Credentials in Files | File and Directory Discovery 2 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Virtualization/Sandbox Evasion 13 | Account Manipulation | System Information Discovery 19 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Process Injection 212 | Brute Force | Virtualization/Sandbox Evasion 13 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | DLL Side-Loading 1 | Two-Factor Authentication Interception | Process Discovery 4 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | Application Window Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | System Owner/User Discovery 1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://a.pomf.cat/ | URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe | Avira: detection malicious, Label: TR/AD.Hawkexe.nsnlw
Found malware configuration
Source: vbc.exe.5040.16.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: http://pomf.cat/upload.php | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe | Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe | ReversingLabs: Detection: 42%
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_0040A1A7 FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_0040A1A7 FindFirstFileW,FindNextFileW

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 02C5055Fh (1_2_02C500A0)
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 0259055Fh (7_2_025900A0)

Networking:

Found strings which match to known social media urls
Source: RegAsm.exe, 0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.2200897651.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.2626756673.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegAsm.exe, 0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.2200897651.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.2626756673.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000010.00000003.2199857069.0000000002290000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.2626155609.00000000021B0000.00000004.00000001.sdmp | String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000010.00000003.2199857069.0000000002290000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.2626155609.00000000021B0000.00000004.00000001.sdmp | String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Urls found in memory or binary data
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php
Source: RegAsm.exe, 0000000F.00000002.2776920588.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: vbc.exe, 00000010.00000002.2200833750.0000000000192000.00000004.00000010.sdmp, vbc.exe, 00000016.00000002.2626688101.0000000000192000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe | String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe, 00000016.00000002.2627303033.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: https://go.microsoft.D
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2776920588.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4304, type: MEMORY
Source: Yara match | File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.2410105125.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 0000000F.00000002.2776920588.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 0000000F.00000002.2778589808.00000000016E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4304, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 15.2.RegAsm.exe.16e0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 15.2.RegAsm.exe.16e0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Binary is likely a compiled AutoIt script file
Source: 7za.exe, 00000008.00000003.2085398452.0000000002CF0000.00000004.00000001.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 7za.exe, 00000008.00000003.2085398452.0000000002CF0000.00000004.00000001.sdmp | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: SQ-DOC-78608244-20190005.pdf.exe, 0000000C.00000000.2089537643.000000000114E000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SQ-DOC-78608244-20190005.pdf.exe, 0000000C.00000000.2089537643.000000000114E000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: SQ-DOC-78608244-20190005.pdf.exe.8.dr | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SQ-DOC-78608244-20190005.pdf.exe.8.dr | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Detected potential crypto function
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 1_2_02C500A0
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 1_2_02C50090
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 7_2_025900A0
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 7_2_02590090
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D3968
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DA1E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D79B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D1C58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D74C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DD081
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D0C91
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D8B50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D4FE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D7E50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DD650
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DC638
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DDA14
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D2569
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D2578
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DC930
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D99E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D79C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DC9DF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D6980
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DD87B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D0828
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DD408
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DD418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DC8E1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D38F1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D38D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D60A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D60B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D74B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D3B68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D8B40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D3B58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D7F32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D1BFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D53C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D2FC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D43C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D3FD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DD7A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D53B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D2FB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D0784
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DD641
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056DCA40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D7E00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_004360CE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_0040509C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00405199
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_0043C2D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00440406
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_0040451D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_004045FF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_0040458E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00404690
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00414A51
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00404C08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00406C8E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00415DF3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00416E5C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00410FE4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_0040BF6B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_004360CE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_0040509C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00405199
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_0043C2D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00440406
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_0040451D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_004045FF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_0040458E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00404690
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00414A51
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00404C08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00406C8E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00415DF3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00416E5C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00410FE4
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00445190 appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416849 appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00444C5E appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0040924D appears 62 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00444C70 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00412084 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0042FF22 appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004166E8 appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416A91 appears 176 times
PE file contains strange resources
Source: SQ-DOC-78608244-20190005.pdf.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SQ-DOC-78608244-20190005.pdf.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SQ-DOC-78608244-20190005.pdf.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SQ-DOC-78608244-20190005.pdf.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SQ-DOC-78608244-20190005.pdf.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SQ-DOC-78608244-20190005.pdf.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Yara signature matchShow sources
Source: SQ-DOC-78608244-20190005.7z, type: SAMPLEMatched rule: SUSP_RAR_with_PDF_Script_Obfuscation date = 2019-04-06, hash1 = b629b46b009a1c2306178e289ad0a3d9689d4b45c3d16804599f23c90c6bca5b, author = Florian Roth, description = Detects RAR file with suspicious .pdf extension prefix to trick users, reference = Internal Research
Source: 00000011.00000002.2410105125.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.2776920588.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.2778589808.00000000016E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: RegAsm.exe PID: 4304, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme\SQ-DOC-78608244-20190005.7z, type: DROPPED | Matched rule: SUSP_RAR_with_PDF_Script_Obfuscation date = 2019-04-06, hash1 = b629b46b009a1c2306178e289ad0a3d9689d4b45c3d16804599f23c90c6bca5b, author = Florian Roth, description = Detects RAR file with suspicious .pdf extension prefix to trick users, reference = Internal Research
Source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 15.2.RegAsm.exe.16e0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 15.2.RegAsm.exe.16e0000.1.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Reading the rule hits: the two HawkEye rules (Florian Roth's generic one and the HawkEyev9 CAPE rule) match the main 0x400000 image unpacked from RegAsm.exe, which is the payload. The BabyShark/KimJongRAT rule matches only the unpacked vbc.exe image (process 17) and a secondary RegAsm.exe region, and the debug-symbol paths further down identify the vbc.exe payloads as NirSoft WebBrowserPassView and mailpv, off-the-shelf credential-recovery tools that HawkEye bundles. The APT rule should therefore be read as a hit on shared commodity components, not as attribution.
.NET source code contains calls to encryption/decryption functions
Source: 15.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.RegAsm.exe.400000.0.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
.NET source code contains many API calls related to security
Source: 15.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.RegAsm.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 15.2.RegAsm.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 15.2.RegAsm.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 15.2.RegAsm.exe.400000.0.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
The class names shown as u200d????, u200c????, u202d????, u206f???? and u206a???? are obfuscator-generated identifiers built from invisible Unicode format characters (zero-width joiner and non-joiner, left-to-right override, and two deprecated control characters) that the report cannot render; the prefix is the first code point of each name. The WindowsPrincipal::IsInRole check plus the SetAccessControl/AddAccessRule calls are the pattern of a stealer that tests for administrator rights and then rewrites ACLs on its own registry keys and install directory.
Classification label
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winZIP@26/8@0/0
Contains functionality for error logging
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_004183B8 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 16_2_004183B8
Contains functionality to check free disk space
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00418842 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 16_2_00418842
Contains functionality to enum processes or threads
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification, 16_2_00413C19
Contains functionality to load and extract PE file embedded resources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_004149B0 FindResourceW,SizeofResource,LoadResource,LockResource, 16_2_004149B0
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\99eddb1a-cb33-4045-a444-beedbae8f23b
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3068:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_01
The SM0:<pid>:120:WilError_01 mutants are created by conhost.exe for every console process and Global\.net clr networking by the CLR's networking stack, so neither is sample-specific. The only indicator here is the GUID-named mutant 99eddb1a-cb33-4045-a444-beedbae8f23b created by the RegAsm.exe host, a single-instance guard for the payload.
Creates temporary files
Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\jq15gcxe.on4
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
RegAsm.exe is itself a .NET Framework 2.0 tool, so loading mscorlib is expected for the host and says nothing on its own; the managed nature of the injected payload is shown by the decompiled .cs sources above.
Queries a list of all open handles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Queries processor information (via WMI, Win32_Processor)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Reads ini files
Source: C:\Windows\SysWOW64\cmd.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.2200897651.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.2626756673.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
These are not queries the stealer issues but SQLite's own internal statements (the VACUUM and ALTER TABLE RENAME implementations, with %Q/%s/%w format placeholders), i.e. the vbc.exe payloads statically embed the SQLite library. That fits the WebBrowserPassView symbol path below: browser credential stores (Firefox logins, Chrome Login Data) are SQLite databases, and the same memory region also appears in RegAsm.exe (process 15), which holds the payload the tools were extracted from.
Spawns processes
Source: unknown | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\SQ-DOC-78608244-20190005.7z.zip'
Source: unknown | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme' 'C:\Users\user\Desktop\SQ-DOC-78608244-20190005.7z.zip'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme\SQ-DOC-78608244-20190005.7z'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme\SQ-DOC-78608244-20190005.7z'
Source: unknown | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj' 'C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme\SQ-DOC-78608244-20190005.7z'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpAFDF.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpA26D.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9663.tmp'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme' 'C:\Users\user\Desktop\SQ-DOC-78608244-20190005.7z.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme\SQ-DOC-78608244-20190005.7z'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme\SQ-DOC-78608244-20190005.7z'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj' 'C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme\SQ-DOC-78608244-20190005.7z'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe
Source: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpAFDF.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpA26D.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9663.tmp'
Reading the chain: unarchiver.exe and 7za.exe (extracting with the password 'infected') are the sandbox's own unpacking step, so the sample's activity begins where cmd.exe launches SQ-DOC-78608244-20190005.pdf.exe, a double-extension dropper from a nested 7z inside the submitted zip. The dropper starts RegAsm.exe with no arguments and a command line with every backslash doubled twice; RegAsm.exe has no legitimate use without arguments, and together with the VirtualAllocEx/WriteProcessMemory references in the payload and the HawkEye rule hit on RegAsm.exe's 0x400000 image this marks it as a hollowed host. RegAsm.exe then runs vbc.exe three times with /stext <temp file>: that is the save-to-text output switch of the NirSoft password-recovery tools whose symbol paths appear below, not an option of the VB.NET compiler, so each vbc.exe instance is a further injected host dumping one credential store to a temp file for the stealer to collect.
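Detection logic for the chain listed above, as an added example (it is not code from the Joe Sandbox report, from HawkEye or from any vendor). It replays constructed process-creation records shaped like Sysmon event 1 (PIDs other than 4304, the cmd.exe/devenv.exe parents and the two benign launches are invented for contrast) and flags the three links the report shows: a double-extension dropper, RegAsm.exe started with no arguments by a process outside the build toolchain, and vbc.exe called with '/stext', an output switch of the NirSoft password-recovery tools that the VB.NET compiler does not have. The parent allow-list and the switch list are assumptions to tune per estate.

```python
"""Flag the dropper -> RegAsm.exe -> vbc.exe /stext chain in process events.

Added example; the events below are constructed to mirror the sandbox
report's process tree, with two benign launches added for contrast.
"""
import re
import shlex
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str          # full path of the new process
    cmdline: str        # command line as logged
    parent_image: str   # full path of the parent


# Signed .NET Framework binaries that loaders use as hollowing hosts. Started
# with no arguments they only print usage, so an argument-less launch from a
# non-toolchain parent is a hollowing signal.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
# Parents that drive these binaries legitimately (assumption: tune per estate).
TOOLCHAIN_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
# Output switches of the NirSoft password-recovery tools (WebBrowserPassView,
# Mail PassView and relatives). vbc.exe, the VB.NET compiler, has none of them.
NIRSOFT_SWITCHES = {"/stext", "/stab", "/scomma", "/shtml", "/sverhtml", "/sxml"}
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png|txt)\.(exe|scr|com|pif)$", re.I)


def _collapse(s: str) -> str:
    # The sandbox logged the RegAsm.exe launch with every backslash doubled
    # twice; fold any run of backslashes to one before parsing.
    return re.sub(r"\\{2,}", r"\\", s)


def basename(path: str) -> str:
    return _collapse(path).rstrip("\\").rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> list:
    """Tokenise a Windows command line and return everything after the image."""
    tokens = [t.strip("\"'") for t in shlex.split(_collapse(cmdline), posix=False)]
    return tokens[1:]


def triage(events) -> dict:
    """Return {pid: [rule names]} for every event that matches a rule."""
    findings = {}
    for ev in events:
        hits = []
        img, parent = basename(ev.image), basename(ev.parent_image)
        args = arguments(ev.cmdline)
        if DOUBLE_EXT.search(img):
            hits.append("double_extension")
        if img in HOLLOW_HOSTS and not args and parent not in TOOLCHAIN_PARENTS:
            hits.append("dotnet_host_no_args")
        if img in HOLLOW_HOSTS | {"vbc.exe"} and NIRSOFT_SWITCHES & {a.lower() for a in args}:
            hits.append("nirsoft_switch")
        if hits:
            findings[ev.pid] = hits
    return findings


def credential_theft_roots(events) -> list:
    """PIDs of argument-less hosts that spawned a NirSoft-style dumper: the
    HawkEye pattern of one injected stub driving one child per credential store."""
    findings = triage(events)
    roots = []
    for ev in events:
        if ("nirsoft_switch" in findings.get(ev.pid, [])
                and "dotnet_host_no_args" in findings.get(ev.parent_pid, [])
                and ev.parent_pid not in roots):
            roots.append(ev.parent_pid)
    return roots


NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
DROPPER = r"C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe"
EVENTS = [  # constructed; only PID 4304 is taken from the report
    ProcEvent(3000, 2900, r"C:\Windows\SysWOW64\cmd.exe", f'cmd.exe /C "{DROPPER}"',
              r"C:\Windows\SysWOW64\unarchiver.exe"),
    ProcEvent(3100, 3000, DROPPER, f'"{DROPPER}"', r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(4304, 3100, NET + r"\RegAsm.exe",
              r"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe", DROPPER),
    ProcEvent(4400, 4304, NET + r"\vbc.exe",
              f'"{NET}\\vbc.exe" /stext "C:\\Users\\user\\AppData\\Local\\Temp\\tmpAFDF.tmp"', NET + r"\RegAsm.exe"),
    ProcEvent(4401, 4304, NET + r"\vbc.exe",
              f'"{NET}\\vbc.exe" /stext "C:\\Users\\user\\AppData\\Local\\Temp\\tmpA26D.tmp"', NET + r"\RegAsm.exe"),
    # benign contrast: the compiler driven by Visual Studio, and a real COM registration
    ProcEvent(5000, 4900, NET + r"\vbc.exe", f'"{NET}\\vbc.exe" /noconfig /out:App.dll Module1.vb',
              r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"),
    ProcEvent(5001, 4950, NET + r"\RegAsm.exe", f'"{NET}\\RegAsm.exe" /codebase C:\\Build\\Interop.dll',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, rules in triage(EVENTS).items():
        print(pid, ", ".join(rules))
    print("credential-theft roots:", credential_theft_roots(EVENTS))
```

The chain rule is deliberately two-level: an argument-less RegAsm.exe alone is worth a look, but an argument-less RegAsm.exe that then spawns vbc.exe with a NirSoft output switch is the whole HawkEye credential-theft sequence and can be alerted on with confidence.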
Uses an in-process (OLE) Automation server
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Uses Microsoft Silverlight
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
The Silverlight label is a misfire: mscorrc.dll is the .NET Framework 2.0 runtime's resource library (its mscorrc.pdb path is listed under the debug symbols below) and is opened by any CLR 2.0 host, which RegAsm.exe is.
Checks if Microsoft Office is installed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
The key is where Outlook stores its mail account settings, including saved POP3/SMTP credentials, and it is opened by the vbc.exe instance that carries the mailpv.pdb symbol path below; this is account-credential harvesting, not an installation check.
Submission file is bigger than most known malware samples
Source: SQ-DOC-78608244-20190005.7z.zip | Static file information: File size 1898315 > 1048576
Uses new MSVCR Dlls
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Binary contains paths to debug symbols
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: RegAsm.exe, 0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: mscorrc.pdb | source: RegAsm.exe, 0000000F.00000002.2783441699.0000000008500000.00000002.00000001.sdmp
WebBrowserPassView and mailpv (Mail PassView) are NirSoft's command-line browser and mail-client password-recovery tools; the PDB paths tie them to the vbc.exe hosts, and the mailpv copy also sits in RegAsm.exe's memory, i.e. the payload carries the tools and injects them. mscorrc.pdb belongs to the runtime and is noise.

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_004449B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 16_2_004449B3
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_0160912C push ecx; retf 15_2_01609131
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_0160D1B8 push eax; iretd 15_2_0160D1B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_056D99E0 pushfd ; iretd 15_2_056D99E1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00445190 push eax; ret 16_2_004451A4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00445190 push eax; ret 16_2_004451CC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00449EB4 push eax; ret 16_2_00449EC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00444F79 push ecx; ret 16_2_00444F89
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00418534 push eax; ret 17_2_00418535
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00412341 push ecx; ret 17_2_00412351
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00412360 push eax; ret 17_2_00412374
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_00412360 push eax; ret 17_2_0041239C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00445190 push eax; ret 22_2_004451A4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00445190 push eax; ret 22_2_004451CC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00449EB4 push eax; ret 22_2_00449EC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00444F79 push ecx; ret 22_2_00444F89

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00403BC7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 16_2_00403BC7
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX (30 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (37 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX (10 identical entries)
SEM_NOOPENFILEERRORBOX is set by the CLR and by many ordinary loaders before probing for DLLs, so on its own this signature carries little weight; the entries from unarchiver.exe and cmd.exe belong to the sandbox's own unpacking step.

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapterConfiguration, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
SBIEDLL.DLL is the DLL Sandboxie injects into sandboxed processes, so the check is a loaded-module comparison; WIRESHARK.EXE is a running-process comparison.
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification, 16_2_0040A5A9
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\unarchiver.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread delayed: delay time: 604800000
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe | Window / User API: threadDelayed 481
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3116 | Thread sleep count: 64 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3116 | Thread sleep time: -32000s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4708 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4648 | Thread sleep count: 59 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 1768 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1708 | Thread sleep count: 327 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1708 | Thread sleep time: -327000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3068 | Thread sleep time: -604800000s >= -30000s
The delay values are milliseconds despite the 's' suffix: TID 1708's 327 sleeps total 327000, i.e. 1 s each; 604800000 ms is exactly 7 days; and 922337203685477 is |INT64_MIN| in 100 ns ticks expressed in ms, the relative interval that SleepEx and the WaitFor* functions hand to NtDelayExecution for an INFINITE timeout, i.e. a blocked worker thread rather than a timed sleep. The unarchiver.exe entries belong to the sandbox's own extraction helper; the sample's evasion signal is RegAsm.exe's one-second polling loop and the seven-day delay on TID 3068.
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_0040A1A7 FindFirstFileW,FindNextFileW, 16_2_0040A1A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 17_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 17_2_0040702D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_0040A1A7 FindFirstFileW,FindNextFileW, 22_2_0040A1A7
Contains functionality to query system information
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 1_2_011CB042 GetSystemInfo, 1_2_011CB042
Queries a list of all running processes
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 16_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,16_2_0040A5A9
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 16_2_004449B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,16_2_004449B3
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\SysWOW64\unarchiver.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 15.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs; Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe; Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe protection: execute and read and write
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\unarchiver.exe; Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme' 'C:\Users\user\Desktop\SQ-DOC-78608244-20190005.7z.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe; Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme\SQ-DOC-78608244-20190005.7z'
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme\SQ-DOC-78608244-20190005.7z'
Source: C:\Windows\SysWOW64\unarchiver.exe; Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj' 'C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme\SQ-DOC-78608244-20190005.7z'
Source: C:\Windows\SysWOW64\unarchiver.exe; Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe
Source: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpAFDF.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpA26D.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9663.tmp'
May try to detect the Windows Explorer process (often used for injection)
Source: RegAsm.exe, 0000000F.00000002.2778881771.0000000001B70000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000F.00000002.2778881771.0000000001B70000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000F.00000002.2778881771.0000000001B70000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: 7za.exe, 00000008.00000003.2085398452.0000000002CF0000.00000004.00000001.sdmp, SQ-DOC-78608244-20190005.pdf.exe, 0000000C.00000000.2089537643.000000000114E000.00000002.00020000.sdmp, SQ-DOC-78608244-20190005.pdf.exe.8.dr; Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: RegAsm.exe, 0000000F.00000002.2778881771.0000000001B70000.00000002.00000001.sdmp; Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe; Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 16_2_00418906 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,16_2_00418906
Contains functionality to query the account / user name
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 17_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,17_2_004073B6
Contains functionality to query windows version
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 16_2_00409218 GetVersionExW,16_2_00409218
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\unarchiver.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: bdagent.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: MSASCui.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: avguard.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: avgrsx.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: avcenter.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: avp.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: zlclient.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: wireshark.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: avgcsrvx.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: avgnt.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: hijackthis.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: avgui.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: avgwdsvc.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: mbam.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.2780343702.00000000035C0000.00000004.00000001.sdmp; Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match; File source: 0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2776920588.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 4304, type: MEMORY
Source: Yara match; File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 17_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 17_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: ESMTPPassword 17_2_004033B1
Yara detected WebBrowserPassView password recovery tool
Source: Yara match; File source: 00000016.00000002.2626756673.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.2193913469.0000000004E33000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.2200897651.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2782109093.0000000007141000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2778589808.00000000016E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: vbc.exe PID: 5040, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 4304, type: MEMORY
Source: Yara match; File source: Process Memory Space: vbc.exe PID: 4728, type: MEMORY
Source: Yara match; File source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.RegAsm.exe.16e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.RegAsm.exe.16e0000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat
Source: RegAsm.exe, 0000000F.00000002.2776920588.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Yara detected HawkEye Keylogger
Source: Yara match; File source: 0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2776920588.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 4304, type: MEMORY
Source: Yara match; File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 214494; Sample: SQ-DOC-78608244-20190005.7z.zip; Startdate: 11/03/2020; Architecture: WINDOWS; Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
Process chain (graph): unarchiver.exe -> cmd.exe and 7za.exe (each with conhost.exe) -> unarchiver.exe -> cmd.exe and 7za.exe (each with conhost.exe) -> SQ-DOC-78608244-20190005.pdf.exe (dropped by 7za.exe as C:\Users\...\SQ-DOC-78608244-20190005.pdf.exe, PE32) -> RegAsm.exe -> vbc.exe (3 instances)
SQ-DOC-78608244-20190005.pdf.exe signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Maps a DLL or memory area into another process
RegAsm.exe signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Sample uses process hollowing technique
vbc.exe signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); Tries to steal Mail credentials (via file registry); Tries to harvest and steal browser information (history, passwords, etc)

Simulations

Behavior and APIs

Time | Type | Description
04:28:07 | API Interceptor | 2x Sleep call for process: RegAsm.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe | 100% | Avira | TR/AD.Hawkexe.nsnlw
C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe | 36% | Virustotal |
C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe | 42% | ReversingLabs | Script-AutoIt.Trojan.Injector

Unpacked PE Files

Source | Detection | Scanner | Label
15.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://a.pomf.cat/ | 6% | Virustotal |
https://a.pomf.cat/ | 100% | URL Reputation | malware
http://pomf.cat/upload.php&https://a.pomf.cat/ | 0% | Avira URL Cloud | safe
https://go.microsoft.D | 0% | Avira URL Cloud | safe
http://pomf.cat/upload.php | 8% | Virustotal |
http://pomf.cat/upload.php | 0% | Avira URL Cloud | safe
http://pomf.cat/upload.phpCContent-Disposition: | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
SQ-DOC-78608244-20190005.7z | SUSP_RAR_with_PDF_Script_Obfuscation | Detects RAR file with suspicious .pdf extension prefix to trick users | Florian Roth
  • 0x4d:$s5: .pdf.exe
  • 0x1cf668:$s5: .pdf.exe

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\ik3tcyzc.jme\SQ-DOC-78608244-20190005.7z | SUSP_RAR_with_PDF_Script_Obfuscation | Detects RAR file with suspicious .pdf extension prefix to trick users | Florian Roth
  • 0x4d:$s5: .pdf.exe
  • 0x1cf668:$s5: .pdf.exe

Memory Dumps

Source | Rule | Description | Author | Strings
00000016.00000002.2626756673.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0000000F.00000003.2193913469.0000000004E33000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000011.00000002.2410105125.0000000000400000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8e4b7:$s2: _ScreenshotLogger
  • 0x8ea03:$s2: _ScreenshotLogger
  • 0x8e484:$s3: _PasswordStealer
  • 0x8e9d0:$s3: _PasswordStealer
0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0000000F.00000002.2780395675.00000000035D9000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000000F.00000002.2776920588.0000000000402000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x80e68:$s2: _ScreenshotLogger
  • 0x80e35:$s3: _PasswordStealer
0000000F.00000002.2776920588.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000010.00000002.2200897651.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0000000F.00000002.2782109093.0000000007141000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0000000F.00000002.2778589808.00000000016E0000.00000004.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x6b8fa:$a1: logins.json
  • 0x6b85a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6c07e:$s4: \mozsqlite3.dll
  • 0x6a8ee:$s5: SMTP Password
0000000F.00000002.2778589808.00000000016E0000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
Process Memory Space: vbc.exe PID: 5040 | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
Process Memory Space: RegAsm.exe PID: 4304 | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x1af6e:$s2: _ScreenshotLogger
  • 0x1b5da:$s2: _ScreenshotLogger
  • 0x1be7e:$s2: _ScreenshotLogger
  • 0x1cc3a:$s2: _ScreenshotLogger
  • 0xe2cba:$s2: _ScreenshotLogger
  • 0x1af17:$s3: _PasswordStealer
  • 0x1b583:$s3: _PasswordStealer
  • 0x1be27:$s3: _PasswordStealer
  • 0x1cbe3:$s3: _PasswordStealer
  • 0xe2c63:$s3: _PasswordStealer
Process Memory Space: RegAsm.exe PID: 4304 | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
Process Memory Space: RegAsm.exe PID: 4304 | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
Process Memory Space: vbc.exe PID: 4728 | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.vbc.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
15.2.RegAsm.exe.400000.0.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x81068:$s2: _ScreenshotLogger
  • 0x81035:$s3: _PasswordStealer
15.2.RegAsm.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
15.2.RegAsm.exe.400000.0.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen
  • 0x81035:$str1: _PasswordStealer
  • 0x81046:$str2: _KeyStrokeLogger
  • 0x81068:$str3: _ScreenshotLogger
  • 0x81057:$str4: _ClipboardLogger
  • 0x8107a:$str5: _WebCamLogger
  • 0x8118f:$str6: _AntiVirusKiller
  • 0x8117d:$str7: _ProcessElevation
  • 0x81144:$str8: _DisableCommandPrompt
  • 0x8124a:$str9: _WebsiteBlocker
  • 0x8125a:$str9: _WebsiteBlocker
  • 0x81130:$str10: _DisableTaskManager
  • 0x811ab:$str11: _AntiDebugger
  • 0x81235:$str12: _WebsiteVisitorSites
  • 0x8115a:$str13: _DisableRegEdit
  • 0x811b9:$str14: _ExecutionDelay
  • 0x810de:$str15: _InstallStartupPersistance
17.2.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
16.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
22.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
15.2.RegAsm.exe.16e0000.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x6b8fa:$a1: logins.json
  • 0x6b85a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6c07e:$s4: \mozsqlite3.dll
  • 0x6a8ee:$s5: SMTP Password
15.2.RegAsm.exe.16e0000.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
22.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
16.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
15.2.RegAsm.exe.16e0000.1.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x69afa:$a1: logins.json
  • 0x69a5a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6a27e:$s4: \mozsqlite3.dll
  • 0x68aee:$s5: SMTP Password
15.2.RegAsm.exe.16e0000.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started; Author: Florian Roth (rule), @blu3_team (idea); Data: Command: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe, CommandLine: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe, ParentCommandLine: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\ibaufc5p.ayj\SQ-DOC-78608244-20190005.pdf.exe, ProcessId: 1880
Sigma detected: Suspicious Process Creation
Source: Process started; Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update); Data: Command: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpAFDF.tmp', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpAFDF.tmp', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 4304, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpAFDF.tmp', ProcessId: 5040

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context
