
Analysis Report WORLD_HEALTH_ORGANISATION_PDF.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 215014
Start date: 12.03.2020
Start time: 16:15:47
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 17s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: WORLD_HEALTH_ORGANISATION_PDF.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/2@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 205.185.216.10, 205.185.216.42, 8.241.9.254, 8.238.31.254, 8.241.88.126, 8.238.37.126, 8.248.117.254
  • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net
  • Execution Graph export aborted for target RegAsm.exe, PID 712 because it is empty
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Timeout during Intezer genetic analysis for /opt/package/joesandbox/database/analysis/215014/sample/WORLD_HEALTH_ORGANISATION_PDF.exe
  • Timeout during Intezer genetic analysis for unpackpe/0.1.WORLD_HEALTH_ORGANISATION_PDF.exe.830000.0.unpack

Detection

Strategy: Threshold
Score: 100 (range 0 - 100)
Whitelisted: false
Threat: HawkEye
Detection: malicious

Confidence

Strategy: Threshold
Score: 5 (range 0 - 5)
Further analysis required?: false


Classification Spiderchart

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Trailing digits after a technique are the matrix's signature-hit badges, flattened in this export; techniques without digits were not observed. Rows with only 13 cells have one empty cell among the last columns that the export does not locate.

Valid Accounts | Windows Management Instrumentation 511 | Winlogon Helper DLL | Process Injection 112 | Masquerading 1 | Credential Dumping | Virtualization/Sandbox Evasion 33 | Remote File Copy 1 | Data from Local System | Data Encrypted 11 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Execution through API 1 | Port Monitors | Accessibility Features | Software Packing 1 | Network Sniffing | Process Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Remote Access Tools 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Disabling Security Tools 1 | Input Capture | Application Window Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Virtualization/Sandbox Evasion 33 | Credentials in Files | Security Software Discovery 521 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol 2 | SIM Card Swap | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Process Injection 112 | Account Manipulation | Remote System Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol 2 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Deobfuscate/Decode Files or Information 1 | Brute Force | System Network Configuration Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Obfuscated Files or Information 1 | Two-Factor Authentication Interception | System Information Discovery 13 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact

Observed techniques by tactic (those carrying badges above): Execution: Windows Management Instrumentation, Execution through API; Privilege Escalation: Process Injection; Defense Evasion: Process Injection, Masquerading, Software Packing, Disabling Security Tools, Virtualization/Sandbox Evasion, Deobfuscate/Decode Files or Information, Obfuscated Files or Information; Discovery: Virtualization/Sandbox Evasion, Process Discovery, Application Window Discovery, Security Software Discovery, Remote System Discovery, System Network Configuration Discovery, System Information Discovery; Lateral Movement: Remote File Copy; Exfiltration: Data Encrypted; Command and Control: Standard Cryptographic Protocol, Remote Access Tools, Remote File Copy, Standard Non-Application Layer Protocol, Standard Application Layer Protocol.

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: https://a.pomf.cat/ URL Reputation: Label: malware
Found malware configuration
Source: RegAsm.exe.712.6.memstr Malware Configuration Extractor: HawkEye {"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: http://pomf.cat/upload.php Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Virustotal: Detection: 35%
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: bot.whatismyipaddress.com (5 queries)
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 66.171.248.178 (2 entries)
Downloads files from webservers via HTTP
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com Connection: Keep-Alive
Found strings which match to known social media urls
Source: RegAsm.exe, 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown DNS traffic detected: queries for: 203.215.12.0.in-addr.arpa
Urls found in memory or binary data
Source: RegAsm.exe, 00000006.00000002.2256847981.0000000003339000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com
Source: RegAsm.exe, 00000006.00000002.2256800444.0000000003320000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.2256847981.0000000003339000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: RegAsm.exe, 00000006.00000002.2256847981.0000000003339000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.comx&
Source: RegAsm.exe, 00000006.00000002.2256800444.0000000003320000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php
Source: RegAsm.exe, 00000006.00000002.2253406993.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegAsm.exe, 00000006.00000002.2256800444.0000000003320000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: RegAsm.exe, 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000006.00000002.2256800444.0000000003320000.00000004.00000001.sdmp String found in binary or memory: https://a.pomf.cat/
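The networking signatures above describe a short chain: DNS for bot.whatismyipaddress.com, a bare HTTP GET to it with no User-Agent, and a multipart upload endpoint at pomf.cat. The following is an added example, not part of the Joe Sandbox report, that turns those indicators into detection logic over proxy/DNS logs. The log line format and the sample lines are constructed for the example (assumed, not any product's real format); the domains, URLs and IP address are the ones the report lists.

```python
"""Added example (not part of the Joe Sandbox report): flag the network
behaviour the report attributes to the HawkEye payload in proxy/DNS logs.
The log format and the sample lines are constructed for this example; the
domains, URLs and IP address come from the report above."""
import re
from typing import Iterable

# Indicators taken from the report.
IP_CHECK_DOMAINS = {"bot.whatismyipaddress.com"}
UPLOAD_URL_PREFIXES = ("http://pomf.cat/upload.php", "https://a.pomf.cat/")
KNOWN_BAD_IPS = {"66.171.248.178"}

# Constructed line format (an assumption, not any product's real format):
#   <timestamp> DNS  <client-ip> <queried-name>
#   <timestamp> HTTP <client-ip> <METHOD> <url> [ua="<user-agent>"]
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS (?P<client>\S+) (?P<name>\S+)$")
HTTP_RE = re.compile(
    r"^(?P<ts>\S+) HTTP (?P<client>\S+) (?P<method>GET|POST) (?P<url>\S+)"
    r'(?: ua="(?P<ua>[^"]*)")?$'
)


def _host(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()


def classify(line: str) -> list[str]:
    """Return the report signatures one log line triggers (empty if none)."""
    hits: list[str] = []
    m = DNS_RE.match(line)
    if m:
        if m.group("name").rstrip(".").lower() in IP_CHECK_DOMAINS:
            hits.append("online-ip-check")          # "May check the online IP address"
        return hits
    m = HTTP_RE.match(line)
    if not m:
        return hits
    url, host = m.group("url"), _host(m.group("url"))
    if not m.group("ua"):
        hits.append("http-without-user-agent")      # only Host/Connection headers sent
    if host in IP_CHECK_DOMAINS:
        hits.append("online-ip-check")
    if host in KNOWN_BAD_IPS:
        hits.append("known-malware-ip")
    if m.group("method") == "POST" and url.startswith(UPLOAD_URL_PREFIXES):
        hits.append("upload-to-pomf.cat")           # exfiltration endpoint
    return hits


def scan(lines: Iterable[str]) -> dict[str, list[str]]:
    """Group triggered signatures per client so one host's chain is visible."""
    per_client: dict[str, list[str]] = {}
    for line in lines:
        hits = classify(line)
        if hits:
            per_client.setdefault(line.split()[2], []).extend(hits)
    return per_client


# Constructed sample log: one infected client (10.0.0.5) and one clean one.
SAMPLE_LOG = [
    "2020-03-12T16:16:01Z DNS 10.0.0.5 bot.whatismyipaddress.com",
    "2020-03-12T16:16:02Z HTTP 10.0.0.5 GET http://bot.whatismyipaddress.com/",
    '2020-03-12T16:20:41Z HTTP 10.0.0.5 POST http://pomf.cat/upload.php ua="Mozilla/5.0"',
    '2020-03-12T16:20:50Z HTTP 10.0.0.7 GET https://www.example.org/ ua="Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, "->", ", ".join(hits))
```

The per-client grouping matters more than any single rule: an IP-check lookup alone is common in benign software, but the same host doing the lookup without a User-Agent and then POSTing to a paste/upload site within minutes is the sequence this sample produced.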

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000006.00000002.2253406993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2256847981.0000000003339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 712, type: MEMORY
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.2253406993.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000006.00000002.2257522809.0000000005320000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000006.00000002.2256847981.0000000003339000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 712, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 6.2.RegAsm.exe.5320000.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 6.2.RegAsm.exe.5320000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Binary is likely a compiled AutoIt script file
Source: WORLD_HEALTH_ORGANISATION_PDF.exe, 00000000.00000000.2082140431.00000000008DE000.00000002.00020000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: WORLD_HEALTH_ORGANISATION_PDF.exe, 00000000.00000000.2082140431.00000000008DE000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: WORLD_HEALTH_ORGANISATION_PDF.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: WORLD_HEALTH_ORGANISATION_PDF.exe String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: WORLD_HEALTH_ORGANISATION_PDF.exe
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code functions in process 6 (addresses listed without the repeated 6_2_ prefix): 015B3654, 015B36D5, 054D8B50, 054D3968, 054D79C8, 054D4FEB, 054D1C58, 054D7E50, 054D0828, 054D74C0, 054D0C9B, 054D8B48, 054D395B, 054D3B68, 054D3B60, 054D2578, 054D2573, 054D7F32, 054D3FCF, 054D53C8, 054D2FC8, 054D43C0, 054D2FC3, 054D3FD8, 054D6988, 054D53B8, 054D79BB, 054D43B1, 054D7E48, 054D1C53, 054D0825, 054D60AE, 054D74BB, 054D60B0
PE file contains strange resources
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Static PE information: 6 resources named RT_ICON of type GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Yara signature match
Source: 00000006.00000002.2253406993.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.2257522809.0000000005320000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000006.00000002.2256847981.0000000003339000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegAsm.exe PID: 712, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 6.2.RegAsm.exe.5320000.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 6.2.RegAsm.exe.5320000.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Note on attribution: the KimJongRAT rule fires only on the 0x5320000 region, whereas MAL_HawkEye_Keylogger_Gen_Dec18 and HawkEyev9 both match the unpacked payload at 0x400000 and the configuration extractor recovered a HawkEye config from the same process. Treat the BabyShark hit as a string overlap to verify against that rule's strings, not as evidence of a second family.
.NET source code contains calls to encryption/decryption functions
Source: 6.2.RegAsm.exe.400000.0.unpack, u200c???????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
Source: 6.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
Source: 6.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
.NET source code contains many API calls related to security
Source: 6.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.RegAsm.exe.400000.0.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 6.2.RegAsm.exe.400000.0.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 6.2.RegAsm.exe.400000.0.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 6.2.RegAsm.exe.400000.0.unpack, u206a????????????????????????????????????????.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Classification label
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/2@2/1
Creates files inside the user directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
Creates mutexes
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\e2c20095-e9b9-4e9b-acff-55166fc9e9b3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
(The GUID-named mutant is the sample-specific one and is the usable host indicator; ".net clr networking" is a standard mutex of the CLR's networking stack and appears in any .NET process that uses System.Net.)
Creates temporary files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\350081e4-1202-a5bc-5e10-1a7ba3c350a5
PE file has an executable .text section and no other executable section
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
(The recorded queries actually read Win32_Processor, the ProcessorId and Name properties, a common machine-fingerprint source rather than a process listing.)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor (2 queries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Reads software policies
Source: C:\Users\user\Desktop\WORLD_HEALTH_ORGANISATION_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts (4 reads)
SQL strings found in memory and binary data
(These are SQLite's own internal statements for VACUUM and ALTER TABLE, i.e. an embedded SQLite engine; they sit in the same memory region, 0x4B93000, as the NirSoft credential-recovery tools named under "Binary contains paths to debug symbols", which use SQLite to read browser credential databases.)
Source: RegAsm.exe, 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RegAsm.exe, 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RegAsm.exe, 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RegAsm.exe, 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RegAsm.exe, 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Sample is known by Antivirus
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Virustotal: Detection: 35%
Spawns processes
Source: unknown Process created: C:\Users\user\Desktop\WORLD_HEALTH_ORGANISATION_PDF.exe 'C:\Users\user\Desktop\WORLD_HEALTH_ORGANISATION_PDF.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe (3 times)
Source: C:\Users\user\Desktop\WORLD_HEALTH_ORGANISATION_PDF.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe (3 times)
All three RegAsm.exe launches carry no assembly argument; the command line is only the binary's own path, which a genuine assembly registration never does. Together with the HawkEye payload being unpacked from RegAsm.exe memory at 0x400000 (see the Yara matches above), this is the AutoIt dropper using the Microsoft .NET tool as a host for the injected payload (Process Injection in the ATT&CK matrix).
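The process chain above, an executable on the user's Desktop with a document-lookalike name starting RegAsm.exe with no assembly argument three times, is detectable from process-creation telemetry alone. The following is an added example, not part of the Joe Sandbox report, that scores Sysmon-style process-creation events for exactly those traits. The events are constructed for the example (the parent PID, the two extra child PIDs and the benign control event are made up; only PID 712 and the paths come from the report), and the Sysmon Event ID 1 field names are an assumption.

```python
"""Added example (not part of the Joe Sandbox report): detect the process
chain shown above, an executable on the user's Desktop starting
RegAsm.exe with no assembly argument, three times, from Sysmon-style
process-creation events. The events are constructed for this example
(parent PID and two child PIDs are made up); field names follow Sysmon
Event ID 1 but that mapping is an assumption, not part of the report."""
import ntpath
import re

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\")
DOC_LOOKALIKE = re.compile(r"[_.](pdf|doc|docx|xls|xlsx)\.exe$", re.IGNORECASE)


def _args_after_image(cmdline: str) -> str:
    """Text after the RegAsm.exe path, with quoting and doubled backslashes removed."""
    c = cmdline.replace("\\\\", "\\").strip().strip('"')
    i = c.lower().find("regasm.exe")
    return c[i + len("regasm.exe"):].strip(' "') if i >= 0 else c


def event_reasons(evt: dict) -> list[str]:
    """Reasons one process-creation event looks like the report's chain."""
    reasons: list[str] = []
    image = ntpath.basename(evt["Image"]).lower()
    parent = evt["ParentImage"]
    if image == "regasm.exe":
        # Legitimate RegAsm runs always name an assembly; the report shows
        # a command line that is just the binary itself, a hollowing decoy.
        if not _args_after_image(evt["CommandLine"]):
            reasons.append("regasm-without-assembly-argument")
        if USER_WRITABLE.match(parent):
            reasons.append("regasm-parent-in-user-writable-path")
    if DOC_LOOKALIKE.search(ntpath.basename(parent)):
        reasons.append("parent-has-document-lookalike-name")
    return reasons


def correlate(events: list[dict]) -> dict[str, dict]:
    """Per parent (image|pid): reasons seen and number of RegAsm.exe children started."""
    out: dict[str, dict] = {}
    for evt in events:
        reasons = event_reasons(evt)
        if not reasons:
            continue
        key = f'{evt["ParentImage"]}|{evt["ParentProcessId"]}'
        slot = out.setdefault(key, {"reasons": set(), "regasm_children": 0})
        slot["reasons"].update(reasons)
        if ntpath.basename(evt["Image"]).lower() == "regasm.exe":
            slot["regasm_children"] += 1
    return out


DROPPER = r"C:\Users\user\Desktop\WORLD_HEALTH_ORGANISATION_PDF.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
# Command line exactly as the report renders it (escaped backslashes).
REGASM_CMD = r"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

SAMPLE_EVENTS = [
    {"Image": REGASM, "CommandLine": REGASM_CMD, "ProcessId": pid,
     "ParentImage": DROPPER, "ParentProcessId": 1234}     # 1234 is constructed
    for pid in (700, 704, 712)                            # 712 is the PID the report names
] + [
    # Constructed benign control: an installer registering a COM assembly.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase "C:\Program Files\Vendor\lib.dll"',
     "ProcessId": 900, "ParentImage": r"C:\Windows\System32\msiexec.exe", "ParentProcessId": 500},
]

if __name__ == "__main__":
    for parent, info in correlate(SAMPLE_EVENTS).items():
        print(parent, info["regasm_children"], sorted(info["reasons"]))
```

The argument check is the discriminating one: RegAsm.exe, RegSvcs.exe, MSBuild.exe and similar .NET hosts are routinely abused as injection targets precisely because they are signed and present on every machine with the Framework, and an empty command line is what distinguishes that use from the tool's real job.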
Uses an in-process (OLE) Automation server
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Submission file is bigger than most known malware samples
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Static file information: File size 2136064 > 1048576
Uses new MSVCR Dlls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
PE file has a big raw section
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x140800
PE file contains a mix of data directories often seen in goodware
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Static PE information: data directory types: IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_IAT
PE file contains a debug data directory
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RegAsm.exe, 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp
(These PDB paths belong to the command-line builds of NirSoft's WebBrowserPassView and Mail PassView, the "browserpv", "mailpv" and "WebBrowserPassView" modules named in the extracted HawkEye configuration; HawkEye carries these tools in memory to harvest browser and mail client credentials, and the http://www.nirsoft.net/ string in the same region corroborates it.)
PE file contains a valid data directory to section mapping
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WORLD_HEALTH_ORGANISATION_PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
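The static signatures in this section (file over 1 MiB, .rsrc raw size above 0x100000, a single executable section, the AutoIt marker string, the document-lookalike file name) can all be reproduced from the raw PE bytes by walking the section table. The following is an added example, not code from the Joe Sandbox report, that does so with only the standard library. build_sample_pe() constructs a minimal PE32 whose section layout mirrors the numbers in the report (section names, .rsrc raw size 0x140800, only .text executable), but its bytes are made up; it is not the real sample.

```python
"""Added example (not part of the Joe Sandbox report): the static checks the
System Summary applies to the dropper, on raw PE bytes, without pefile.
build_sample_pe() constructs a minimal PE for the example; its section sizes
mirror the report (file > 1 MiB, .rsrc raw size 0x140800, one executable
section) but the bytes are made up, not the real sample."""
import re
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_HDR = struct.Struct("<HHIIIHH")         # Machine .. SizeOfOptionalHeader, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER (40 bytes)
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."
DOC_LOOKALIKE = re.compile(r"[_.](pdf|doc|docx|xls|xlsx)\.exe$", re.IGNORECASE)


def sections(pe: bytes) -> list[dict]:
    """Parse the IMAGE_SECTION_HEADER table; raises on non-PE input."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsect, _, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, e_lfanew + 4)
    off = e_lfanew + 4 + COFF_HDR.size + opt_size
    out = []
    for k in range(nsect):
        f = SECTION_HDR.unpack_from(pe, off + k * SECTION_HDR.size)
        out.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                    "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return out


def triage(filename: str, pe: bytes) -> dict:
    """The report's static signatures as booleans."""
    secs = sections(pe)
    executable = [s["name"] for s in secs
                  if s["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)]
    rsrc = next((s for s in secs if s["name"] == ".rsrc"), None)
    return {
        "file_size_over_1mib": len(pe) > 1048576,
        "rsrc_raw_over_1mib": bool(rsrc) and rsrc["raw_size"] > 0x100000,
        "only_text_executable": executable == [".text"],
        "autoit_marker": AUTOIT_MARKER in pe,
        "document_lookalike_name": bool(DOC_LOOKALIKE.search(filename)),
    }


def build_sample_pe(rsrc_size: int = 0x140800, plant_marker: bool = True) -> bytes:
    """Constructed minimal PE32: valid headers, zero-filled section bodies."""
    layout = [
        (b".text", 0x60000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rdata", 0x20000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".data", 0x8000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".rsrc", rsrc_size, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".reloc", 0x3000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
    ]
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    COFF_HDR.pack_into(hdr, 0x44, 0x14C, len(layout), 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)                 # PE32 optional-header magic
    body = bytearray()
    off, raw_ptr, va = 0x58 + 0xE0, 0x400, 0x1000
    for name, size, chars in layout:
        SECTION_HDR.pack_into(hdr, off, name.ljust(8, b"\0"), size, va, size, raw_ptr, 0, 0, 0, 0, chars)
        off, raw_ptr, va = off + SECTION_HDR.size, raw_ptr + size, va + ((size + 0xFFF) & ~0xFFF)
        body += bytes(size)
    if plant_marker:                                         # inside the .rdata body
        body[0x60100:0x60100 + len(AUTOIT_MARKER)] = AUTOIT_MARKER
    return bytes(hdr) + bytes(body)
```

An oversized .rsrc with a single code section is the shape of every AutoIt-compiled dropper (the script and its embedded payload live in resources), so on its own it is a weak signal; it is the AutoIt marker plus the lookalike name plus the runtime chain into RegAsm.exe that turns these cheap static checks into a confident triage.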

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, code function 6_2_015B912C: push ecx; retf (at 6_2_015B9131)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, code function 6_2_015B42F4: push esp; retf 0002h (at 6_2_015B431E)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, code function 6_2_054D2569: pushad; retf 0002h (at 6_2_054D256A)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, code function 6_2_054D0F68: push ebx; retf 0002h (at 6_2_054D0F6A)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, code function 6_2_054D2710: pushad; retf 0002h (at 6_2_054D2712)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, code function 6_2_054D99E0: pushfd; iretd (at 6_2_054D99E1)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, code function 6_2_054D1191: push esp; retf 0002h (at 6_2_054D1192)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, code function 6_2_054D0EC9: push edx; retf 0002h (at 6_2_054D0ECA)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, code function 6_2_054D0C91: push eax; retf 0002h (at 6_2_054D0C92)
Note: all hits are in dynamically allocated regions (0x015B.... and 0x054D....) of a .NET host process. One-byte push followed by a far return or iretd is the typical output of a linear disassembly sweep over data or JIT metadata rather than hand-written obfuscation, so treat this signature as low confidence on its own.

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\WORLD_HEALTH_ORGANISATION_PDF.exe, process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, process information set: NOOPENFILEERRORBOX (37 occurrences)
Note: SEM_NOOPENFILEERRORBOX only suppresses the dialog Windows shows when a file cannot be found; runtimes and installers set it routinely, so on its own this is a weak indicator.

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match, file source: Process Memory Space: RegAsm.exe PID: 712, type: MEMORY
Queries memory information (via WMI, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WMI query: IWbemServices::ExecQuery - root\CIMV2 : SELECT Capacity FROM Win32_PhysicalMemory
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WMI query: IWbemServices::ExecQuery - root\CIMV2 : SELECT Manufacturer FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WMI query: IWbemServices::ExecQuery - root\CIMV2 : SELECT SystemBiosMajorVersion FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WMI query: IWbemServices::ExecQuery - root\CIMV2 : SELECT SystemBiosMinorVersion FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WMI query: IWbemServices::ExecQuery - root\CIMV2 : SELECT ReleaseDate FROM Win32_BIOS
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WMI query: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration (3 occurrences)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WMI query: IWbemServices::ExecQuery - root\CI/MV2 : SELECT Capacity FROM Win32_PhysicalMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WMI query: IWbemServices::ExecQuery - root\CIMV2 : SELECT Caption FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe, 00000006.00000002.2256800444.0000000003320000.00000004.00000001.sdmp, binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe, 00000006.00000002.2256800444.0000000003320000.00000004.00000001.sdmp, binary or memory string: WIRESHARK.EXE
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\WORLD_HEALTH_ORGANISATION_PDF.exe, Window / User API: threadDelayed 716
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\WORLD_HEALTH_ORGANISATION_PDF.exe TID: 4224, thread sleep count: 716 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4924, thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2192, thread sleep time: -922337203685477s >= -30000s
Note: 922337203685477 is TimeSpan.MaxValue expressed in milliseconds, i.e. a .NET Thread.Sleep that never returns on its own. Thread 2192 is parked indefinitely rather than sleeping for a timed interval, which is why the sandbox had to intervene in the Sleep calls (see "Behavior and APIs" below).
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WMI query: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WMI query: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: RegAsm.exe, 00000006.00000002.2258865791.00000000086E0000.00000002.00000001.sdmp, binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000006.00000002.2258865791.00000000086E0000.00000002.00000001.sdmp, binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000006.00000002.2258865791.00000000086E0000.00000002.00000001.sdmp, binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000006.00000002.2258865791.00000000086E0000.00000002.00000001.sdmp, binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: these four strings are standard Windows error-message text (Host Compute Service errors from the system message table) and show up in any process that has the relevant system library mapped. Unlike the WMI queries above, they are not evidence of an intentional VM check.
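The individual WMI signatures above are each weak (plenty of inventory software reads Win32_BIOS), but a single process touching five hardware-identity classes in one session and then parking a thread forever is the pattern worth alerting on. The following is an added example written for this report, not sandbox code, that scores report-style behaviour lines for exactly that combination. The sample lines are constructed to mirror the report's entries (one benign-looking Win32_OperatingSystem query is added for contrast); the class list, the reading of the sleep values as Sleep() milliseconds and the scoring thresholds are this example's assumptions.

```python
"""Score VM-fingerprinting and sleep-based evasion from report-style behaviour lines.

Added example, not part of the Joe Sandbox report. It parses lines in the shape the
report prints ("WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT p FROM cls"
and "Thread sleep time: -Ns") and scores the classic anti-VM pattern. The sample
lines are constructed to mirror the report; the class list, the reading of sleep
values as Sleep() milliseconds and the thresholds are this example's assumptions.
"""
import re

# WMI classes whose properties are routinely compared against hypervisor signatures.
VM_FINGERPRINT_CLASSES = {
    "Win32_BIOS": "BIOS vendor/version/date (VirtualBox, VMware, Xen, SeaBIOS strings)",
    "Win32_BaseBoard": "board manufacturer/product",
    "Win32_ComputerSystem": "system manufacturer/model (VMware, Inc.; innotek GmbH)",
    "Win32_PhysicalMemory": "RAM capacity (analysis VMs are often given little memory)",
    "Win32_VideoController": "GPU caption (VMware SVGA, VirtualBox Graphics Adapter)",
    "Win32_Processor": "CPU name/ProcessorId, core count",
    "Win32_NetworkAdapterConfiguration": "MAC OUI (00:0C:29/00:50:56 VMware, 08:00:27 VirtualBox)",
    "Win32_DiskDrive": "disk model (VBOX HARDDISK, VMware Virtual disk)",
}
WMI_RE = re.compile(
    r"ExecQuery\s*-\s*(?P<ns>\S+)\s*:\s*SELECT\s+(?P<props>.+?)\s+FROM\s+(?P<cls>\w+)", re.I)
SLEEP_RE = re.compile(r"Thread sleep time:\s*-?(\d+)s")

TIMESPAN_MAX_MS = 922_337_203_685_477   # TimeSpan.MaxValue in ms: Thread.Sleep never returns
LONG_SLEEP_MS = 3 * 60 * 1000           # the report's "long sleeps (>= 3 min)" threshold
MIN_CLASSES_FOR_VERDICT = 3             # assumption: distinct fingerprint classes needed


def analyze(lines):
    """Return the fingerprinted classes, sleep findings and an overall score/verdict."""
    fingerprinted, other, sleeps = {}, set(), []
    for line in lines:
        m = WMI_RE.search(line)
        if m:
            cls = m.group("cls")
            props = {p.strip() for p in m.group("props").split(",")}
            if cls in VM_FINGERPRINT_CLASSES:
                fingerprinted.setdefault(cls, set()).update(props)
            else:
                other.add(cls)
            continue
        m = SLEEP_RE.search(line)
        if m:
            sleeps.append(int(m.group(1)))
    long_sleeps = [s for s in sleeps if s >= LONG_SLEEP_MS]
    infinite = any(s >= TIMESPAN_MAX_MS for s in sleeps)
    # one point per distinct class; an effectively infinite park outweighs a timed long sleep
    score = len(fingerprinted) + (2 if infinite else 1 if long_sleeps else 0)
    verdict = ("anti-vm fingerprinting likely"
               if len(fingerprinted) >= MIN_CLASSES_FOR_VERDICT else "inconclusive")
    return {
        "fingerprint_classes": {c: sorted(p) for c, p in sorted(fingerprinted.items())},
        "other_classes": sorted(other),
        "long_sleeps_ms": long_sleeps,
        "infinite_sleep": infinite,
        "score": score,
        "verdict": verdict,
    }


# Constructed sample modelled on the report's lines (one benign-looking query added).
SAMPLE_LINES = [
    "WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT Capacity FROM Win32_PhysicalMemory",
    "WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT Manufacturer FROM Win32_BIOS",
    "WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT ReleaseDate FROM Win32_BIOS",
    "WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration",
    "WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT Caption FROM Win32_VideoController",
    "WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT ProcessorId FROM Win32_Processor",
    "WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT Name FROM Win32_Processor",
    "WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT Caption FROM Win32_OperatingSystem",
    "Thread sleep time: -30000s >= -30000s",
    "Thread sleep time: -922337203685477s >= -30000s",
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The same scoring can be fed from an EDR's WMI-activity events instead of report lines; only the regular expressions need to change. The 30 000 ms sleep on thread 4924 correctly stays below the long-sleep threshold, while the TimeSpan.MaxValue park on thread 2192 is what pushes the score up.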

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, memory allocated: page read and write | page guard
Note: guard pages are also part of ordinary thread-stack management, so a single PAGE_GUARD allocation is weak evidence unless the guarded region is later used to trap reads of unpacked code.

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 6.2.RegAsm.exe.400000.0.unpack, class file u202d????????????????????????????????????????.cs (the type and method names are obfuscated with non-printable Unicode: U+202D LEFT-TO-RIGHT OVERRIDE followed by characters the report could not render). Referenced P/Invoke targets:
- FindResource@kernel32.dll
- capGetDriverDescriptionA@avicap32.dll (webcam enumeration, matching the _WebCamLogger option in the configuration schema)
- WriteProcessMemory@kernel32.dll
- LoadLibrary@kernel32.dll
- VirtualAllocEx@kernel32.dll
- ReadProcessMemory@kernel32.dll
- GetProcAddress@kernel32.dll
Note: VirtualAllocEx, WriteProcessMemory and ReadProcessMemory are the minimal set for placing a payload in another process; resolving them through LoadLibrary/GetProcAddress at run time keeps the static import table clean.
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\WORLD_HEALTH_ORGANISATION_PDF.exe, section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\WORLD_HEALTH_ORGANISATION_PDF.exe, process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, command line: C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe (3 occurrences)
Note: RegAsm.exe is started from the user's Desktop with no arguments, whereas its legitimate use always takes an assembly path. Together with the suspended start and the RWX section mapped into it, this is the process-hollowing pattern of running the .NET payload inside a Microsoft-signed host.
May try to detect the Windows Explorer process (often used for injection)
Source: WORLD_HEALTH_ORGANISATION_PDF.exe, binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Note: the matched text is the AutoIt interpreter's own string table (">>>AUTOIT SCRIPT<<<" marks a compiled AutoIt binary), and the hit is most likely on the Shell_TrayWnd window class name (Explorer's taskbar window) inside it. So the dropper is an AutoIt-compiled executable and this signature fires on the runtime, not on bespoke injection code.
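The process-creation and section-mapping entries above are what this hollowing looks like from inside the sandbox; on an endpoint the same pattern shows up in process telemetry as an argument-less RegAsm.exe whose parent runs from a user-writable path and holds a write-capable handle to it. The following detection logic is an added example written for this report, not a Joe Sandbox or Sysmon rule. Its events are constructed dicts modelled on Sysmon ProcessCreate (event 1) and ProcessAccess (event 10); the field names, the parent allow-list, the parent PID 4000 and the benign devenv.exe case are assumptions (RegAsm PID 712 is the report's). Sysmon does not log CREATE_SUSPENDED, so the argument-less launch and the VM_WRITE handle stand in for the suspended start.

```python
"""Flag the argument-less RegAsm.exe hollowing pattern in process telemetry.

Added example, not part of the Joe Sandbox report and not the sandbox's own rule.
Events are constructed dicts modelled on Sysmon ProcessCreate (event 1) and
ProcessAccess (event 10). The field names, the parent allow-list, the parent PID
and the benign devenv.exe case are assumptions; RegAsm PID 712 is the report's.
"""
import os

PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE   # VirtualAllocEx + WriteProcessMemory need both

# .NET tools with no legitimate argument-less invocation: RegAsm (un)registers an
# assembly for COM and always takes its path; RegSvcs is its service-registration twin.
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe"}
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe", "installutil.exe"}  # assumption
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
MIN_REASONS = 2   # assumption: two independent signals before alerting


def _base(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def has_arguments(cmdline: str) -> bool:
    """True when anything follows the image path (simplification: the RegAsm path has no spaces)."""
    return len(cmdline.strip().split()) > 1


def evaluate(events):
    """Correlate creates and accesses by PID; one finding per suspicious child."""
    findings = []
    for ev in events:
        if ev["type"] != "ProcessCreate" or _base(ev["image"]) not in HOLLOW_TARGETS:
            continue
        reasons = []
        if not has_arguments(ev["cmdline"]):
            reasons.append("launched without arguments")
        parent = _base(ev["parent_image"])
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        if any(marker in ev["parent_image"].lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("parent runs from a user-writable path")
        for acc in events:
            if (acc["type"] == "ProcessAccess" and acc["target_pid"] == ev["pid"]
                    and acc["source_pid"] == ev["ppid"]
                    and (acc["granted_access"] & INJECT_MASK) == INJECT_MASK):
                reasons.append(f"parent opened child with VM_OPERATION|VM_WRITE (0x{acc['granted_access']:x})")
                break
        if len(reasons) >= MIN_REASONS:
            findings.append({"pid": ev["pid"], "image": ev["image"],
                             "parent": ev["parent_image"], "reasons": reasons})
    return findings


SAMPLE_EVENTS = [  # constructed telemetry modelled on the report's process tree
    {"type": "ProcessCreate", "pid": 4000, "ppid": 3100,
     "image": "C:\\Users\\user\\Desktop\\WORLD_HEALTH_ORGANISATION_PDF.exe",
     "cmdline": "\"C:\\Users\\user\\Desktop\\WORLD_HEALTH_ORGANISATION_PDF.exe\"",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "ProcessCreate", "pid": 712, "ppid": 4000,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
     "cmdline": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
     "parent_image": "C:\\Users\\user\\Desktop\\WORLD_HEALTH_ORGANISATION_PDF.exe"},
    {"type": "ProcessAccess", "source_pid": 4000, "target_pid": 712, "granted_access": 0x1FFFFF},
    # benign: Visual Studio registering a COM-visible assembly
    {"type": "ProcessCreate", "pid": 5300, "ppid": 2200,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "cmdline": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe /codebase C:\\dev\\Interop.dll",
     "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Requiring two independent reasons keeps a developer's `RegAsm.exe /codebase` run quiet while the Desktop-launched, argument-less copy that its parent opened with PROCESS_ALL_ACCESS (0x1FFFFF) trips all four checks.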

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Note: MachineGuid is a stable per-installation identifier and the usual raw material for a victim ID; many legitimate programs read it too, so it matters here only in combination with the stealer behaviour below.

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: RegAsm.exe, 00000006.00000002.2256800444.0000000003320000.00000004.00000001.sdmp, binary or memory strings: bdagent.exe, MSASCui.exe, avguard.exe, avgrsx.exe, avcenter.exe, avp.exe, zlclient.exe, wireshark.exe, avgcsrvx.exe, avgnt.exe, hijackthis.exe, avgui.exe, avgwdsvc.exe, mbam.exe, MsMpEng.exe, ComboFix.exe
Note: this list is consistent with the _AntiVirusKiller option in the HawkEye configuration schema; wireshark.exe appears here as well as in the analysis-tool check above.

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match, file source: 00000006.00000002.2253406993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.2256847981.0000000003339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: RegAsm.exe PID: 712, type: MEMORY
Source: Yara match, file source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected WebBrowserPassView password recovery tool
Source: Yara match, file source: 00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.2257522809.0000000005320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: RegAsm.exe PID: 712, type: MEMORY
Source: Yara match, file source: 6.2.RegAsm.exe.5320000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.RegAsm.exe.5320000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye RAT
Source: RegAsm.exe, 00000006.00000002.2253406993.0000000000402000.00000040.00000001.sdmp, string found in binary or memory (the 55 field names of the HawkEye configuration object, as stored in the .NET metadata string heap):
_Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Note: the field names read as a feature list of the builder: three exfiltration channels (email, FTP, web panel with proxy), the loggers, persistence and self-hiding options, AV/bot killing, anti-debugging and execution delay, a decoy message, and website visitor/blocker and file-binder features.
Yara detected HawkEye Keylogger
Source: Yara match, file source: 00000006.00000002.2253406993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.2256847981.0000000003339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: RegAsm.exe PID: 712, type: MEMORY
Source: Yara match, file source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Malware Configuration

Threatname: HawkEye

{"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}

Behavior Graph

Simulations

Behavior and APIs

Time | Type | Description
16:18:16 | API Interceptor | 2x Sleep call for process: RegAsm.exe modified (the sandbox shortened two Sleep calls so the sample would not idle out the analysis window)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
WORLD_HEALTH_ORGANISATION_PDF.exe | 35% | Virustotal | (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
6.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

Source | Detection | Scanner | Label
203.215.12.0.in-addr.arpa | 0% | Virustotal | (none)

URLs

Source | Detection | Scanner | Label
https://a.pomf.cat/ | 6% | Virustotal | (none)
https://a.pomf.cat/ | 100% | URL Reputation | malware
http://pomf.cat/upload.php&https://a.pomf.cat/ | 0% | Avira URL Cloud | safe
http://pomf.cat/upload.php | 8% | Virustotal | (none)
http://pomf.cat/upload.php | 0% | Avira URL Cloud | safe
http://bot.whatismyipaddress.comx& | 0% | Avira URL Cloud | safe
http://pomf.cat/upload.phpCContent-Disposition: | 0% | Avira URL Cloud | safe

Note: several URL entries are string fragments cut from memory; the trailing "&", "x&" and "CContent-Disposition:" are adjacent bytes, not part of the URL. upload.php next to a Content-Disposition header is what a multipart file upload to the pomf.cat file host looks like, and bot.whatismyipaddress.com is a plain external-IP lookup. The dropper scores 35% on VirusTotal while the payload unpacked from RegAsm.exe is flagged outright, which is the usual gap between a packed AutoIt dropper and its .NET payload.

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author (matched strings indented below each row)
00000006.00000003.2245975990.0000000004B93000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000006.00000002.2253406993.0000000000402000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
    0x80e68: $s2: _ScreenshotLogger
    0x80e35: $s3: _PasswordStealer
00000006.00000002.2253406993.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000006.00000002.2257522809.0000000005320000.00000004.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
    0x6b8fa: $a1: logins.json
    0x6b85a: $s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
    0x6c07e: $s4: \mozsqlite3.dll
    0x6a8ee: $s5: SMTP Password
00000006.00000002.2257522809.0000000005320000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000006.00000002.2256847981.0000000003339000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
    0x8e4b7: $s2: _ScreenshotLogger
    0x8ea03: $s2: _ScreenshotLogger
    0x8e484: $s3: _PasswordStealer
    0x8e9d0: $s3: _PasswordStealer
00000006.00000002.2256847981.0000000003339000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
Process Memory Space: RegAsm.exe PID: 712 | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
    0xe8a7e, 0xe90df, 0xe998a, 0xea6ef, 0x12e146: $s2: _ScreenshotLogger
    0xe8a27, 0xe9088, 0xe9933, 0xea698, 0x12e0ef: $s3: _PasswordStealer
Process Memory Space: RegAsm.exe PID: 712 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: RegAsm.exe PID: 712 | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
Process Memory Space: RegAsm.exe PID: 712 | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Unpacked PEs

Source | Rule | Description | Author (matched strings indented below each row)
6.2.RegAsm.exe.400000.0.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
    0x81068: $s2: _ScreenshotLogger
    0x81035: $s3: _PasswordStealer
6.2.RegAsm.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
6.2.RegAsm.exe.400000.0.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen
    0x81035: $str1: _PasswordStealer
    0x81046: $str2: _KeyStrokeLogger
    0x81068: $str3: _ScreenshotLogger
    0x81057: $str4: _ClipboardLogger
    0x8107a: $str5: _WebCamLogger
    0x8118f: $str6: _AntiVirusKiller
    0x8117d: $str7: _ProcessElevation
    0x81144: $str8: _DisableCommandPrompt
    0x8124a: $str9: _WebsiteBlocker
    0x8125a: $str9: _WebsiteBlocker
    0x81130: $str10: _DisableTaskManager
    0x811ab: $str11: _AntiDebugger
    0x81235: $str12: _WebsiteVisitorSites
    0x8115a: $str13: _DisableRegEdit
    0x811b9: $str14: _ExecutionDelay
    0x810de: $str15: _InstallStartupPersistance
6.2.RegAsm.exe.5320000.1.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
    0x69afa: $a1: logins.json
    0x69a5a: $s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
    0x6a27e: $s4: \mozsqlite3.dll
    0x68aee: $s5: SMTP Password
6.2.RegAsm.exe.5320000.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
6.2.RegAsm.exe.5320000.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
    0x6b8fa: $a1: logins.json
    0x6b85a: $s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
    0x6c07e: $s4: \mozsqlite3.dll
    0x6a8ee: $s5: SMTP Password
6.2.RegAsm.exe.5320000.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Note: the APT_NK_BabyShark_KimJoingRAT_Apr19_1 hits land on the same region the WebBrowserPassView rule matches, and all four matched strings (logins.json, the moz_logins SQL, mozsqlite3.dll, "SMTP Password") are generic browser and mail credential-recovery strings that the NirSoft tools found here share with other stealers. Read it as corroboration of the embedded password-recovery tooling, not as attribution to the BabyShark actor. Likewise, $str9 matching twice at 0x8124a and 0x8125a is a substring artifact: _WebsiteBlocker is a prefix of _WebsiteBlockerSites, which sits 16 bytes (name plus NUL terminator) further along in the string heap, not two configuration fields.
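The HawkEyev9 rule above and the configuration field list recovered from RegAsm.exe memory under "Remote Access Functionality" describe the same object from two sides: the rule looks for a subset of the field names, and the field list is the full schema. The following is an added example written for this report, not the source of any listed Yara rule and not sandbox code. It reproduces the marker search in plain Python over a memory blob, in both ASCII and UTF-16LE (the .NET metadata string heap stores identifiers as NUL-separated ASCII, while user strings are UTF-16), and walks the NUL-separated run to recover the schema. The blob is constructed inline from the report's 55 field names; the 8-of-15 threshold is this example's assumption, not the real rule's condition.

```python
"""Reproduce the HawkEye v9 marker logic over a memory blob, in ASCII and UTF-16LE.

Added example, not part of the Joe Sandbox report and not the source of any of the
Yara rules listed above. The marker list is the 15 strings the HawkEyev9 rule
matched; the memory blob is constructed (NUL-separated identifiers, as the .NET
#Strings heap stores them, plus one UTF-16LE copy); the 8-of-15 threshold is this
example's assumption, not the rule's real condition.
"""

HAWKEYE_V9_MARKERS = [
    "_PasswordStealer", "_KeyStrokeLogger", "_ScreenshotLogger", "_ClipboardLogger",
    "_WebCamLogger", "_AntiVirusKiller", "_ProcessElevation", "_DisableCommandPrompt",
    "_WebsiteBlocker", "_DisableTaskManager", "_AntiDebugger", "_WebsiteVisitorSites",
    "_DisableRegEdit", "_ExecutionDelay", "_InstallStartupPersistance",
]
MIN_MARKERS = 8   # assumption

# Configuration field names in the order the report recovered them from RegAsm.exe memory.
CONFIG_FIELDS = [
    "_Version", "_Mutex", "_Delivery", "_EmailUsername", "_EmailPassword",
    "_EmailServer", "_EmailPort", "_EmailSSL", "_FTPServer", "_FTPUsername",
    "_FTPPassword", "_FTPPort", "_FTPSFTP", "_ProxyURL", "_ProxySecret",
    "_PanelURL", "_PanelSecret", "_LogInterval", "_PasswordStealer", "_KeyStrokeLogger",
    "_ClipboardLogger", "_ScreenshotLogger", "_WebCamLogger", "_SystemInfo", "_Install",
    "_InstallLocation", "_InstallFolder", "_InstallFileName", "_InstallStartup", "_InstallStartupPersistance",
    "_HistoryCleaner", "_ZoneID", "_HideFile", "_MeltFile", "_Disablers",
    "_DisableTaskManager", "_DisableCommandPrompt", "_DisableRegEdit", "_ProcessProtection", "_ProcessElevation",
    "_AntiVirusKiller", "_BotKiller", "_AntiDebugger", "_ExecutionDelay", "_FakeMessageShow",
    "_FakeMessageTitle", "_FakeMessageText", "_FakeMessageIcon", "_WebsiteVisitor", "_WebsiteVisitorVisible",
    "_WebsiteVisitorSites", "_WebsiteBlocker", "_WebsiteBlockerSites", "_FileBinder", "_FileBinderFiles",
]


def find_all(blob: bytes, needle: bytes) -> list:
    """Every (possibly overlapping) offset of needle in blob, like a Yara string match."""
    offsets, start = [], 0
    while True:
        i = blob.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def find_markers(blob: bytes) -> dict:
    """marker -> sorted list of (offset, 'ascii' | 'wide'); absent markers are omitted."""
    hits = {}
    for marker in HAWKEYE_V9_MARKERS:
        found = [(o, "ascii") for o in find_all(blob, marker.encode("ascii"))]
        found += [(o, "wide") for o in find_all(blob, marker.encode("utf-16-le"))]
        if found:
            hits[marker] = sorted(found)
    return hits


def is_hawkeye_v9(blob: bytes) -> bool:
    return len(find_markers(blob)) >= MIN_MARKERS


def config_schema(blob: bytes, first_field: bytes = b"_Version") -> list:
    """Walk the NUL-separated identifier run that starts at first_field and return the
    consecutive names beginning with '_': the configuration object's field list."""
    start = blob.find(first_field)
    if start < 0:
        return []
    names = []
    for token in blob[start:].split(b"\0"):
        if not token.startswith(b"_"):
            break
        names.append(token.decode("ascii"))
    return names


def build_sample_blob() -> bytes:
    """Constructed dump: padding, a #Strings-style field run, unrelated identifiers,
    then one field name repeated as a UTF-16LE user string."""
    return (b"\0" * 0x40 + b"System.String\0"
            + b"\0".join(f.encode("ascii") for f in CONFIG_FIELDS) + b"\0"
            + b"get_Item\0set_Item\0"
            + "_PasswordStealer".encode("utf-16-le") + b"\0\0")


if __name__ == "__main__":
    blob = build_sample_blob()
    for marker, where in find_markers(blob).items():
        print(f"{marker:28} {where}")
    print("hawkeye v9:", is_hawkeye_v9(blob))
    print("schema fields:", len(config_schema(blob)))
```

Running it shows the same artifact the report's offsets do: _WebsiteBlocker is found twice in the ASCII run because it is a prefix of _WebsiteBlockerSites, so a rule that counts distinct markers rather than raw hits is the right shape.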

                      Sigma Overview

                      No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match: 66.171.248.178
Associated sample / URL | Detection | Context
signed contract.exe | malicious | bot.whatismyipaddress.com/
https://myspeedwire.com/remittance_advice.jar | malicious | bot.whatismyipaddress.com/
https://tomwilliams.co.uk | malicious | bot.whatismyipaddress.com/
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2F4docs2you.co.uk%2F&data=02%7C01%7Csupport%40itg.uk.com%7C07469a6d1bff4afc794908d7c44491e5%7C7ab2307ccfe545c782585c51433f1a0c%7C1%7C0%7C637193671106472354&sdata=rUChtmkIyO0NqlM4rMpdvA1Bfvqpg5mZKuuOIMS0%2Brg%3D&reserved=0 | malicious | bot.whatismyipaddress.com/
https://tomwilliams.co.uk | malicious | bot.whatismyipaddress.com/
https://tomwilliams.co.uk | malicious | bot.whatismyipaddress.com/
8FedEX25102018,doc.exe | malicious | bot.whatismyipaddress.com/
58Doc00123.exe | malicious | bot.whatismyipaddress.com/
53FedEX-201823101,PDF.exe | malicious | bot.whatismyipaddress.com/
25FedEx-delivery,pdf.exe | malicious | bot.whatismyipaddress.com/
61DHL Tracking Details.exe | malicious | bot.whatismyipaddress.com/
61PURCHASE ORDER.exe | malicious | bot.whatismyipaddress.com/
31DHL Tracking Details.exe | malicious | bot.whatismyipaddress.com/
70Offer Best Price.exe | malicious | bot.whatismyipaddress.com/
31Proof of Payment.exe | malicious | bot.whatismyipaddress.com/
30Paid Invoice.exe | malicious | bot.whatismyipaddress.com/
47DHL Tracking Details.exe | malicious | bot.whatismyipaddress.com/
7DHL Tracking Details.exe | malicious | bot.whatismyipaddress.com/
33PO.5555.DOC.doc | malicious | bot.whatismyipaddress.com/
48RFQ HOLIDISis 2375.exe | malicious | bot.whatismyipaddress.com/

Note: 66.171.248.178 is the address bot.whatismyipaddress.com resolved to at analysis time. The rows are other submissions (mostly shipping, invoice and purchase-order lures) that called the same external-IP lookup service, so the overlap identifies a shared capability common to many stealers, not shared attacker infrastructure.

Domains

Match: bot.whatismyipaddress.com
Associated sample / URL | Detection | Context
signed contract.exe | malicious | 66.171.248.178
https://myspeedwire.com/remittance_advice.jar | malicious | 66.171.248.178
https://tomwilliams.co.uk | malicious | 66.171.248.178
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2F4docs2you.co.uk%2F&data=02%7C01%7Csupport%40itg.uk.com%7C07469a6d1bff4afc794908d7c44491e5%7C7ab2307ccfe545c782585c51433f1a0c%7C1%7C0%7C637193671106472354&sdata=rUChtmkIyO0NqlM4rMpdvA1Bfvqpg5mZKuuOIMS0%2Brg%3D&reserved=0 | malicious | 66.171.248.178
https://tomwilliams.co.uk | malicious | 66.171.248.178
https://tomwilliams.co.uk | malicious | 66.171.248.178
8FedEX25102018,doc.exe | malicious | 66.171.248.178
58Doc00123.exe | malicious | 66.171.248.178
53FedEX-201823101,PDF.exe | malicious | 66.171.248.178
25FedEx-delivery,pdf.exe | malicious | 66.171.248.178
61DHL Tracking Details.exe | malicious | 66.171.248.178
61PURCHASE ORDER.exe | malicious | 66.171.248.178
31DHL Tracking Details.exe | malicious | 66.171.248.178
70Offer Best Price.exe | malicious | 66.171.248.178
31Proof of Payment.exe | malicious | 66.171.248.178
30Paid Invoice.exe | malicious | 66.171.248.178
47DHL Tracking Details.exe | malicious | 66.171.248.178
7DHL Tracking Details.exe | malicious | 66.171.248.178
33PO.5555.DOC.doc | malicious | 66.171.248.178
48RFQ HOLIDISis 2375.exe | malicious | 66.171.248.178

ASN

Match: unknown
Associated sample / URL | Detection | Context
http://lilyannlive.com/lilyannlive/skin/frontend/rwd/newlilyanmobile/images/m_payment_icons.png | malicious | 195.22.26.248
http://lilyannlive.com | malicious | 195.22.26.248
#Ud83d#UdcdeFgcu.edu NewVoice.html | malicious | 104.250.166.65
Atlantico.html | malicious | 23.111.11.182
dhl1.xls | malicious | 52.114.75.78
n#U00b04064_0009578551_20200312.xls | malicious | 47.252.85.163
f211298392653.doc | malicious | 52.114.132.73
COMPOUND.DOC | malicious | 52.114.77.33
ShippingInfo.jar | malicious | 62.108.37.6
ShippingInfo.jar | malicious | 62.108.37.6
BY3v6TwG62.exe | malicious | 192.168.2.111
wn9gv5Y2pz.exe | malicious | 35.244.218.203
JXPmBwv7ti.exe | malicious | 192.168.2.111
2dA29NPvVk.exe | malicious | 192.168.2.111
http://www.jdmastar.com | malicious | 104.26.10.36
http://www.jdmastar.com | malicious | 104.26.10.36
http://www.setthepacestlouis.com/index.shtmljul | malicious | 65.254.227.240
XkcoCuumQ9.exe | malicious | 192.168.2.111
bcl.exe | malicious | 176.123.3.104
o14YdVyqSi.exe | malicious | 192.168.2.111

Note: "unknown" means the ASN of the contacted address could not be resolved, so these rows are simply other submissions whose ASN was likewise unresolved and carry no shared-infrastructure meaning. 192.168.2.111 is an RFC 1918 address inside the analysis network, not an external host.

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Screenshots
