
Analysis Report: Health-ebook.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 229683
Start date: 13.05.2020
Start time: 01:42:49
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 17s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Health-ebook.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@7/2@0/0
EGA Information:
  • Successful, ratio: 75%
HDC Information:
  • Successful, ratio: 96.9% (good quality ratio 94.1%)
  • Quality average: 85.8%
  • Quality standard deviation: 23%
HCA Information:
  • Successful, ratio: 65%
  • Number of executed functions: 223
  • Number of non-executed functions: 252
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 205.185.216.42, 205.185.216.10
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | HawkEye | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Techniques followed by a number were matched by one or more signatures in this analysis; the remaining entries are the unmatched part of the matrix template.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 111 | Application Shimming 1 | Process Injection 212 | Software Packing 1 | Credential Dumping 1 | System Time Discovery 1 | Application Deployment Software | Data from Local System 1 | Data Encrypted 11 | Standard Cryptographic Protocol 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Execution through API 11 | Port Monitors | Application Shimming 1 | Disabling Security Tools 1 | Credentials in Files 1 | Account Discovery 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Remote Access Tools 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Execution through Module Load 1 | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information 11 | Credentials in Registry 2 | Security Software Discovery 23 | Windows Remote Management | Clipboard Data 1 | Automated Exfiltration | Standard Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 2 | Credentials in Files | File and Directory Discovery 2 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Virtualization/Sandbox Evasion 12 | Account Manipulation | System Information Discovery 19 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Process Injection 212 | Brute Force | Virtualization/Sandbox Evasion 12 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Process Discovery 4 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Owner/User Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Signature Overview



AV Detection:

Antivirus detection for URL or domain
  • Source: https://a.pomf.cat/ | URL Reputation: Label: malware
Found malware configuration
  • Source: vbc.exe.4160.3.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
  • Source: https://a.pomf.cat/ | VirusTotal: Detection: 7%
  • Source: http://pomf.cat/upload.php | VirusTotal: Detection: 11%
Multi AV Scanner detection for submitted file
  • Source: Health-ebook.exe | VirusTotal: Detection: 65%
  • Source: Health-ebook.exe | ReversingLabs: Detection: 66%
Antivirus or Machine Learning detection for unpacked file
  • Source: 2.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function 3_2_0040938F: FindFirstFileW, FindNextFileW, wcslen, wcslen
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function 3_2_00408CAC: FindFirstFileW, FindNextFileW, FindClose
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function 5_2_0040702D: FindFirstFileA, FindNextFileA, strlen, strlen

Networking:

Connects to IPs without corresponding DNS lookups
  • Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29 (3 connections)
  • Source: unknown | TCP traffic detected without corresponding DNS query: 72.21.91.29 (1 connection)
  • Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 (1 connection)
  • Source: unknown | TCP traffic detected without corresponding DNS query: 40.90.137.125 (6 connections)
  • Source: unknown | TCP traffic detected without corresponding DNS query: 84.53.167.113 (2 connections)
  • Source: unknown | TCP traffic detected without corresponding DNS query: 2.17.179.193 (3 connections)
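The "TCP traffic without a DNS query" hits are raw observations. In a sandbox they mix the sample's own connections with traffic the guest generates by itself (certificate revocation checks, update and telemetry endpoints), which the IP and domain whitelisting listed under Warnings only partially removes. An analyst therefore correlates each destination against the DNS answers earlier in the same capture, then against a baseline taken from a clean run of the same VM image, before treating anything as an indicator. The Python below is an added example of that correlation and is not Joe Sandbox code: the timeline is constructed, three of the destinations are copied from the hits above, 203.0.113.10 is an RFC 5737 documentation address standing in for an unrelated resolved host, and BASELINE is a placeholder chosen to cover two of the report's addresses so the split is visible; replace it with networks learnt from a benign run.

```python
"""Correlate TCP destinations with earlier DNS answers and a background
baseline.  Added example for this report, not Joe Sandbox code.  The event
timeline is constructed; 203.0.113.10 is an RFC 5737 documentation address and
BASELINE is a placeholder to be replaced with networks from a clean run."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    ts: float       # seconds since capture start
    kind: str       # "dns" for an A-record answer, "tcp" for an outbound SYN
    ip: str         # answered address, or the connection's destination
    name: str = ""  # queried name (dns events only)


EVENTS = [  # constructed timeline
    Event(0.5, "dns", "203.0.113.10", "example.invalid"),
    Event(0.6, "tcp", "203.0.113.10"),    # explained by the answer above
    Event(1.0, "tcp", "93.184.220.29"),   # no lookup seen (from the report)
    Event(1.2, "tcp", "204.79.197.200"),  # no lookup seen (from the report)
    Event(1.4, "tcp", "40.90.137.125"),   # no lookup seen (from the report)
    Event(2.0, "tcp", "93.184.220.29"),   # repeat destination, listed once
    Event(2.5, "dns", "93.184.220.29", "late.invalid"),  # an answer after the SYN explains nothing
]

# Placeholder baseline: networks a clean run of this VM image contacted.
BASELINE = [ip_network("204.79.197.0/24"), ip_network("40.90.0.0/16")]


def connections_without_dns(events, baseline=BASELINE):
    """Return (unexplained, background): unique TCP destinations, in first-seen
    order, that no earlier DNS answer in the timeline accounts for, split by
    whether they fall inside the baseline networks."""
    resolved, unexplained, background = set(), [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns":
            resolved.add(ev.ip)
            continue
        if ev.ip in resolved or ev.ip in unexplained or ev.ip in background:
            continue
        addr = ip_address(ev.ip)
        bucket = background if any(addr in net for net in baseline) else unexplained
        bucket.append(ev.ip)
    return unexplained, background


if __name__ == "__main__":
    unexplained, background = connections_without_dns(EVENTS)
    print("needs explanation:", unexplained)
    print("baseline noise:   ", background)
```

Ordering matters: a DNS answer that arrives after the connection (the 2.5 s event) does not explain it, which is why the function walks the timeline rather than comparing two sets. Whatever lands in the first list is what to pivot on next, starting with the pomf.cat upload endpoint the sample carries in memory.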
Found strings which match to known social media urls
  • Source: MSBuild.exe, 00000002.00000002.1395796534.00000000070B1000.00000004.00000001.sdmp; vbc.exe, 00000003.00000002.850771263.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login | matches www.facebook.com (Facebook) and www.yahoo.com (Yahoo)
  • Source: vbc.exe, 00000003.00000003.849731695.00000000023C0000.00000004.00000001.sdmp | String found in binary or memory: file://192.168.2.1/all/install/schedule.txthttps://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login | matches www.facebook.com (Facebook) and www.yahoo.com (Yahoo)
  • Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ | matches www.facebook.com (Facebook)
The signature name is misleading here. The strings around the URLs (WebCacheV01.dat, index.dat, Software\Microsoft\Internet Explorer\IntelliForms\Storage2) are Internet Explorer history and AutoComplete password storage locations, and the three login URLs are the sites whose saved credentials a browser password-recovery module looks up under those keys; they are not hosts the sample contacted. The second string is consistent with that module having been run against the guest's own IE profile: it is the guest's history (the sandbox's file://192.168.2.1/... entry and the default welcomeie11 and msn.com pages) with the same three login URLs appended.
Urls found in memory or binary data
  • Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
  • Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php
  • Source: MSBuild.exe, 00000002.00000002.1391429132.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
  • Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
  • Source: vbc.exe, 00000003.00000002.850668335.0000000000193000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
  • Source: vbc.exe, 00000005.00000002.1058603253.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
  • Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
  • Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
  • Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Uses HTTPS
  • Source: unknown | Network traffic detected: HTTP traffic on TCP port 443, both directions, from local ports 49727, 49728, 49733 and 49738; outbound only from local port 49745

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
  • Source: Yara match | File source: 00000002.00000002.1391429132.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000002.00000002.1394323846.0000000003519000.00000004.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4640, type: MEMORY
  • Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to read data from the clipboard
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function 3_2_0040F078: OpenClipboard, GetLastError, DeleteFileW

System Summary:

Malicious sample detected (through community Yara rule)
  • Source: 00000002.00000002.1391429132.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
  • Source: 00000005.00000002.1058603253.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
  • Source: 00000002.00000002.1395389988.0000000005500000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
  • Source: 00000002.00000002.1394323846.0000000003519000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
  • Source: Process Memory Space: MSBuild.exe PID: 4640, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
  • Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
  • Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
  • Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
  • Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
  • Source: 2.2.MSBuild.exe.5500000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
  • Source: 2.2.MSBuild.exe.5500000.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Binary is likely a compiled AutoIt script file
  • Source: Health-ebook.exe, 00000000.00000000.763227346.000000000047E000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
  • Source: Health-ebook.exe, 00000000.00000000.763227346.000000000047E000.00000002.00020000.sdmp | String found in binary or memory: @SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
  • Source: Health-ebook.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
  • Source: Health-ebook.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Contains functionality to call native functions
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function 2_2_056CACC8: NtUnmapViewOfSection, NtUnmapViewOfSection
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function 3_2_0040978A: memset, CreateFileW, NtQuerySystemInformation, NtQuerySystemInformation, FindCloseChangeNotification, GetCurrentProcessId, _wcsicmp, _wcsicmp, _wcsicmp, OpenProcess, GetCurrentProcess, DuplicateHandle, memset, NtQueryObject, FindCloseChangeNotification, _wcsicmp, FindCloseChangeNotification
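The NtUnmapViewOfSection calls in MSBuild.exe (2_2_056CACC8), together with the HawkEye YARA hits in writable and executable memory at the image base of MSBuild.exe and of both vbc.exe instances, are consistent with process hollowing: a signed .NET framework binary is started, its image is unmapped and replaced by the payload, and the credential-recovery modules are hosted the same way in vbc.exe. On an endpoint the practical observable is the process chain, not the syscall: MSBuild.exe and vbc.exe from C:\Windows\Microsoft.NET\Framework\v2.0.50727 should only ever be started by build tooling, with arguments. The Python below is an added example of that triage over process-creation records and is not Joe Sandbox code. The record layout is a simplified Sysmon Event ID 1-like shape assumed here; the chain dropper > MSBuild.exe > vbc.exe is inferred from this report's process list rather than stated in it; PIDs 4640 and 4160 are the report's, while the dropper's PID and path, the devenv.exe control and the command lines are constructed.

```python
"""Triage process-creation records for the hollowing chain this report shows
(AutoIt-compiled dropper -> MSBuild.exe -> vbc.exe under the v2.0.50727
framework directory).  Added example for this page, not Joe Sandbox code.
Records are constructed; the dict layout is a simplified Sysmon Event ID 1-like
shape assumed here, not a parser for any real log format."""
import ntpath

# .NET framework binaries the sample uses as hosts for injected code.
NET_HOSTS = {"msbuild.exe", "vbc.exe"}
# Parents that launch those tools legitimately (assumption: tune per estate).
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# Path fragments that mark user-writable locations.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
EVENTS = [  # constructed; only PIDs 4640 and 4160 come from the report
    {"pid": 3000, "ppid": 800, "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": r'"C:\Program Files\Microsoft Visual Studio\devenv.exe"'},
    {"pid": 4100, "ppid": 800, "image": r"C:\Users\user\Desktop\Health-ebook.exe",
     "cmdline": r'"C:\Users\user\Desktop\Health-ebook.exe"'},
    {"pid": 4640, "ppid": 4100, "image": FW + r"\MSBuild.exe", "cmdline": FW + r"\MSBuild.exe"},
    {"pid": 4160, "ppid": 4640, "image": FW + r"\vbc.exe", "cmdline": FW + r"\vbc.exe"},
    {"pid": 5200, "ppid": 3000, "image": FW + r"\vbc.exe",          # benign build, control case
     "cmdline": FW + r"\vbc.exe /noconfig @C:\build\obj\app.rsp"},
]


def has_no_arguments(image, cmdline):
    """True when the command line is just the image path, quoted or not."""
    return cmdline.strip().strip('"').lower() == image.lower()


def triage(events):
    """Return {pid: [reasons]} for .NET host processes that look hollowed.
    Parents are resolved within the same batch, so order records parent-first."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        if name not in NET_HOSTS:
            continue
        parent = by_pid.get(e["ppid"])
        pimage = parent["image"] if parent else ""
        pname = ntpath.basename(pimage).lower() or "<unknown>"
        reasons = []
        if pname not in DEV_PARENTS:
            reasons.append(f"spawned by {pname}, not a build tool")
        if any(frag in pimage.lower() for frag in USER_WRITABLE):
            reasons.append("parent runs from a user-writable path")
        if e["ppid"] in findings:
            reasons.append(f"parent pid {e['ppid']} already flagged")
        # A compiler or build engine given no input compiles nothing: it is a host.
        if has_no_arguments(e["image"], e["cmdline"]):
            reasons.append("started without arguments")
        if reasons:
            findings[e["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The control record (vbc.exe started by devenv.exe with a response file) produces nothing, MSBuild.exe is flagged on all three parent and argument checks, and the vbc.exe child inherits the verdict through its parent even though MSBuild.exe is itself an accepted build parent; that inheritance step is what keeps the second-stage host from slipping through.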
Detected potential crypto function
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code functions:
    2_2_016E9C88, 2_2_056C7518, 2_2_056CA1E3, 2_2_056C5588, 2_2_056C4998, 2_2_056CD070, 2_2_056C1442, 2_2_056C0801,
    2_2_056C34D0, 2_2_056C7F10, 2_2_056C13BB, 2_2_056C8B90, 2_2_056CD600, 2_2_056C7A11, 2_2_056C1576, 2_2_056C1977,
    2_2_056C1940, 2_2_056C6D30, 2_2_056C390D, 2_2_056C7508, 2_2_056CD5F0, 2_2_056C3DF3, 2_2_056C41CB, 2_2_056C45C0,
    2_2_056C19C1, 2_2_056C41D8, 2_2_056C39DA, 2_2_056C4DA1, 2_2_056C4DB0, 2_2_056C3580, 2_2_056C3868, 2_2_056C1846,
    2_2_056CD824, 2_2_056C8439, 2_2_056C3C00, 2_2_056C0817, 2_2_056C38B7, 2_2_056C08B0, 2_2_056C188B, 2_2_056C388B,
    2_2_056C5880, 2_2_056C5890, 2_2_056C5768, 2_2_056CD368, 2_2_056C3B69, 2_2_056C3777, 2_2_056CD74F, 2_2_056C3744,
    2_2_056C2721, 2_2_056C2730, 2_2_056C3B0F, 2_2_056C3711, 2_2_056C37FA, 2_2_056CD3A9, 2_2_056C37B8, 2_2_056CD3B8,
    2_2_056C1B8F, 2_2_056C8B80, 2_2_056C1A66, 2_2_056C3A77, 2_2_056C1671, 2_2_056C3671, 2_2_056C7A20, 2_2_056C6A23,
    2_2_056C3A3A, 2_2_056C3E00, 2_2_056C3218, 2_2_056C361B, 2_2_056C7EC1, 2_2_056C3AB4, 2_2_056C369C
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code functions:
    3_2_0044900F, 3_2_004042EB, 3_2_00414281, 3_2_00410291, 3_2_004063BB, 3_2_00415624, 3_2_0041668D, 3_2_0040477F,
    3_2_0040487C, 3_2_0043589B, 3_2_0043BA9D, 3_2_0043FBD3
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code functions:
    5_2_00404DE5, 5_2_00404E56, 5_2_00404EC7, 5_2_00404F58, 5_2_0040BF6B
Found potential string decryption / allocating functions
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | String function 00415F19 appears 34 times
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | String function 0044468C appears 36 times
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | String function 004162C2 appears 87 times
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | String function 00412084 appears 39 times
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | String function 00444B90 appears 36 times
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | String function 0041607A appears 67 times
  • Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | String function 004083D6 appears 32 times
PE file contains strange resources
  • Source: Health-ebook.exe | Static PE information: six resources named RT_ICON, each of type GLS_BINARY_LSB_FIRST
Yara signature match
  • Source: 00000002.00000002.1391429132.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
  • Source: 00000005.00000002.1058603253.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
  • Source: 00000002.00000002.1395389988.0000000005500000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (same metadata as above)
  • Source: 00000002.00000002.1394323846.0000000003519000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (same metadata as above)
  • Source: Process Memory Space: MSBuild.exe PID: 4640, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (same metadata as above)
  • Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (same metadata as above)
  • Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (same metadata as above)
  • Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (same metadata as above)
  • Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 (author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload)
  • Source: 2.2.MSBuild.exe.5500000.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (same metadata as above)
  • Source: 2.2.MSBuild.exe.5500000.1.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (same metadata as above)
.NET source code contains calls to encryption/decryption functionsShow sources
Source: 2.2.MSBuild.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
Source: 2.2.MSBuild.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
Source: 2.2.MSBuild.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
Source: 2.2.MSBuild.exe.400000.0.unpack, u206b????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
.NET source code contains many API calls related to securityShow sources
Source: 2.2.MSBuild.exe.400000.0.unpack, u200b????????????????????????????????????????.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 2.2.MSBuild.exe.400000.0.unpack, u200d????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.MSBuild.exe.400000.0.unpack, u200d????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.MSBuild.exe.400000.0.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 2.2.MSBuild.exe.400000.0.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 2.2.MSBuild.exe.400000.0.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Classification labelShow sources
Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@7/2@0/0
Contains functionality for error loggingShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,3_2_00417BE9
Contains functionality to check free disk spaceShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,3_2_00418073
Contains functionality to enum processes or threadsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,3_2_00413424
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource,3_2_004141E0
Creates mutexesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\677954c2-7b51-43fe-89fd-3bf95cda3391
Creates temporary filesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile created: C:\Users\user\AppData\Local\Temp\e881d551-139f-c9e4-6140-ee1f6c79fdd8Jump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: Health-ebook.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Queries a list of all open handlesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformationJump to behavior
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Reads ini filesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\Health-ebook.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
SQL strings found in memory and binary dataShow sources
Source: MSBuild.exe, 00000002.00000002.1395796534.00000000070B1000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: MSBuild.exe, 00000002.00000002.1395796534.00000000070B1000.00000004.00000001.sdmp, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000002.00000002.1395796534.00000000070B1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.850771263.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000002.00000002.1395796534.00000000070B1000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: MSBuild.exe, 00000002.00000002.1395796534.00000000070B1000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: MSBuild.exe, 00000002.00000002.1395796534.00000000070B1000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: MSBuild.exe, 00000002.00000002.1395796534.00000000070B1000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Sample is known by AntivirusShow sources
Source: Health-ebook.exeVirustotal: Detection: 65%
Source: Health-ebook.exeReversingLabs: Detection: 66%
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\Health-ebook.exe 'C:\Users\user\Desktop\Health-ebook.exe'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpEA91.tmp'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDC84.tmp'
Source: C:\Users\user\Desktop\Health-ebook.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exeJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpEA91.tmp'Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDC84.tmp'Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
Uses Microsoft SilverlightShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
Submission file is bigger than most known malware samplesShow sources
Source: Health-ebook.exeStatic file information: File size 2136576 > 1048576
Uses new MSVCR DllsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
PE file has a big raw sectionShow sources
Source: Health-ebook.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x140a00
PE file contains a mix of data directories often seen in goodwareShow sources
Source: Health-ebook.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Health-ebook.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Health-ebook.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Health-ebook.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Health-ebook.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Health-ebook.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
PE file contains a debug data directoryShow sources
Source: Health-ebook.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbolsShow sources
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: MSBuild.exe, 00000002.00000002.1395796534.00000000070B1000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: MSBuild.exe, 00000002.00000002.1395796534.00000000070B1000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: mscorrc.pdb source: MSBuild.exe, 00000002.00000002.1396698066.00000000084E0000.00000002.00000001.sdmp
PE file contains a valid data directory to section mappingShow sources
Source: Health-ebook.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Health-ebook.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Health-ebook.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Health-ebook.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Health-ebook.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
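The three static PE observations above (only .text is executable, .rsrc has a raw size above 0x100000, each data directory RVA falls inside a named section) can be re-derived from the headers alone. The following is an added example, not part of the Joe Sandbox report and not the sandbox's own signature code: a pure-Python PE32 header parser plus a constructed, header-only image whose layout mirrors the report's findings. The section names, the single executable section and the .rsrc raw size 0x140A00 come from the report; every RVA, offset and directory size is an invented value for the example and is not taken from Health-ebook.exe.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Slot order of the 16 IMAGE_DIRECTORY_ENTRY_* entries in the optional header.
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Parse DOS, COFF, optional and section headers of a PE32 image.
    Returns (sections, directories); directories maps slot name -> (rva, size)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    directories = {}
    for i in range(min(num_dirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        if rva or size:
            directories[DIRECTORY_NAMES[i]] = (rva, size)
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "raw_size": f[3], "flags": f[9]})
    return sections, directories

def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None

def analyse(data, raw_limit=0x100000):
    """Re-derive the report's three static observations from the headers."""
    sections, directories = parse_pe(data)
    return {
        # "executable .text section and no other executable section"
        "executable_sections": [s["name"] for s in sections
                                if s["flags"] & IMAGE_SCN_MEM_EXECUTE],
        # "PE file has a big raw section" (the report's threshold is 0x100000)
        "big_raw_sections": [(s["name"], s["raw_size"]) for s in sections
                             if s["raw_size"] > raw_limit],
        # "valid data directory to section mapping"
        "directory_sections": {name: section_for_rva(sections, rva)
                               for name, (rva, _) in directories.items()},
    }

def build_sample_pe():
    """Constructed, header-only PE32 mirroring the report's findings. All RVAs,
    sizes and file offsets are invented for the example (not from the sample)."""
    sections = [  # name, vsize, va, raw_size, flags
        (b".text", 0x40000, 0x1000, 0x40000,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rdata", 0x10000, 0x41000, 0x10000,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".data", 0x5000, 0x51000, 0x2000,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".rsrc", 0x140A00, 0x56000, 0x140A00,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".reloc", 0x4000, 0x197000, 0x4000,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    dirs = {"IMPORT": (0x45000, 0x100), "RESOURCE": (0x56000, 0x140A00),
            "BASERELOC": (0x197000, 0x3000), "DEBUG": (0x41200, 0x1C),
            "LOAD_CONFIG": (0x41100, 0x40), "IAT": (0x41000, 0x200)}
    dir_table = b"".join(struct.pack("<II", *dirs.get(n, (0, 0)))
                         for n in DIRECTORY_NAMES)
    # Optional header: PE32 magic, 90 bytes of fields left zero here,
    # NumberOfRvaAndSizes = 16, then the 128-byte directory table (224 bytes).
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16) + dir_table
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    hdrs = b"".join(struct.pack(SECTION_FMT, n, vs, va, raw, 0x400, 0, 0, 0, 0, fl)
                    for n, vs, va, raw, fl in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs

if __name__ == "__main__":
    for key, value in analyse(build_sample_pe()).items():
        print(key, value)
```

The mapping check uses max(VirtualSize, SizeOfRawData) as the section span, which is what the loader effectively maps; a directory whose RVA lands in no section (or in a section that is not readable) is the kind of inconsistency the "valid mapping" signature is meant to separate from goodware.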

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_004443B0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 2_2_016E912E push ebp; retf 2_2_016E9145
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 2_2_056C2F1C push ss; retf 2_2_056C2F1D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 2_2_056C2FA5 push ss; retf 2_2_056C2FA6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 2_2_056CBE04 push 8BFFFFFFh; retf 2_2_056CBE16
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00444975 push ecx; ret 3_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00444B90 push eax; ret 3_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00444B90 push eax; ret 3_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00448E74 push eax; ret 3_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0042CF44 push ebx; retf 0042h 3_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00412341 push ecx; ret 5_2_00412351
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00412360 push eax; ret 5_2_00412374
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00412360 push eax; ret 5_2_0041239C
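The "push X; ret" and "push X; retf" pairs listed above are computed jumps: the pushed value becomes the return address, so a linear disassembler sees a return where control actually continues elsewhere. The scanner below is an added example, not the sandbox's signature and not code from the sample; it recognises the same push forms the report prints (push reg, push segment register, push imm32, push imm8) followed by ret, ret imm16, retf or retf imm16, and formats hits the way the report does ("push 8BFFFFFFh; retf", "push ebx; retf 0042h"). The byte buffer is hand-assembled for the example from the x86 opcode encodings; it is not extracted from the sample.

```python
# x86 opcodes for the push forms the scanner recognises.
PUSH_REG = {0x50 + i: r for i, r in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
# ret / ret imm16 / retf / retf imm16 -> (mnemonic, immediate length)
RET_OPS = {0xC3: ("ret", 0), 0xC2: ("ret", 2), 0xCB: ("retf", 0), 0xCA: ("retf", 2)}


def find_push_ret(code, base=0):
    """Return [(address, text)] for every push immediately followed by a
    ret/retf. The scan is byte-granular (like a gadget finder), so it can
    also report pairs that begin inside a longer instruction or in data;
    treat hits as candidates to confirm in a disassembler, not as proof."""
    hits, i, n = [], 0, len(code)
    while i < n:
        op = code[i]
        if op in PUSH_REG or op in PUSH_SEG:
            push_len, operand = 1, PUSH_REG.get(op) or PUSH_SEG[op]
        elif op == 0x68 and i + 5 <= n:          # push imm32
            push_len = 5
            operand = "%08Xh" % int.from_bytes(code[i + 1:i + 5], "little")
        elif op == 0x6A and i + 2 <= n:          # push imm8
            push_len, operand = 2, "%02Xh" % code[i + 1]
        else:
            i += 1
            continue
        j = i + push_len
        if j < n and code[j] in RET_OPS and j + 1 + RET_OPS[code[j]][1] <= n:
            mnem, imm_len = RET_OPS[code[j]]
            text = "push %s; %s" % (operand, mnem)
            if imm_len:  # ret/retf imm16: stack adjustment after the return
                text += " %04Xh" % int.from_bytes(code[j + 1:j + 3], "little")
            hits.append((base + i, text))
            i = j + 1 + imm_len
        else:
            i += 1
    return hits


# Constructed test buffer (hand-assembled for the example, not sample bytes).
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp  (prologue, no hit)
    0x16, 0xCB,                          # push ss; retf
    0x90, 0x90,                          # nop; nop
    0x68, 0xFF, 0xFF, 0xFF, 0x8B, 0xCB,  # push 8BFFFFFFh; retf
    0x51, 0xC3,                          # push ecx; ret
    0x53, 0xCA, 0x42, 0x00,              # push ebx; retf 0042h
    0x50, 0xC9,                          # push eax; leave   (no ret, no hit)
    0xC3,                                # ret
])


def summarise(code, base=0):
    """Count hits per return flavour; the report's signature fires on either."""
    counts = {"ret": 0, "retf": 0}
    for _, text in find_push_ret(code, base):
        counts["retf" if "retf" in text else "ret"] += 1
    return counts


if __name__ == "__main__":
    for addr, text in find_push_ret(SAMPLE, base=0x056C2F00):
        print("%08X  %s" % (addr, text))
    print(summarise(SAMPLE))
```

A legitimate function prologue (push ebp; mov ebp, esp) produces no hit because the push is not directly followed by a return; the retf hits are the more reliable indicator, since far returns are essentially absent from compiler-generated 32-bit user-mode code.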

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00443A61
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Health-ebook.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process information set: NOOPENFILEERRORBOX (30 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification, 3_2_0040978A
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5048 | Thread sleep count: 309 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5048 | Thread sleep time: -309000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3812 | Thread sleep count: 122 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3812 | Thread sleep time: -122000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 3_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 3_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 5_2_0040702D
Contains functionality to query system information
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0041829C memset,GetSystemInfo, 3_2_0041829C
Queries a list of all running processes
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification, 3_2_0040978A
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_004443B0
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 2.2.MSBuild.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Health-ebook.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Health-ebook.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpEA91.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDC84.tmp'
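The process chain documented under "Spawns processes" and again here (Health-ebook.exe starts a bare MSBuild.exe, which is hollowed, and that MSBuild.exe starts two suspended vbc.exe instances that are hollowed and run with /stext pointing into %Temp%) is detectable from process-creation telemetry alone, without the sandbox's memory view. The following is an added example, not part of the report and not the sandbox's detection logic: a small rule set over Sysmon-style process-creation records. The events are constructed for the example; PID 4640 and the image paths and /stext targets are taken from the report, every other PID and the two benign Visual Studio build events are invented, and the parent allow-list is a placeholder to be tuned per estate. The /stext switch is the text-dump option of the NirSoft command-line password-recovery tools whose PDB paths appear above.

```python
import ntpath
import re

# .NET Framework binaries that commodity loaders hollow or use as injection hosts.
DOTNET_UTILITIES = {"msbuild.exe", "vbc.exe", "csc.exe", "regasm.exe",
                    "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}
# Hypothetical allow-list of parents that legitimately start those binaries;
# tune it to the estate (build agents, IDEs) rather than copying it verbatim.
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "cmd.exe",
                    "powershell.exe"}
# NirSoft command-line recovery tools write their dump with "/stext <path>".
STEXT_RE = re.compile(r'/stext\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def split_cmdline(cmdline):
    """Split a Windows command line into (image, arguments); image may be quoted."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    parts = cmdline.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def detect(events):
    """Run the chain rules over process-creation events ordered parents before
    children. Returns {pid: [rule, ...]} for every flagged process."""
    findings = {}

    def flag(pid, rule):
        findings.setdefault(pid, []).append(rule)

    for e in events:
        image = ntpath.basename(e["image"]).lower()
        parent = ntpath.basename(e["parent_image"]).lower()
        _, args = split_cmdline(e["cmdline"])
        if image in DOTNET_UTILITIES and parent not in EXPECTED_PARENTS:
            flag(e["pid"], "dotnet-utility-unexpected-parent:" + parent)
        if image == "msbuild.exe" and not args:
            flag(e["pid"], "msbuild-without-project")  # nothing to build: host only
        m = STEXT_RE.search(args)
        if m and "\\appdata\\local\\temp\\" in m.group(1).lower():
            flag(e["pid"], "nirsoft-stext-dump-to-temp")
        if image in DOTNET_UTILITIES and e["ppid"] in findings:
            flag(e["pid"], "child-of-flagged-process")  # inherit suspicion down the chain
    return findings


FW = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\"
# Constructed events: the first four mirror the chain in the report (PIDs other
# than 4640 are invented); the last two are an invented benign Visual Studio build.
SAMPLE_EVENTS = [
    {"pid": 3004, "ppid": 2100, "image": "C:\\Users\\user\\Desktop\\Health-ebook.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": '"C:\\Users\\user\\Desktop\\Health-ebook.exe"'},
    {"pid": 4640, "ppid": 3004, "image": FW + "MSBuild.exe",
     "parent_image": "C:\\Users\\user\\Desktop\\Health-ebook.exe",
     "cmdline": FW + "MSBuild.exe"},
    {"pid": 5100, "ppid": 4640, "image": FW + "vbc.exe", "parent_image": FW + "MSBuild.exe",
     "cmdline": '"' + FW + 'vbc.exe" /stext "C:\\Users\\user\\AppData\\Local\\Temp\\tmpEA91.tmp"'},
    {"pid": 5116, "ppid": 4640, "image": FW + "vbc.exe", "parent_image": FW + "MSBuild.exe",
     "cmdline": '"' + FW + 'vbc.exe" /stext "C:\\Users\\user\\AppData\\Local\\Temp\\tmpDC84.tmp"'},
    {"pid": 6000, "ppid": 5900, "image": FW + "MSBuild.exe",
     "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe",
     "cmdline": '"' + FW + 'MSBuild.exe" "C:\\src\\app.vbproj" /p:Configuration=Release'},
    {"pid": 6010, "ppid": 6000, "image": FW + "vbc.exe", "parent_image": FW + "MSBuild.exe",
     "cmdline": '"' + FW + 'vbc.exe" /noconfig @"C:\\Users\\user\\AppData\\Local\\Temp\\tmp1F2A.cmdline"'},
]

if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The benign build is not flagged even though MSBuild.exe also spawns vbc.exe there: the parent is an expected one, MSBuild has a project argument, and the compiler is invoked with a response file rather than /stext. The /stext rule is the one that survives a loader switching its host from MSBuild.exe to another framework binary, so it is worth keeping even where the parent rule is noisy.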
May try to detect the Windows Explorer process (often used for injection)
Source: MSBuild.exe, 00000002.00000002.1392701094.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000002.00000002.1392701094.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: MSBuild.exe, 00000002.00000002.1392701094.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: Health-ebook.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: MSBuild.exe, 00000002.00000002.1392701094.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 3_2_00418137
Contains functionality to query the account / user name
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 5_2_004073B6
Contains functionality to query windows version
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_004083A1 GetVersionExW, 3_2_004083A1
Queries the cryptographic machine GUID
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: bdagent.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: MSASCui.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: avguard.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: avgrsx.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: avcenter.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: avp.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: zlclient.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: avgcsrvx.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: avgnt.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: hijackthis.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: avgui.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: avgwdsvc.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: mbam.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: MsMpEng.exe
Source: MSBuild.exe, 00000002.00000002.1394272674.0000000003500000.00000004.00000001.sdmp | Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

barindex
Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000002.00000002.1391429132.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1394323846.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4640, type: MEMORY
Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword | 5_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword | 5_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword | 5_2_004033B1
Yara detected WebBrowserPassView password recovery tool
Source: Yara match | File source: 00000002.00000002.1395389988.0000000005500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1395796534.00000000070B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.843205628.0000000004D73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.850771263.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1394323846.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 4160, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4640, type: MEMORY
Source: Yara match | File source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.5500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.5500000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat
Source: MSBuild.exe, 00000002.00000002.1391429132.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000002.00000002.1391429132.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1394323846.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4640, type: MEMORY
Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

Time | Type | Description
01:43:37 | API Interceptor | 1x Sleep call for process: MSBuild.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Health-ebook.exe | 65% | Virustotal |
Health-ebook.exe | 67% | ReversingLabs | Script-AutoIt.Trojan.Injector

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1008636
2.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://a.pomf.cat/ | 8% | Virustotal |
https://a.pomf.cat/ | 100% | URL Reputation | malware
http://pomf.cat/upload.php&https://a.pomf.cat/ | 0% | Avira URL Cloud | safe
http://pomf.cat/upload.php | 11% | Virustotal |
http://pomf.cat/upload.php | 0% | Avira URL Cloud | safe
http://pomf.cat/upload.phpCContent-Disposition: | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1391429132.0000000000402000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87a2e:$s1: HawkEye Keylogger
  • 0x87a97:$s1: HawkEye Keylogger
  • 0x80e71:$s2: _ScreenshotLogger
  • 0x80e3e:$s3: _PasswordStealer
00000002.00000002.1391429132.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000005.00000002.1058603253.0000000000400000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
00000002.00000002.1395389988.0000000005500000.00000004.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x6b4fa:$a1: logins.json
  • 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6bc7e:$s4: \mozsqlite3.dll
  • 0x6a4ee:$s5: SMTP Password
00000002.00000002.1395389988.0000000005500000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000002.1395796534.00000000070B1000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000003.843205628.0000000004D73000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000003.00000002.850771263.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000002.1394323846.0000000003519000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8f470:$s1: HawkEye Keylogger
  • 0x8e564:$s2: _ScreenshotLogger
  • 0x8eab0:$s2: _ScreenshotLogger
  • 0x8e531:$s3: _PasswordStealer
  • 0x8ea7d:$s3: _PasswordStealer
00000002.00000002.1394323846.0000000003519000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000002.1394323846.0000000003519000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
Process Memory Space: vbc.exe PID: 4160 | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
Process Memory Space: MSBuild.exe PID: 4640 | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x11643:$s2: _ScreenshotLogger
  • 0xb69bc:$s2: _ScreenshotLogger
  • 0xb7015:$s2: _ScreenshotLogger
  • 0xb78a9:$s2: _ScreenshotLogger
  • 0xb859d:$s2: _ScreenshotLogger
  • 0x115ec:$s3: _PasswordStealer
  • 0xb6965:$s3: _PasswordStealer
  • 0xb6fbe:$s3: _PasswordStealer
  • 0xb7852:$s3: _PasswordStealer
  • 0xb8546:$s3: _PasswordStealer
Process Memory Space: MSBuild.exe PID: 4640 | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
Process Memory Space: MSBuild.exe PID: 4640 | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.vbc.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
5.2.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
3.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
3.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
2.2.MSBuild.exe.400000.0.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87c2e:$s1: HawkEye Keylogger
  • 0x87c97:$s1: HawkEye Keylogger
  • 0x81071:$s2: _ScreenshotLogger
  • 0x8103e:$s3: _PasswordStealer
2.2.MSBuild.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
2.2.MSBuild.exe.400000.0.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen
  • 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
  • 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
  • 0x8103e:$str1: _PasswordStealer
  • 0x8104f:$str2: _KeyStrokeLogger
  • 0x81071:$str3: _ScreenshotLogger
  • 0x81060:$str4: _ClipboardLogger
  • 0x81083:$str5: _WebCamLogger
  • 0x81198:$str6: _AntiVirusKiller
  • 0x81186:$str7: _ProcessElevation
  • 0x8114d:$str8: _DisableCommandPrompt
  • 0x81253:$str9: _WebsiteBlocker
  • 0x81263:$str9: _WebsiteBlocker
  • 0x81139:$str10: _DisableTaskManager
  • 0x811b4:$str11: _AntiDebugger
  • 0x8123e:$str12: _WebsiteVisitorSites
  • 0x81163:$str13: _DisableRegEdit
  • 0x811c2:$str14: _ExecutionDelay
  • 0x810e7:$str15: _InstallStartupPersistance
2.2.MSBuild.exe.5500000.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x6b4fa:$a1: logins.json
  • 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6bc7e:$s4: \mozsqlite3.dll
  • 0x6a4ee:$s5: SMTP Password
2.2.MSBuild.exe.5500000.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
2.2.MSBuild.exe.5500000.1.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x696fa:$a1: logins.json
  • 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x69e7e:$s4: \mozsqlite3.dll
  • 0x686ee:$s5: SMTP Password
2.2.MSBuild.exe.5500000.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update): Data: Command: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpEA91.tmp', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpEA91.tmp', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ParentProcessId: 4640, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpEA91.tmp', ProcessId: 4160

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.