
Analysis Report pagamento.exe

Overview

General Information

Sample Name: pagamento.exe
MD5: c4d3a7794534b46eb35452914a70f1bf
SHA1: ad29430108292835fde9f7f479168a08d8c8349e
SHA256: f9b3c9ef942b6104a1c080cd1fcb2c5324178f1c5c99392b6604896543485e54

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Maps a DLL or memory area into another process
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • pagamento.exe (PID: 4224 cmdline: 'C:\Users\user\Desktop\pagamento.exe' MD5: C4D3A7794534B46EB35452914A70F1BF)
    • RegAsm.exe (PID: 5992 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 1352 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 5728 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 2020 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b945:$key: HawkEyeKeylogger
  • 0x7db89:$salt: 099u787978786
  • 0x7bf86:$string1: HawkEye_Keylogger
  • 0x7cdd9:$string1: HawkEye_Keylogger
  • 0x7dae9:$string1: HawkEye_Keylogger
  • 0x7c36f:$string2: holdermail.txt
  • 0x7c38f:$string2: holdermail.txt
  • 0x7c2b1:$string3: wallet.dat
  • 0x7c2c9:$string3: wallet.dat
  • 0x7c2df:$string3: wallet.dat
  • 0x7d6ad:$string4: Keylog Records
  • 0x7d9c5:$string4: Keylog Records
  • 0x7dbe1:$string5: do not script -->
  • 0x7b92d:$string6: \pidloc.txt
  • 0x7b9bb:$string7: BSPLIT
  • 0x7b9cb:$string7: BSPLIT

Source: 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bfde:$hawkstr1: HawkEye Keylogger
  • 0x7ce1f:$hawkstr1: HawkEye Keylogger
  • 0x7d14e:$hawkstr1: HawkEye Keylogger
  • 0x7d2a9:$hawkstr1: HawkEye Keylogger
  • 0x7d40c:$hawkstr1: HawkEye Keylogger
  • 0x7d685:$hawkstr1: HawkEye Keylogger
  • 0x7bb6c:$hawkstr2: Dear HawkEye Customers!
  • 0x7d1a1:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2f8:$hawkstr2: Dear HawkEye Customers!
  • 0x7d45f:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc8d:$hawkstr3: HawkEye Logger Details:

Source: 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b725:$key: HawkEyeKeylogger
  • 0x7d969:$salt: 099u787978786
  • 0x7bd66:$string1: HawkEye_Keylogger
  • 0x7cbb9:$string1: HawkEye_Keylogger
  • 0x7d8c9:$string1: HawkEye_Keylogger
  • 0x7c14f:$string2: holdermail.txt
  • 0x7c16f:$string2: holdermail.txt
  • 0x7c091:$string3: wallet.dat
  • 0x7c0a9:$string3: wallet.dat
  • 0x7c0bf:$string3: wallet.dat
  • 0x7d48d:$string4: Keylog Records
  • 0x7d7a5:$string4: Keylog Records
  • 0x7d9c1:$string5: do not script -->
  • 0x7b70d:$string6: \pidloc.txt
  • 0x7b79b:$string7: BSPLIT
  • 0x7b7ab:$string7: BSPLIT

(18 entries in total; the remaining entries are not shown)

Unpacked PEs

Source: 0.2.pagamento.exe.5d20000.2.unpack
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b925:$key: HawkEyeKeylogger
  • 0x7db69:$salt: 099u787978786
  • 0x7bf66:$string1: HawkEye_Keylogger
  • 0x7cdb9:$string1: HawkEye_Keylogger
  • 0x7dac9:$string1: HawkEye_Keylogger
  • 0x7c34f:$string2: holdermail.txt
  • 0x7c36f:$string2: holdermail.txt
  • 0x7c291:$string3: wallet.dat
  • 0x7c2a9:$string3: wallet.dat
  • 0x7c2bf:$string3: wallet.dat
  • 0x7d68d:$string4: Keylog Records
  • 0x7d9a5:$string4: Keylog Records
  • 0x7dbc1:$string5: do not script -->
  • 0x7b90d:$string6: \pidloc.txt
  • 0x7b99b:$string7: BSPLIT
  • 0x7b9ab:$string7: BSPLIT

Source: 0.2.pagamento.exe.5d20000.2.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 0.2.pagamento.exe.5d20000.2.unpack
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 0.2.pagamento.exe.5d20000.2.unpack
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bfbe:$hawkstr1: HawkEye Keylogger
  • 0x7cdff:$hawkstr1: HawkEye Keylogger
  • 0x7d12e:$hawkstr1: HawkEye Keylogger
  • 0x7d289:$hawkstr1: HawkEye Keylogger
  • 0x7d3ec:$hawkstr1: HawkEye Keylogger
  • 0x7d665:$hawkstr1: HawkEye Keylogger
  • 0x7bb4c:$hawkstr2: Dear HawkEye Customers!
  • 0x7d181:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2d8:$hawkstr2: Dear HawkEye Customers!
  • 0x7d43f:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc6d:$hawkstr3: HawkEye Logger Details:

Source: 3.2.RegAsm.exe.400000.0.unpack
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b925:$key: HawkEyeKeylogger
  • 0x7db69:$salt: 099u787978786
  • 0x7bf66:$string1: HawkEye_Keylogger
  • 0x7cdb9:$string1: HawkEye_Keylogger
  • 0x7dac9:$string1: HawkEye_Keylogger
  • 0x7c34f:$string2: holdermail.txt
  • 0x7c36f:$string2: holdermail.txt
  • 0x7c291:$string3: wallet.dat
  • 0x7c2a9:$string3: wallet.dat
  • 0x7c2bf:$string3: wallet.dat
  • 0x7d68d:$string4: Keylog Records
  • 0x7d9a5:$string4: Keylog Records
  • 0x7dbc1:$string5: do not script -->
  • 0x7b90d:$string6: \pidloc.txt
  • 0x7b99b:$string7: BSPLIT
  • 0x7b9ab:$string7: BSPLIT

(3 entries in total; the remaining entries are not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: pagamento.exe | Virustotal: Detection: 42%
Source: pagamento.exe | ReversingLabs: Detection: 31%
Source: 3.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.RegAsm.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.pagamento.exe.5d20000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.pagamento.exe.5d20000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473

Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_07C49F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_07C47ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_07C4A430

Source: unknown | DNS traffic detected: query: 231.58.0.0.in-addr.arpa replaycode: Name error (3)
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 231.58.0.0.in-addr.arpa
Source: pagamento.exe | String found in binary or memory: http://169.254.169.254/metadata/instance/compute
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000003.00000002.1089445408.0000000002EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000003.00000002.1089445408.0000000002EB0000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000003.00000002.1094548573.0000000006116000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.pagamento.exe.5d20000.2.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C4679C SetWindowsHookExA 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: pagamento.exe, 00000000.00000002.1476916043.00000000012C0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1479372039.0000000005D22000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1479372039.0000000005D22000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1477327587.0000000004060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1477327587.0000000004060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1089445408.0000000002EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.pagamento.exe.5d20000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.pagamento.exe.5d20000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_03041C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_030400AD NtOpenSection,NtMapViewOfSection
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0530B29C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0530DFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_053099D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07670040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C45EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C455E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C4B480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C4A440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C49B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C492E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C4B471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C4B473
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C49B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C452A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C40006
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 2020
Source: pagamento.exe, 00000000.00000002.1479553173.0000000005DA2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs pagamento.exe
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs pagamento.exe
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs pagamento.exe
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs pagamento.exe
Source: pagamento.exe, 00000000.00000002.1478897697.00000000054E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemDvaThazTsSBULLc.river.exe4 vs pagamento.exe
Source: pagamento.exe, 00000000.00000002.1476916043.00000000012C0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs pagamento.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1479372039.0000000005D22000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.1479372039.0000000005D22000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1477327587.0000000004060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.1477327587.0000000004060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1089445408.0000000002EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.pagamento.exe.5d20000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.pagamento.exe.5d20000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: pagamento.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 0.2.pagamento.exe.5d20000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.pagamento.exe.5d20000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.pagamento.exe.5d20000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.pagamento.exe.5d20000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.pagamento.exe.5d20000.2.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhXZYZBYnwDnophI6j9cBllsmTxkGzx+Eg2D6FEzCA4y5FccpoQzhIj9/TPKhkBsuTw==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhXZYZBYnwDnophI6j9cBllsmTxkGzx+Eg2D6FEzCA4y5FccpoQzhIj9/TPKhkBsuTw==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/6@1/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1352
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA53A.tmp
Source: pagamento.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pagamento.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\pagamento.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: pagamento.exe | Virustotal: Detection: 42%
Source: pagamento.exe | ReversingLabs: Detection: 31%
Source: unknown | Process created: C:\Users\user\Desktop\pagamento.exe 'C:\Users\user\Desktop\pagamento.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 2020
Source: C:\Users\user\Desktop\pagamento.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\pagamento.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: pagamento.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: pagamento.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: System.Runtime.Remoting.pdb(E source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000003.00000002.1098059291.000000000871A000.00000004.00000010.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000003.00000002.1098059291.000000000871A000.00000004.00000010.sdmp
          Source: Binary string: .pdb0 source: RegAsm.exe, 00000003.00000002.1098059291.000000000871A000.00000004.00000010.sdmp
          Source: Binary string: Accessibility.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: System.ni.pdbRSDS source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: Accessibility.pdbd source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000003.00000002.1088421043.0000000001087000.00000004.00000001.sdmp
          Source: Binary string: System.Management.ni.pdbRSDSJ source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: System.Configuration.ni.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000003.00000002.1097706593.0000000007CC7000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.pdb source: RegAsm.exe, 00000003.00000002.1097537693.0000000007C74000.00000004.00000001.sdmp
          Source: Binary string: System.Drawing.pdbA source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: mscorlib.pdbBTM\TM NTM_CorDllMainmscoree.dll source: RegAsm.exe, 00000003.00000002.1088421043.0000000001087000.00000004.00000001.sdmp
          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp
          Source: Binary string: System.Runtime.Remoting.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: System.Configuration.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.PDBqnh source: RegAsm.exe, 00000003.00000002.1098059291.000000000871A000.00000004.00000010.sdmp
          Source: Binary string: System.Xml.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: System.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: (Pqn0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000003.00000002.1098059291.000000000871A000.00000004.00000010.sdmp
          Source: Binary string: System.Core.ni.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: Microsoft.VisualBasic.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: System.Windows.Forms.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000003.00000002.1088421043.0000000001087000.00000004.00000001.sdmp, WERA53A.tmp.dmp.6.dr
          Source: Binary string: System.Management.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: System.Drawing.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: mscorlib.ni.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1089445408.0000000002EB0000.00000004.00000001.sdmp
          Source: Binary string: System.Management.ni.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: System.Core.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp
          Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000003.00000002.1088421043.0000000001087000.00000004.00000001.sdmp
          Source: Binary string: .pdb source: RegAsm.exe, 00000003.00000002.1098059291.000000000871A000.00000004.00000010.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: RegAsm.exe, 00000003.00000002.1098059291.000000000871A000.00000004.00000010.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.PDBb source: RegAsm.exe, 00000003.00000002.1097537693.0000000007C74000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb source: WERA53A.tmp.dmp.6.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WERA53A.tmp.dmp.6.dr

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 0.2.pagamento.exe.5d20000.2.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.pagamento.exe.5d20000.2.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.pagamento.exe.5d20000.2.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.pagamento.exe.5d20000.2.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00BD63F7 push edi; retf 0_2_00BD63FE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0530E672 push esp; ret 3_2_0530E679
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C4D1A9 push esp; retf 3_2_07C4D1AA
          Source: initial sample | Static PE information: section name: .text entropy: 7.15399492811

          Hooking and other Techniques for Hiding and Protection:

          Changes the view of files in Windows Explorer (hidden files and folders)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
          Source: C:\Windows\SysWOW64\WerFault.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
          Source: C:\Users\user\Desktop\pagamento.exe | Process information set: NOOPENFILEERRORBOX (14 identical events)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (49 identical events)
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 identical events)

          Source: C:\Users\user\Desktop\pagamento.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 300000
          Source: C:\Users\user\Desktop\pagamento.exe TID: 1416 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5160 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5196 | Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3660 | Thread sleep time: -140000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3852 | Thread sleep time: -300000s >= -30000s
          Note: 922337203685477 is 2^63 100-nanosecond intervals expressed in milliseconds, which is what an infinite wait (for example Sleep(INFINITE)) looks like at the NtDelayExecution level; those two entries are blocking waits, not tuned delays. The 300000 ms (5 minute) sleep is the one behind the "Contains long sleeps (>= 3 min)" summary signature.
          Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information queried: ProcessInformation

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_07C4BD40 LdrInitializeThunk, 3_2_07C4BD40
          Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_030400AD mov ecx, dword ptr fs:[00000030h] 0_2_030400AD
          Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_030400AD mov eax, dword ptr fs:[00000030h] 0_2_030400AD
          Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_030401CB mov eax, dword ptr fs:[00000030h] 0_2_030401CB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\pagamento.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          .NET source code references suspicious native API functions
          Source: 0.2.pagamento.exe.5d20000.2.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 0.2.pagamento.exe.5d20000.2.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 3.2.RegAsm.exe.400000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\pagamento.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\pagamento.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Users\user\Desktop\pagamento.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: pagamento.exe, 00000000.00000002.1477093530.0000000001A60000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: pagamento.exe, 00000000.00000002.1477093530.0000000001A60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: pagamento.exe, 00000000.00000002.1477093530.0000000001A60000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: pagamento.exe, 00000000.00000002.1477093530.0000000001A60000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
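          The RunPE.cs references to VirtualAllocEx, WriteProcessMemory and VirtualProtectEx, the freshly created RegAsm.exe with an empty command line, and the execute/read/write section that pagamento.exe maps into it are the three observable pieces of a process-hollowing chain. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it runs one detection rule over process telemetry and only fires when all three pieces line up. The event schema is a constructed, simplified one (not Sysmon's or any vendor's), and the sample events are constructed to mirror this report; the PIDs 4224 and 1352 are the ones the report shows.

```python
"""Detect a RunPE-style process-hollowing chain in process telemetry.

Added example, not part of the Joe Sandbox report or the sample's code.
The event schema is a constructed, simplified one (not Sysmon's or any
vendor's); the sample events are constructed to mirror this report:
pagamento.exe (PID 4224) on the user's Desktop starts RegAsm.exe (PID 1352)
with no arguments and maps an execute/read/write section into it.
"""
from dataclasses import dataclass

# Framework hosts that do nothing useful without arguments: RegAsm.exe with an
# empty command line only prints its usage text and exits, so an argument-less
# instance that is then written into is a hollowing candidate.
BARE_HOSTS = {"regasm.exe"}

# Parent locations treated as untrusted for spawning framework hosts
# (assumption for this example: user-writable directories).
UNTRUSTED_PARENT_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\")


@dataclass
class Event:
    kind: str               # "process_create" | "section_map" | "remote_write"
    pid: int                # process_create: the child; otherwise the acting process
    image: str              # image path of that process
    cmdline: str = ""       # process_create only
    parent_pid: int = 0     # process_create only
    parent_image: str = ""  # process_create only
    target_pid: int = 0     # section_map / remote_write: the process written into
    protection: str = ""    # section_map: e.g. "RWX" or "execute and read and write"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def bare_commandline(cmdline: str, image: str) -> bool:
    """True when the command line is nothing but the (possibly quoted) image path."""
    return cmdline.strip().strip("\"'").lower() == image.lower()


def find_hollowing(events):
    """Return {child_pid: [reasons]} for children that match the full chain.

    All three pieces are required: an argument-less framework host, a parent in
    an untrusted location, and that same parent placing executable memory into
    the child. A bare RegAsm.exe on its own is a weak signal and is not reported.
    """
    candidates = {}
    for e in events:
        if e.kind != "process_create":
            continue
        reasons = []
        if basename(e.image) in BARE_HOSTS and bare_commandline(e.cmdline, e.image):
            reasons.append("argument-less %s" % basename(e.image))
        if any(d in e.parent_image.lower() for d in UNTRUSTED_PARENT_DIRS):
            reasons.append("parent in user-writable path: %s" % e.parent_image)
        if len(reasons) == 2:
            candidates[e.pid] = {"parent_pid": e.parent_pid, "reasons": reasons, "injected": False}

    for e in events:
        if e.kind not in ("section_map", "remote_write") or e.target_pid not in candidates:
            continue
        c = candidates[e.target_pid]
        # Every execute-bearing Windows protection name contains an X
        # ("RWX", "PAGE_EXECUTE_READWRITE", "execute and read and write");
        # a raw remote write is counted because RunPE protects the pages later.
        executable = e.kind == "remote_write" or "X" in e.protection.upper()
        if e.pid == c["parent_pid"] and executable:
            c["injected"] = True
            c["reasons"].append("%s into child by parent (%s)" % (e.kind, e.protection or "write"))

    return {pid: c["reasons"] for pid, c in candidates.items() if c["injected"]}


DROPPER = r"C:\Users\user\Desktop\pagamento.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

SAMPLE_EVENTS = [  # constructed for this example
    Event("process_create", 4224, DROPPER, cmdline="'%s'" % DROPPER,
          parent_pid=1000, parent_image=r"C:\Windows\explorer.exe"),
    Event("process_create", 1352, REGASM, cmdline=REGASM,
          parent_pid=4224, parent_image=DROPPER),
    Event("section_map", 4224, DROPPER, target_pid=1352,
          protection="execute and read and write"),
    # Benign control: an installer registering a COM-visible assembly.
    Event("process_create", 2000, REGASM,
          cmdline='%s "C:\\Program Files\\Vendor\\Interop.dll" /codebase' % REGASM,
          parent_pid=1999, parent_image=r"C:\Program Files\Vendor\setup.exe"),
]

if __name__ == "__main__":
    for pid, reasons in find_hollowing(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

          Run stand-alone it reports only PID 1352; the installer-driven RegAsm.exe is ignored because it carries an assembly argument and has a parent under Program Files. Mapping real Sysmon or EDR fields onto the Event dataclass is the only adaptation needed.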

          Source: C:\Users\user\Desktop\pagamento.exe | Queries volume information: C:\Users\user\Desktop\pagamento.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

          Stealing of Sensitive Information:

          Yara detected MailPassView
          Source: Yara match | File source: 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1479372039.0000000005D22000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.1090607794.0000000003EB0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1477327587.0000000004060000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1352, type: MEMORY
          Source: Yara match | File source: Process Memory Space: pagamento.exe PID: 4224, type: MEMORY
          Source: Yara match | File source: 0.2.pagamento.exe.5d20000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Yara detected WebBrowserPassView password recovery tool
          Source: Yara match | File source: 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1479372039.0000000005D22000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.1090607794.0000000003EB0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1477327587.0000000004060000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1352, type: MEMORY
          Source: Yara match | File source: Process Memory Space: pagamento.exe PID: 4224, type: MEMORY
          Source: Yara match | File source: 0.2.pagamento.exe.5d20000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Detected HawkEye Rat
          Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
          Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
          Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
          Source: pagamento.exe, 00000000.00000002.1479119822.00000000055BB000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
          Source: RegAsm.exe, 00000003.00000002.1089445408.0000000002EB0000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger
          Source: RegAsm.exe, 00000003.00000002.1089445408.0000000002EB0000.00000004.00000001.sdmp | String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
          Source: RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
          Source: RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
          Source: RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
          Source: RegAsm.exe, 00000003.00000002.1087535545.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
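          The PDB paths listed earlier in this section (f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb, f:\Projects\VS2005\mailpv\Release\mailpv.pdb, the CMemoryExecute.pdb build path) and the HawkEye marker strings just above are the indicators a responder would pull from a memory dump of either process. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses CodeView RSDS debug records (the "RSDS" signature, a 16-byte GUID, a 4-byte age, then the PDB path) out of a raw buffer, stops each path at ".pdb" so that trailing junk like "mscorlib.pdbBTM..." in the strings above does not swallow it, and labels paths that match the tooling this report names. The sample buffer, its GUIDs and the label text are constructed for the example; the paths and marker strings are the ones the report lists.

```python
"""Recover PDB paths from CodeView RSDS records and flag known tooling.

Added example, not part of the Joe Sandbox report or the sample. A CodeView
7.0 debug record is the 4-byte signature "RSDS", a 16-byte GUID, a 4-byte
age and a NUL-terminated PDB path; that is the structure behind the
"Binary string: ... .pdb" lines in this report. The sample buffer, its GUIDs
and the indicator labels are constructed for this example.
"""
import re
import struct
import uuid

RSDS = b"RSDS"

# Fragments of PDB paths that identify bundled third-party tools or the
# stealer's own build tree (paths from this report, labels ours).
INDICATORS = {
    r"WebBrowserPassView\Release\WebBrowserPassView.pdb": "NirSoft WebBrowserPassView (browser credential recovery)",
    r"mailpv\Release\mailpv.pdb": "NirSoft Mail PassView (mail client credential recovery)",
    r"Projects\Stealer\CMemoryExecute": "HawkEye build tree (CMemoryExecute in-memory PE loader)",
}

# Plain strings the report lists as HawkEye markers.
HAWKEYE_MARKERS = [
    b"HawkEyeKeylogger",
    b"HawkEye_Keylogger_Execution_Confirmed_",
    b"HawkEye_Keylogger_Stealer_Records_",
    b"HawkEye_Keylogger_Keylog_Records_",
]

# A PDB path: printable ASCII up to the first ".pdb". Stopping at ".pdb"
# rather than at the NUL tolerates trailing junk such as "mscorlib.pdbBTM..."
# seen in dumped memory.
PDB_PATH = re.compile(rb"[\x20-\x7e]{1,512}?\.pdb", re.IGNORECASE)


def parse_rsds(data: bytes):
    """Yield (offset, guid, age, pdb_path) for each RSDS record in data."""
    pos = data.find(RSDS)
    while pos >= 0:
        body = pos + 4
        if body + 20 <= len(data):
            guid = uuid.UUID(bytes_le=data[body:body + 16])
            (age,) = struct.unpack_from("<I", data, body + 16)
            m = PDB_PATH.match(data, body + 20)
            # No path right after the header means a stray "RSDS" in unrelated
            # bytes, which is common in memory dumps; skip it but keep scanning.
            if m:
                yield pos, guid, age, m.group(0).decode("ascii")
        pos = data.find(RSDS, pos + 4)


def classify(pdb_path: str):
    """Indicator label for a PDB path, or None if it looks unremarkable."""
    p = pdb_path.lower()
    for needle, label in INDICATORS.items():
        if needle.lower() in p:
            return label
    return None


def triage(data: bytes) -> dict:
    """Summarise a buffer: all RSDS-derived PDB paths, the flagged ones, HawkEye markers."""
    records = [(off, str(guid), age, path, classify(path))
               for off, guid, age, path in parse_rsds(data)]
    return {
        "pdb_records": records,
        "flagged": [r for r in records if r[4] is not None],
        "hawkeye_markers": sorted(m.decode() for m in HAWKEYE_MARKERS if m in data),
    }


def make_rsds(pdb_path: str, age: int = 1, guid: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one RSDS record; used here only to construct the sample input."""
    return RSDS + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\x00"


SAMPLE_DUMP = (  # constructed: records for this report's paths plus noise
    b"\x00" * 16
    + make_rsds(r"f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb", age=3)
    + b"RSDS appears in text too\x00"  # stray signature with no record behind it
    + make_rsds(r"f:\Projects\VS2005\mailpv\Release\mailpv.pdb")
    + make_rsds(r"C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb")
    + make_rsds(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.pdb")  # benign host binary
    + b"\\pidloc.txt!HawkEyeKeylogger\x00"
)

if __name__ == "__main__":
    for off, guid, age, path, label in triage(SAMPLE_DUMP)["pdb_records"]:
        print("0x%06x age=%d %s%s" % (off, age, path, ("  <-- " + label) if label else ""))
```

          Against a real dump the same call takes the file's bytes; the GUID and age are worth keeping because together they name the exact PDB a symbol server would return, which lets two samples be tied to one build even when the path string differs.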

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Replication Through Removable Media 1 | Windows Management Instrumentation 1 | Hidden Files and Directories 1 | Process Injection 112 | Masquerading 11 | Input Capture 311 | Virtualization/Sandbox Evasion 4 | Replication Through Removable Media 1 | Input Capture 311 | Data Encrypted 11 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Replication Through Removable Media | Execution through API 1 | Port Monitors | Accessibility Features | Hidden Files and Directories 1 | Network Sniffing | Process Discovery 2 | Remote Services | Clipboard Data 1 | Exfiltration Over Other Network Medium | Remote Access Tools 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Software Packing 13 | Input Capture | Peripheral Device Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Disabling Security Tools 1 | Credentials in Files | Security Software Discovery 3 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 1 | SIM Card Swap | | Premium SMS Toll Fraud
          Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Modify Registry 1 | Account Manipulation | Remote System Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion 4 | Brute Force | System Information Discovery 22 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
          Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection 112 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Deobfuscate/Decode Files or Information 1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Obfuscated Files or Information 31 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction
          Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | DLL Side-Loading 1 | Keychain | Process Discovery | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | | | Data Encrypted for Impact

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.