Analysis Report honesty.exe

Overview

General Information

Sample Name:honesty.exe
MD5:73af4f718886ca0b3c6620ea30003a4f
SHA1:5cd52a3cf69441dbf9f1435fa42f4d26f36aadaa
SHA256:31392c7ea7bf96c542b942f353e74ab39f4fb9434d8381a3c558a80ba7204787

Detection

Score:5
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info

Classification

Startup

  • System is w7
  • honesty.exe (PID: 3796 cmdline: 'C:\Users\user\Desktop\honesty.exe' MD5: 73AF4F718886CA0B3C6620EA30003A4F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: honesty.exe | String found in binary or memory: http://www.macromedia.com
Source: honesty.exe | String found in binary or memory: https://http://application/futuresplashapplication/x-shockwave-flash.spl.swfShockwaveFlash.Shockwave

Source: C:\Users\user\Desktop\honesty.exe | Code function: 0_2_004052F0 OpenClipboard, GetClipboardData, CloseClipboard (reported under both clipboard-read signatures)

Source: C:\Users\user\Desktop\honesty.exe | Code function: 0_2_0040AAC0 GetKeyState, GetKeyState, GetKeyState, GetCursorPos, WindowFromPoint, ScreenToClient, GetClientRect, GetSubMenu, SetFocus, LoadMenuA, GetSubMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, DeleteMenu, ClientToScreen, TrackPopupMenu, DestroyMenu, GetCapture, GetDC, SelectPalette, SelectPalette, RealizePalette, SelectPalette, ReleaseDC, GetDC, SelectPalette, SelectPalette, RealizePalette, SelectPalette, RealizePalette, SelectPalette, ReleaseDC, DeleteObject
Note: the GetKeyState calls behind "Potential key logger detected (key state polling based)" sit in the same function as LoadMenuA/TrackPopupMenu, i.e. modifier-key checks while a context menu is built. That fits a GUI right-click handler rather than keystroke capture and is consistent with the clean verdict (score 5).

Source: C:\Users\user\Desktop\honesty.exe | Code functions flagged as potential crypto routines (35):
0_2_0040C830, 0_2_004188F0, 0_2_00417090, 0_2_00430890, 0_2_00411100, 0_2_0040C930, 0_2_0041B130,
0_2_00404190, 0_2_0042C19D, 0_2_0042D250, 0_2_0040CA60, 0_2_0040AAC0, 0_2_0042BAE0, 0_2_0042CAB0,
0_2_0041BB00, 0_2_00411330, 0_2_00410B80, 0_2_0040EB90, 0_2_0042C404, 0_2_004194D0, 0_2_0041CD60,
0_2_00432560, 0_2_00410D70, 0_2_00406500, 0_2_00430D20, 0_2_004295D0, 0_2_00411580, 0_2_00413580,
0_2_00402620, 0_2_0041B680, 0_2_004106A0, 0_2_0042D750, 0_2_00410F60, 0_2_00418F30, 0_2_004137A0
Source: honesty.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (6 such resources)
Source: honesty.exe, 00000000.00000000.764383620.00440000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSwFlsh32.exe4 vs honesty.exe
Source: honesty.exe, 00000000.00000002.1211945123.00350000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs honesty.exe
Source: honesty.exe, 00000000.00000002.1211970703.00370000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameMMDevAPI.Dll.MUIj% vs honesty.exe
Source: honesty.exe, 00000000.00000002.1211987527.00390000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenamemsacm32.acm.muij% vs honesty.exe
Source: honesty.exe, 00000000.00000002.1211963073.00360000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenamewdmaud.drv.muij% vs honesty.exe
Source: honesty.exe | Binary or memory string: OriginalFilenameSwFlsh32.exe4 vs honesty.exe
Source: classification engine | Classification label: clean5.winEXE@1/0@0/0
Source: honesty.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\honesty.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\honesty.exe | File read: C:\Users\user\Desktop\honesty.exe
Source: C:\Users\user\Desktop\honesty.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD773740-B187-4974-A1D5-E0FF91372277}\InprocServer32
Source: honesty.exe | Static file information: File size 32473484 > 1048576

Source: C:\Users\user\Desktop\honesty.exe | Code function: 0_2_0040A540 LoadLibraryA, GetProcAddress, MultiByteToWideChar, MultiByteToWideChar, MultiByteToWideChar
Source: honesty.exe | Static PE information: section name: .data1

Source: C:\Users\user\Desktop\honesty.exe | Code function: 0_2_00409720 LoadLibraryA, GetProcAddress (x10), GetLastError, PostMessageA, PostMessageA

Source: C:\Users\user\Desktop\honesty.exe | API call chain: ExitProcess graph end node (graph_0-20500)

Source: C:\Users\user\Desktop\honesty.exe | Code function: 0_2_0040A540 LoadLibraryA, GetProcAddress, MultiByteToWideChar, MultiByteToWideChar, MultiByteToWideChar

Source: honesty.exe, 00000000.00000002.1212256462.00710000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: honesty.exe, 00000000.00000002.1212256462.00710000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: honesty.exe, 00000000.00000002.1212256462.00710000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\honesty.exe | Code function: 0_2_00401D50 cpuid
Source: C:\Users\user\Desktop\honesty.exe | Code function: 0_2_00409190 GetVersionExA, LoadStringA, GetOpenFileNameA
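Added example, not part of the Joe Sandbox report or of the sample: a standard-library Python triage script that reproduces the two static PE checks the report raises against honesty.exe ("PE file contains sections with non-standard names" for .data1, and the .text characteristics line) and prints the same three hashes the General Information block lists. The STANDARD_SECTION_NAMES set is this example's own heuristic, not Joe Sandbox's, and build_test_pe constructs a minimal header-only PE so the script runs offline; to triage a real file, read it and pass the bytes to triage().

```python
"""Static PE triage: section names, section flags and file hashes (stdlib only)."""
import hashlib
import struct

# Heuristic allow-list of section names common toolchains emit (example's own,
# not the sandbox's list). Anything else, e.g. the report's ".data1", is flagged.
STANDARD_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
    ".bss", ".tls", ".pdata", ".CRT", ".debug", ".xdata", "CODE", "DATA",
}

# IMAGE_SECTION_HEADER.Characteristics bits (PE/COFF specification).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 as listed in the report's General Information block."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def parse_sections(data: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_hdr_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_hdr_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].split(b"\0", 1)[0].decode("latin-1")
        (characteristics,) = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name, "characteristics": characteristics})
    return sections


def triage(data: bytes) -> dict:
    """Apply the report's static checks and return hashes, section names and findings."""
    findings = []
    sections = parse_sections(data)
    for s in sections:
        c = s["characteristics"]
        if s["name"] not in STANDARD_SECTION_NAMES:
            findings.append(f"non-standard section name: {s['name']}")
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable+executable section: {s['name']}")
        if s["name"] == ".text" and not c & IMAGE_SCN_CNT_CODE:
            findings.append(".text not marked IMAGE_SCN_CNT_CODE")
    return {"hashes": file_hashes(data), "sections": [s["name"] for s in sections],
            "findings": findings}


def build_test_pe(sections) -> bytes:
    """Constructed minimal PE32 header (not a runnable executable): MZ stub,
    PE signature, COFF header, zero-filled optional header, section table."""
    opt_size = 224  # size of a PE32 optional header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table = b"".join(
        name.encode("latin-1").ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200,
                      0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    # Constructed stand-in mirroring the report: an ordinary .text plus ".data1".
    sample = build_test_pe([
        (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (".data1", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])
    print(triage(sample))
```

The hash values printed for the constructed header will of course differ from those in the report; the point of the check is that a file whose MD5/SHA1/SHA256 all match the General Information block is the same object the sandbox ran, so the findings can be compared like-for-like.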

Mitre Att&ck Matrix

Techniques carrying a trailing number had matching signatures in this run; the unnumbered entries are the report's matrix template and did not match.

  • Initial Access: Valid Accounts; Replication Through Removable Media
  • Execution: Execution through API 1; Service Execution
  • Persistence: Application Shimming 1; Port Monitors
  • Privilege Escalation: Process Injection 1; Application Shimming 1
  • Defense Evasion: Process Injection 1; Binary Padding
  • Credential Access: Input Capture 1; Network Sniffing
  • Discovery: Process Discovery 1; System Information Discovery 12
  • Lateral Movement: Application Deployment Software; Remote Services
  • Collection: Input Capture 1; Clipboard Data 2
  • Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium
  • Command and Control: Standard Cryptographic Protocol 1; Fallback Channels
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout
