

Analysis Report gunzipped

Overview

General Information

Sample Name:gunzipped (renamed file extension from none to exe)
Analysis ID:252602
MD5:e6e39c09937084fa2518234dca885b0b
SHA1:68e4b304f8820c4c359527fc565294e242eeb707
SHA256:067fe961b8467627e2de7b7f1553b6e48b53c54fd65d18014fc3f3cc4660a9d3


Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • gunzipped.exe (PID: 6888 cmdline: 'C:\Users\user\Desktop\gunzipped.exe' MD5: E6E39C09937084FA2518234DCA885B0B)
    • gunzipped.exe (PID: 6192 cmdline: {path} MD5: E6E39C09937084FA2518234DCA885B0B)
      • vbc.exe (PID: 6524 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 816 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • wuapihost.exe (PID: 3068 cmdline: C:\Windows\System32\wuapihost.exe -Embedding MD5: 85C9C161B102A164EC09A23CACDDD09E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: gunzipped.exe | Rule: SUSP_Reversed_Base64_Encoded_EXE | Description: Detects an base64 encoded executable with reversed characters | Author: Florian Roth
  • 0x24c52:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source: 00000000.00000000.274786336.0000000000F52000.00000002.00020000.sdmp | Rule: SUSP_Reversed_Base64_Encoded_EXE | Description: Detects an base64 encoded executable with reversed characters | Author: Florian Roth
  • 0x24a52:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 00000006.00000002.543227131.00000000007D2000.00000002.00020000.sdmp | Rule: SUSP_Reversed_Base64_Encoded_EXE | Description: Detects an base64 encoded executable with reversed characters | Author: Florian Roth
  • 0x24a52:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 00000006.00000002.547660714.0000000002EBA000.00000004.00000001.sdmp | Rule: Hawkeye | Description: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
  • 0x25d0:$hawkstr1: HawkEye Keylogger
  • 0x2088:$hawkstr2: Dear HawkEye Customers!
  • 0x21b6:$hawkstr3: HawkEye Logger Details:
Source: 00000006.00000000.306772645.00000000007D2000.00000002.00020000.sdmp | Rule: SUSP_Reversed_Base64_Encoded_EXE | Description: Detects an base64 encoded executable with reversed characters | Author: Florian Roth
  • 0x24a52:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 00000006.00000002.548153449.0000000003C21000.00000004.00000001.sdmp | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
(23 entries in total; the first 5 are shown)

Unpacked PEs

Source: 6.2.gunzipped.exe.7d0000.1.unpack | Rule: SUSP_Reversed_Base64_Encoded_EXE | Description: Detects an base64 encoded executable with reversed characters | Author: Florian Roth
  • 0x24c52:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 6.0.gunzipped.exe.7d0000.0.unpack | Rule: SUSP_Reversed_Base64_Encoded_EXE | Description: Detects an base64 encoded executable with reversed characters | Author: Florian Roth
  • 0x24c52:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 0.0.gunzipped.exe.f50000.0.unpack | Rule: SUSP_Reversed_Base64_Encoded_EXE | Description: Detects an base64 encoded executable with reversed characters | Author: Florian Roth
  • 0x24c52:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 0.2.gunzipped.exe.f50000.0.unpack | Rule: SUSP_Reversed_Base64_Encoded_EXE | Description: Detects an base64 encoded executable with reversed characters | Author: Florian Roth
  • 0x24c52:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 8.2.vbc.exe.400000.0.raw.unpack | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
(7 entries in total; the first 5 are shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
Data:
  • Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
  • CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
  • CommandLine|base64offset|contains: ^
  • Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  • NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  • OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  • ParentCommandLine: {path}
  • ParentImage: C:\Users\user\Desktop\gunzipped.exe
  • ParentProcessId: 6192
  • ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
  • ProcessId: 6524

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: gunzipped.exe | Virustotal: Detection: 34%
Machine Learning detection for sample
Source: gunzipped.exe | Joe Sandbox ML: detected
Source: 6.2.gunzipped.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 6.2.gunzipped.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F4A6F3)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F426D9)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F4A7DD)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F49CEF)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F4326B)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then call 0520A6E8h (6_2_06F49A2A)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F49A2A)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F42B9A)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F42835)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F4A014)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then call 0520A6E8h (6_2_06F491EB)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F491EB)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then call 0520A6E8h (6_2_06F49940)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F49940)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F50193)
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_06F50326)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.6:49734 -> 103.27.200.199:21
Source: global traffic | TCP traffic: 192.168.2.6:49739 -> 103.27.200.199:35022
Source: Joe Sandbox View | ASN Name: BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH
Source: unknown | FTP traffic detected: 103.27.200.199:21 -> 192.168.2.6:49734
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 3 of 50 allowed.
  220-Local time is now 05:23. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.332471402.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.332471402.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000003.332287681.0000000000A2C000.00000004.00000001.sdmp | String found in binary or memory: le://192.168.2.1/temp/Office16.x86.en-US.ISOfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000003.332287681.0000000000A2C000.00000004.00000001.sdmp | String found in binary or memory: le://192.168.2.1/temp/Office16.x86.en-US.ISOfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 75.103.13.0.in-addr.arpa
Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: gunzipped.exe, 00000006.00000002.547389328.0000000002D2E000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.triplelink.co.th
Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: gunzipped.exe, 00000006.00000002.546348501.0000000002C21000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, vbc.exe, 00000009.00000002.331719557.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: gunzipped.exe, 00000006.00000002.547389328.0000000002D2E000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.546348501.0000000002C21000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: gunzipped.exe, 00000000.00000002.321902406.00000000063A0000.00000002.00000001.sdmp, gunzipped.exe, 00000006.00000002.550878526.0000000005E40000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 00000008.00000003.332318727.0000000000A2B000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=000
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 6.2.gunzipped.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040D674 OpenClipboard,GetLastError,DeleteFileW
Source: gunzipped.exe, 00000000.00000002.312406709.0000000001649000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.547660714.0000000002EBA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.547702522.0000000002ECA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.546348501.0000000002C21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 6.2.gunzipped.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.gunzipped.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F4F678 NtResumeThread
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F4F7D8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F4F890 NtSetContextThread
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F4F673 NtResumeThread
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F4F7D3 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F4F888 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_0162C2D4
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_0162E8E0
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_0162E8F0
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_0290B29C
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_0290C310
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_029099D0
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_0290DFD0
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F4B650
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F4BD88
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F422B8
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F43BE8
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F42BA8
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F46B20
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F422A9
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F43BD7
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F491EB
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_0748B4E0
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_0748EEC8
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_0748BDB0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
Source: gunzipped.exe, 00000000.00000002.323672346.0000000007A10000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000002.315175234.0000000003AA6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000002.313490498.0000000003561000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000000.274862347.000000000101C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAfGNF.exeB vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000002.312406709.0000000001649000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs gunzipped.exe
Source: gunzipped.exe, 00000006.00000002.547794823.0000000002EDE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs gunzipped.exe
Source: gunzipped.exe, 00000006.00000002.543194234.0000000000482000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs gunzipped.exe
Source: gunzipped.exe, 00000006.00000000.306970511.000000000089C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAfGNF.exeB vs gunzipped.exe
Source: gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs gunzipped.exe
Source: gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs gunzipped.exe
Source: gunzipped.exe | Binary or memory string: OriginalFilenameAfGNF.exeB vs gunzipped.exe
Source: gunzipped.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000000.274786336.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000006.00000002.543227131.00000000007D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000006.00000002.547660714.0000000002EBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: 00000006.00000000.306772645.00000000007D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
      Source: 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: 00000006.00000002.547702522.0000000002ECA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
      Source: 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: 00000006.00000002.546348501.0000000002C21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.309148692.0000000000F52000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Process Memory Space: gunzipped.exe PID: 6192, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Process Memory Space: gunzipped.exe PID: 6888, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 6.2.gunzipped.exe.7d0000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 6.0.gunzipped.exe.7d0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 0.0.gunzipped.exe.f50000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 0.2.gunzipped.exe.f50000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 6.2.gunzipped.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
      Source: 6.2.gunzipped.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: gunzipped.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 6.2.gunzipped.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
      Source: 6.2.gunzipped.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
      Source: 6.2.gunzipped.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
      Source: 6.2.gunzipped.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
      Source: 6.2.gunzipped.exe.400000.0.unpack, Form1.csBase64 encoded string: 'xZv2KTjDOGwMPewlL06/2/+cBh+3YNzZLNYqWwxyouAodILYLJV9xZ9CGhDaO0jH', 'G9O9EXxYbTKbu/JIqZ4FXWAEsGCT7RJ+/SHmPiE44HoRMOAUDNTRY4dL0xxXj+PX', 'yFzOCZnSHgqZgbtRiX7zTTL1Qt6D+8cCFAWN8MP9eKKls7OaJo1TF2n4j++JkQX9', 'LeVgD+CCM8vGOvvCfBCbKlOuO22U5biiPlXQ3m1iV5wOttbrqIGRlRjJtF3s2yy7JUW0Ja5O8CmF3VvxZqreIg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
      Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@8/4@4/2
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,8_2_00415AFD
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,8_2_00415F87
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,8_2_00411196
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource,8_2_00411EF8
      Source: C:\Users\user\Desktop\gunzipped.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gunzipped.exe.logJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile created: C:\Users\user\AppData\Local\Temp\holderwb.txtJump to behavior
      Source: gunzipped.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\gunzipped.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Desktop\gunzipped.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformationJump to behavior
      Source: C:\Users\user\Desktop\gunzipped.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\gunzipped.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\gunzipped.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\gunzipped.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\gunzipped.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
      Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
      Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.332471402.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
      Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
      Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
      Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
      Source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
      Source: gunzipped.exeVirustotal: Detection: 34%
      Source: unknownProcess created: C:\Users\user\Desktop\gunzipped.exe 'C:\Users\user\Desktop\gunzipped.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\gunzipped.exe {path}
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
      Source: unknownProcess created: C:\Windows\System32\wuapihost.exe C:\Windows\System32\wuapihost.exe -Embedding
      Source: C:\Users\user\Desktop\gunzipped.exeProcess created: C:\Users\user\Desktop\gunzipped.exe {path}Jump to behavior
      Source: C:\Users\user\Desktop\gunzipped.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'Jump to behavior
      Source: C:\Users\user\Desktop\gunzipped.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'Jump to behavior
      Source: C:\Users\user\Desktop\gunzipped.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
      Source: C:\Users\user\Desktop\gunzipped.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
      Source: gunzipped.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: gunzipped.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.547794823.0000000002EDE000.00000004.00000001.sdmp
      Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, vbc.exe
      Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: gunzipped.exe, 00000000.00000002.317545620.00000000045EE000.00000004.00000001.sdmp, gunzipped.exe, 00000006.00000002.542806976.0000000000402000.00000040.00000001.sdmp, vbc.exe

      Data Obfuscation:

.NET source code contains potential unpacker
Source: 6.2.gunzipped.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.gunzipped.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.gunzipped.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.gunzipped.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_004422C7
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_0290E673 push esp; ret 6_2_0290E679
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F405B0 pushfd ; retf 6_2_06F405B9
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F44B7B pushad ; retf 6_2_06F44B81
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F4D8FE push ss; retf 6_2_06F4D907
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F45038 pushfd ; retf 6_2_06F45045
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 6_2_06F50006 push es; iretd 6_2_06F50014
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00442871 push ecx; ret 8_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00442A90 push eax; ret 8_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00442A90 push eax; ret 8_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00446E54 push eax; ret 8_2_00446E61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00411879 push ecx; ret 9_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_004118A0 push eax; ret 9_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_004118A0 push eax; ret 9_2_004118DC
Source: initial sample | Static PE information: section name: .text entropy: 7.83648993633

      Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\gunzipped.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_00441975
Source: C:\Users\user\Desktop\gunzipped.exe | Process information set: NOOPENFILEERRORBOX (88 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)

      Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: gunzipped.exe PID: 6888, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: gunzipped.exe, 00000000.00000002.315208358.0000000003AAD000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: gunzipped.exe, 00000000.00000002.315208358.0000000003AAD000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary, 8_2_00408836
Source: C:\Users\user\Desktop\gunzipped.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Users\user\Desktop\gunzipped.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\gunzipped.exe | Window / User API: threadDelayed 456
Source: C:\Users\user\Desktop\gunzipped.exe TID: 6892 | Thread sleep time: -38000s >= -30000s
Source: C:\Users\user\Desktop\gunzipped.exe TID: 6908 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\gunzipped.exe TID: 6156 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\gunzipped.exe TID: 6060 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\gunzipped.exe TID: 6476 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\gunzipped.exe TID: 6484 | Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\gunzipped.exe TID: 6424 | Thread sleep time: -91200s >= -30000s
Source: C:\Users\user\Desktop\gunzipped.exe TID: 1376 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\gunzipped.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 8_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 8_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 9_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004161B0 memset,GetSystemInfo, 8_2_004161B0
Source: gunzipped.exe, 00000000.00000002.315208358.0000000003AAD000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: gunzipped.exe, 00000000.00000002.315208358.0000000003AAD000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: gunzipped.exe, 00000000.00000002.315208358.0000000003AAD000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: gunzipped.exe, 00000000.00000002.315208358.0000000003AAD000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: gunzipped.exe, 00000000.00000002.315208358.0000000003AAD000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: gunzipped.exe, 00000000.00000002.315208358.0000000003AAD000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: gunzipped.exe, 00000000.00000002.315208358.0000000003AAD000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
      Source: gunzipped.exe, 00000000.00000002.315208358.0000000003AAD000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: C:\Users\user\Desktop\gunzipped.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\gunzipped.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\gunzipped.exe