Analysis Report 98764737722.PDF.exe

Overview

General Information

Sample Name: 98764737722.PDF.exe
Analysis ID: 252648
MD5: 76fb3b8f5af85c90cd1d2552dc2e49e4
SHA1: 484690708a692c055ebbe84b3ae7ded795a02463
SHA256: 2be5f97b6c1e1a59e9e19b41de55ab517fcd423773ae51b3b4cd18bc0dbcd037

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 98764737722.PDF.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\98764737722.PDF.exe' MD5: 76FB3B8F5AF85C90CD1D2552DC2E49E4)
    • 98764737722.PDF.exe (PID: 6180 cmdline: {path} MD5: 76FB3B8F5AF85C90CD1D2552DC2E49E4)
      • vbc.exe (PID: 6652 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5872 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • wuapihost.exe (PID: 5620 cmdline: C:\Windows\System32\wuapihost.exe -Embedding MD5: 85C9C161B102A164EC09A23CACDDD09E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
98764737722.PDF.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xd56f8:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author
0000000A.00000002.336661564.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000007.00000002.536069376.0000000002C51000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x39370:$hawkstr1: HawkEye Keylogger
  • 0x3d0d0:$hawkstr1: HawkEye Keylogger
  • 0x3d4ac:$hawkstr1: HawkEye Keylogger
  • 0x400e0:$hawkstr1: HawkEye Keylogger
  • 0x38e28:$hawkstr2: Dear HawkEye Customers!
  • 0x3d130:$hawkstr2: Dear HawkEye Customers!
  • 0x3d50c:$hawkstr2: Dear HawkEye Customers!
  • 0x38f56:$hawkstr3: HawkEye Logger Details:
00000007.00000002.534741575.0000000000842000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xd54f8:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000007.00000000.311067282.0000000000842000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xd54f8:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000006.00000000.309663940.00000000001B2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xd54f8:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
(5 of 24 entries shown)

Unpacked PEs

Source | Rule | Description | Author
11.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
7.2.98764737722.PDF.exe.840000.1.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xd56f8:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
6.0.98764737722.PDF.exe.1b0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xd56f8:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
6.2.98764737722.PDF.exe.1b0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xd56f8:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.2.98764737722.PDF.exe.2c0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xd56f8:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
(5 of 9 entries shown)
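Every SUSP_Reversed_Base64_Encoded_EXE hit above fires on the same string, $sh3 = uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV. Read backwards and base64-decoded it is the DOS-stub message "This program cannot be run in DOS mode.", which sits at offset 0x4E in the standard MZ header written by Microsoft linkers; 0x4E is a multiple of 3, so the message always lands on the same base64 alignment and the rule string stays stable whatever PE is embedded. The Python below is an added example, not part of the sandbox report, the Yara rule or the sample: it decodes the reported string and recovers a reversed-base64 PE from a carrier blob. FAKE_PE and CARRIER are constructed for the example; the only datum taken from the report is SH3.

```python
import base64
import re
from typing import Optional

# The $sh3 string of SUSP_Reversed_Base64_Encoded_EXE as reported on this page.
SH3 = "uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV"

# Constructed for this example: a minimal MZ header laid out like a real MSVC/.NET
# binary (e_lfanew = 0x80, 14-byte DOS stub code at 0x40, stub message at 0x4E,
# "PE\0\0" at 0x80). It is not a runnable executable.
FAKE_PE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
    + b"\x00" * 28
    + b"\x80\x00\x00\x00"                                          # e_lfanew -> 0x80
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # DOS stub code (0x40)
    + b"This program cannot be run in DOS mode.\r\r\n$"            # stub message (0x4E)
)
FAKE_PE += b"\x00" * (0x80 - len(FAKE_PE)) + b"PE\x00\x00"


def encode_reversed_b64(data: bytes) -> str:
    """The dropper's side: base64-encode the payload, then reverse the text."""
    return base64.b64encode(data).decode("ascii")[::-1]


def decode_reversed_b64(text: str) -> bytes:
    """Undo it: reverse, restore any stripped '=' padding, decode strictly."""
    text = text[::-1]
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text, validate=True)


# After reversal the '=' padding, if any, sits at the FRONT of the run.
B64_RUN = re.compile(rb"={0,2}[A-Za-z0-9+/]{64,}")


def recover_reversed_pe(blob: bytes) -> Optional[bytes]:
    """Scan a blob (resource, memory dump, decompiled string literal) for a
    reversed-base64 run that decodes to something starting with 'MZ'.
    Longest runs are tried first, since the payload dwarfs any other base64."""
    runs = sorted(B64_RUN.finditer(blob), key=lambda m: len(m.group()), reverse=True)
    for m in runs:
        try:
            data = decode_reversed_b64(m.group().decode("ascii"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if data[:2] == b"MZ":
            return data
    return None


# Constructed carrier: a .NET-resource-like wrapper with the reversed payload inside.
CARRIER = b'<data name="payload">' + encode_reversed_b64(FAKE_PE).encode("ascii") + b"</data>"

if __name__ == "__main__":
    print(decode_reversed_b64(SH3))
    recovered = recover_reversed_pe(CARRIER)
    print(recovered is not None and recovered[:2] == b"MZ")
```

Against a real sample the blob would be the .NET resource or the memory region the rule matched (here the 0x842000 image and the 0x400000 unpack); the function does not locate that region for you, it only undoes the encoding once you have it.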

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
  Source: Process started
  Author: Florian Roth (rule), @blu3_team (idea)
  Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\98764737722.PDF.exe, NewProcessName: C:\Users\user\Desktop\98764737722.PDF.exe, OriginalFileName: C:\Users\user\Desktop\98764737722.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\98764737722.PDF.exe', ParentImage: C:\Users\user\Desktop\98764737722.PDF.exe, ParentProcessId: 6952, ProcessCommandLine: {path}, ProcessId: 408
Sigma detected: Suspicious Process Creation
  Source: Process started
  Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
  Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\98764737722.PDF.exe, ParentProcessId: 6180, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', ProcessId: 6652
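The two Sigma hits and the Startup tree together describe the whole HawkEye chain: a double-extension dropper starts a second copy of its own image (command line {path}), and that copy launches the legitimate .NET compiler vbc.exe twice with a NirSoft-style /stext switch. vbc.exe accepts no such switch; the Yara and OriginalFilename evidence elsewhere on this page shows the hollowed vbc.exe instances are actually WebBrowserPassView (holderwb.txt) and mailpv (holdermail.txt). The Python below is an added example, not part of the report or of the Sigma rules it cites: it runs equivalent checks plus a parent/child correlation over process-creation records constructed from the Startup tree. Field names follow the Sigma output; the ParentImage values for PIDs 6952 and 5620 and the ParentProcessId values 1234 and 800 are assumptions the report does not give.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Process-creation records modelled on the Startup tree and the Sigma "Process started"
# events in this report. Constructed for this example; ParentImage for PIDs 6952 and
# 5620 and the ParentProcessId values 1234 and 800 are assumed, not reported.
EVENTS = [
    {"ProcessId": 6952, "ParentProcessId": 1234,
     "Image": r"C:\Users\user\Desktop\98764737722.PDF.exe",
     "CommandLine": r"'C:\Users\user\Desktop\98764737722.PDF.exe'",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 6180, "ParentProcessId": 6952,
     "Image": r"C:\Users\user\Desktop\98764737722.PDF.exe",
     "CommandLine": "{path}",
     "ParentImage": r"C:\Users\user\Desktop\98764737722.PDF.exe"},
    {"ProcessId": 6652, "ParentProcessId": 6180,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'",
     "ParentImage": r"C:\Users\user\Desktop\98764737722.PDF.exe"},
    {"ProcessId": 5872, "ParentProcessId": 6180,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'",
     "ParentImage": r"C:\Users\user\Desktop\98764737722.PDF.exe"},
    {"ProcessId": 5620, "ParentProcessId": 800,
     "Image": r"C:\Windows\System32\wuapihost.exe",
     "CommandLine": r"C:\Windows\System32\wuapihost.exe -Embedding",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# Document/media extensions that have no business sitting in front of an executable one.
DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|rtf|txt|csv|jpe?g|png|gif|zip|rar)\.(exe|scr|com|pif)$", re.I)

# NirSoft "save report" switches. The .NET compilers and other commonly hollowed
# Microsoft binaries do not take them, so their presence means the image in memory
# is not the one on disk.
NIRSOFT_SAVE = re.compile(r"(^|\s)/s(text|html|verhtml|xml|csv|tab|comma)\b", re.I)
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "cvtres.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_double_extension(image: str) -> bool:
    return DOUBLE_EXT.search(basename(image)) is not None


def is_self_spawn(ev: dict) -> bool:
    """A process started a second copy of its own image: the staging step of
    process hollowing. Noisy on its own (browsers and updaters do it too)."""
    return basename(ev["Image"]) == basename(ev["ParentImage"])


def is_nirsoft_dump_via_lolbin(ev: dict) -> bool:
    return basename(ev["Image"]) in HOLLOW_HOSTS and NIRSOFT_SAVE.search(ev["CommandLine"]) is not None


def detect(events: list) -> list:
    """Return (rule, ProcessId) pairs. The chain rule fires on the self-spawned
    parent once it has launched two or more credential dumpers."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    hits = []
    for ev in events:
        pid = ev["ProcessId"]
        if is_double_extension(ev["Image"]):
            hits.append(("double_extension", pid))
        if is_self_spawn(ev):
            hits.append(("self_spawn", pid))
        if is_nirsoft_dump_via_lolbin(ev):
            hits.append(("nirsoft_dump_via_lolbin", pid))
    dumper_parents = Counter(ev["ParentProcessId"] for ev in events if is_nirsoft_dump_via_lolbin(ev))
    for ppid, count in dumper_parents.items():
        parent = by_pid.get(ppid)
        if parent is not None and is_self_spawn(parent) and count >= 2:
            hits.append(("hawkeye_like_chain", ppid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<24} PID {pid}")
```

The self-spawn check is deliberately kept as a low-confidence signal and only promoted by the correlation step; the double-extension and /stext checks are high-confidence on their own, which is why both Sigma rules above fire without any correlation.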

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 98764737722.PDF.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: 98764737722.PDF.exe | Virustotal: Detection: 37%
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.98764737722.PDF.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.98764737722.PDF.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473

May infect USB drives
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: 98764737722.PDF.exe, 00000007.00000002.534369182.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: 98764737722.PDF.exe, 00000007.00000002.534369182.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00407E0E FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.6:49741 -> 103.27.200.199:21
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.6:49742 -> 103.27.200.199:35755
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH
Uses FTP
Source: unknown | FTP traffic detected: 103.27.200.199:21 -> 192.168.2.6:49741
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 3 of 50 allowed.
  220-Local time is now 06:03. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000002.336661564.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000002.336661564.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000A.00000003.336429638.0000000000AFC000.00000004.00000001.sdmp | String found in binary or memory: le://192.168.2.1/temp/Office16.x86.en-US.ISOfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000A.00000003.336429638.0000000000AFC000.00000004.00000001.sdmp | String found in binary or memory: le://192.168.2.1/temp/Office16.x86.en-US.ISOfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 251.111.0.0.in-addr.arpa
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 98764737722.PDF.exe, 00000007.00000002.536807970.0000000002F26000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.triplelink.co.th
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: 98764737722.PDF.exe, 00000007.00000002.536069376.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 98764737722.PDF.exe | String found in binary or memory: http://tempuri.org/dbPlayersDataSet.xsd
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.534369182.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 0000000B.00000002.335352869.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 98764737722.PDF.exe, 00000007.00000002.536069376.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 98764737722.PDF.exe, 00000000.00000002.323766034.00000000058B0000.00000002.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.540574563.0000000005F10000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 0000000A.00000003.336492600.0000000000AFB000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=000
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 7.2.98764737722.PDF.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_0040D674 OpenClipboard,GetLastError,DeleteFileW

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.536069376.0000000002C51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.534369182.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.534369182.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 7.2.98764737722.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.98764737722.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: 98764737722.PDF.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_0262C1240_2_0262C124
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_0262E5620_2_0262E562
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_0262E5700_2_0262E570
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071774600_2_07177460
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_0717A2900_2_0717A290
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071749E80_2_071749E8
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_07179F580_2_07179F58
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_07170F700_2_07170F70
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_07170F600_2_07170F60
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_07177F900_2_07177F90
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_07177D700_2_07177D70
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071715B80_2_071715B8
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071715A90_2_071715A9
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071774500_2_07177450
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_07174C900_2_07174C90
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_07174C800_2_07174C80
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071782980_2_07178298
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071782880_2_07178288
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071721110_2_07172111
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071709100_2_07170910
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071709200_2_07170920
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_0717A9400_2_0717A940
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071711B80_2_071711B8
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071721A80_2_071721A8
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071749D80_2_071749D8
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 0_2_071711C80_2_071711C8
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 7_2_0145B29C7_2_0145B29C
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 7_2_0145C3107_2_0145C310
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 7_2_014599D07_2_014599D0
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 7_2_0145DFD07_2_0145DFD0
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 7_2_05CFB4E07_2_05CFB4E0
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 7_2_05CFBDB07_2_05CFBDB0
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 7_2_05CFEEC87_2_05CFEEC8
      Source: C:\Users\user\Desktop\98764737722.PDF.exeCode function: 7_2_05CFB1987_2_05CFB198
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0040441910_2_00404419
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0040451610_2_00404516
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0041353810_2_00413538
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_004145A110_2_004145A1
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0040E63910_2_0040E639
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_004337AF10_2_004337AF
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_004399B110_2_004399B1
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0043DAE710_2_0043DAE7
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_00405CF610_2_00405CF6
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_00403F8510_2_00403F85
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_00411F9910_2_00411F99
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 11_2_00404DDB11_2_00404DDB
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 11_2_0040BD8A11_2_0040BD8A
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 11_2_00404E4C11_2_00404E4C
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 11_2_00404EBD11_2_00404EBD
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 11_2_00404F4E11_2_00404F4E
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
Source: 98764737722.PDF.exe | Binary or memory string: OriginalFilename vs 98764737722.PDF.exe (reported 3 times)
Source: 98764737722.PDF.exe, 00000000.00000002.327243692.00000000084E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000000.00000002.312423896.00000000002C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemDVpY.exe4 vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000000.00000002.326981868.0000000006D90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000000.00000002.315063643.0000000002881000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000006.00000000.309663940.00000000001B2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemDVpY.exe4 vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000007.00000002.536069376.0000000002C51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000007.00000002.534741575.0000000000842000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemDVpY.exe4 vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000007.00000002.535780931.0000000000FBA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000007.00000002.534688762.0000000000482000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe | Binary or memory string: OriginalFilenamemDVpY.exe4 vs 98764737722.PDF.exe
Source: 98764737722.PDF.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000007.00000002.536069376.0000000002C51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.534741575.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000007.00000000.311067282.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000006.00000000.309663940.00000000001B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.310164214.00000000001B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000002.312423896.00000000002C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000000.269980182.00000000002C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000007.00000002.534369182.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000002.534369182.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 98764737722.PDF.exe PID: 6180, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: 98764737722.PDF.exe PID: 408, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: 98764737722.PDF.exe PID: 6952, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 7.2.98764737722.PDF.exe.840000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 6.0.98764737722.PDF.exe.1b0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 6.2.98764737722.PDF.exe.1b0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0.2.98764737722.PDF.exe.2c0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 7.0.98764737722.PDF.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0.0.98764737722.PDF.exe.2c0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 7.2.98764737722.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.98764737722.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 98764737722.PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.2.98764737722.PDF.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (reported 3 times)
Source: 7.2.98764737722.PDF.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.98764737722.PDF.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'xZv2KTjDOGwMPewlL06/2/+cBh+3YNzZLNYqWwxyouAodILYLJV9xZ9CGhDaO0jH', 'G9O9EXxYbTKbu/JIqZ4FXWAEsGCT7RJ+/SHmPiE44HoRMOAUDNTRY4dL0xxXj+PX', 'yFzOCZnSHgqZgbtRiX7zTTL1Qt6D+8cCFAWN8MP9eKKls7OaJo1TF2n4j++JkQX9', 'WJ3Xn2YvqubzUIgS3jaTjAaKaQkCT/ssn+GW9EwS1f7J2udbItuCdhqCphYVcmbQcDYPCf0loSL214DtcuTxjw==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
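The SUSP_Reversed_Base64_Encoded_EXE matches above, the CreateDecryptor/TransformFinalBlock calls and the Base64 strings in Form1.cs all point at a loader that keeps its next stage as text, decodes it in memory and hands the bytes to Assembly.Load(System.Byte[]) (the unpacker findings further down this report). The script below is an added example written for this page, not code from the sample and not Florian Roth's rule: it scans a buffer for long base64 runs, tries each run as written and reversed, and reports those that decode to an MZ image. The rule's own strings are not on this page; the scan, the 64-character minimum run length and the constructed stand-in executable are my assumptions.

```python
"""Recover executables hidden as (possibly reversed) base64 text inside a larger blob."""
import base64
import binascii
import re

# Runs of base64 alphabet at least 64 chars long. '=' padding may sit at either end,
# because a reversed string carries its padding at the front instead of the back.
B64_RUN = re.compile(rb"={0,2}[A-Za-z0-9+/]{64,}={0,2}")
DOS_STUB = b"This program cannot be run in DOS mode"


def _try_decode(chunk):
    """Strict base64 decode; None if the run is not valid base64 in this orientation."""
    try:
        return base64.b64decode(chunk, validate=True)
    except binascii.Error:
        return None


def find_embedded_pe(blob):
    """Return [(offset, orientation, decoded_bytes)] for every base64 run that decodes
    to an MZ image, trying the run as written first and reversed second."""
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group()
        for orientation, text in (("plain", run), ("reversed", run[::-1])):
            decoded = _try_decode(text)
            if decoded and decoded[:2] == b"MZ":
                hits.append((m.start(), orientation, decoded))
                break  # one orientation per run is enough
    return hits


def describe(decoded):
    """Quick facts an analyst wants before handing the bytes to a PE parser."""
    return {
        "size": len(decoded),
        "mz": decoded[:2] == b"MZ",
        "dos_stub": DOS_STUB in decoded,
    }


# Constructed stand-in for a dropped PE (not the real sample): MZ header, zeroed DOS
# header fields, the DOS stub text and some filler bytes.
FAKE_PE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
           + DOS_STUB + b".\r\n$" + bytes(range(256)) * 4)
# Reversed-base64 payload buried in junk, the layout the Yara rule is written for.
REVERSED_BLOB = b"filler junk ~~~ " + base64.b64encode(FAKE_PE)[::-1] + b" ~~~ more junk"
# Same payload stored the ordinary way, to show the scan handles both.
PLAIN_BLOB = b"hdr " + base64.b64encode(FAKE_PE) + b" tail"

if __name__ == "__main__":
    for off, how, data in find_embedded_pe(REVERSED_BLOB):
        print(f"offset {off}: {how} base64 -> {describe(data)}")
```

Once a hit is confirmed the decoded bytes are exactly what such a loader would pass to Assembly.Load or write to a hollowed process, so they are the artefact to carve out and hash rather than the outer dropper.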
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@10/4@4/2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\Desktop\98764737722.PDF.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\98764737722.PDF.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\holderwb.txt
Source: 98764737722.PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\98764737722.PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (reported 2 times)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\98764737722.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\98764737722.PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 4 times)
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 98764737722.PDF.exe | Binary or memory string: SELECT FirstName, LastName FROM PlayerStats;
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000002.336661564.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 98764737722.PDF.exe | Virustotal: Detection: 37%
Source: unknown | Process created: C:\Users\user\Desktop\98764737722.PDF.exe 'C:\Users\user\Desktop\98764737722.PDF.exe'
Source: unknown | Process created: C:\Users\user\Desktop\98764737722.PDF.exe {path}
Source: unknown | Process created: C:\Users\user\Desktop\98764737722.PDF.exe {path}
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown | Process created: C:\Windows\System32\wuapihost.exe C:\Windows\System32\wuapihost.exe -Embedding
Source: C:\Users\user\Desktop\98764737722.PDF.exe | Process created: C:\Users\user\Desktop\98764737722.PDF.exe {path}
Source: C:\Users\user\Desktop\98764737722.PDF.exe | Process created: C:\Users\user\Desktop\98764737722.PDF.exe {path}
Source: C:\Users\user\Desktop\98764737722.PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\98764737722.PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
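The process tree above is the pattern the rest of this report's credential-theft findings hang on: the sample restarts itself twice, then launches the .NET 2.0 compiler vbc.exe twice with /stext pointing at a file under %TEMP%. /stext is the "save as text" switch of the NirSoft recovery tools whose names and PDB paths (mailpv.exe, WebBrowserPassView.exe) this report finds in the vbc.exe memory, so vbc.exe is not compiling anything here; it is hosting an injected password dumper, and holderwb.txt is the dump it writes. The detection below is an added example written for this page, not a Joe Sandbox or Sigma rule: it runs over constructed Sysmon-style process-create and file-create events that mirror the report's command lines, flags framework binaries started with /stext, and correlates the named output file with a file actually written by that PID. The host binaries beyond vbc.exe and every PID other than the sample's own are assumptions.

```python
"""Flag .NET framework binaries launched as NirSoft-style dumper hosts (vbc.exe /stext <file>)."""
import json
import ntpath
import re

# Framework binaries that loaders of this kind hollow. vbc.exe is the one in this
# report; the others are an assumption added for coverage.
HOLLOW_HOSTS = {"vbc.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# /stext followed by a quoted or bare path.
STEXT = re.compile(r"/stext\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
USER_PATH = re.compile(r"^[a-z]:\\users\\", re.I)

# Constructed Sysmon-style events (1 = process create, 11 = file create). Images,
# command lines and Temp file names mirror the report; PIDs 7001/7002/5000/4000 are invented.
EVENT_LOG = r"""
{"event": 1, "pid": 6952, "ppid": 408, "image": "C:\\Users\\user\\Desktop\\98764737722.PDF.exe", "cmd": "{path}", "parent": "C:\\Users\\user\\Desktop\\98764737722.PDF.exe"}
{"event": 1, "pid": 7001, "ppid": 6952, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe", "cmd": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe /stext 'C:\\Users\\user\\AppData\\Local\\Temp\\holdermail.txt'", "parent": "C:\\Users\\user\\Desktop\\98764737722.PDF.exe"}
{"event": 1, "pid": 7002, "ppid": 6952, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe", "cmd": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe /stext 'C:\\Users\\user\\AppData\\Local\\Temp\\holderwb.txt'", "parent": "C:\\Users\\user\\Desktop\\98764737722.PDF.exe"}
{"event": 11, "pid": 7002, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe", "target": "C:\\Users\\user\\AppData\\Local\\Temp\\holderwb.txt"}
{"event": 1, "pid": 5000, "ppid": 4000, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "cmd": "vbc.exe /noconfig @C:\\build\\args.rsp", "parent": "C:\\Program Files (x86)\\MSBuild\\14.0\\Bin\\MSBuild.exe"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stext_target(cmd):
    """Path given to /stext, or None when the switch is absent."""
    m = STEXT.search(cmd)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def detect(events):
    """Alerts for framework binaries used as /stext dumpers (or merely spawned from a
    user-writable directory), with the dump file correlated against file-create events."""
    alerts = []
    for e in events:
        if e["event"] != 1:
            continue
        exe = ntpath.basename(e["image"]).lower()
        if exe not in HOLLOW_HOSTS:
            continue
        target = stext_target(e["cmd"])
        if target:
            alerts.append({"pid": e["pid"], "rule": "dotnet_host_stext_dump",
                           "output": target, "parent": e["parent"], "file_written": False})
        elif USER_PATH.match(e["parent"]):
            alerts.append({"pid": e["pid"], "rule": "dotnet_host_spawned_from_user_dir",
                           "parent": e["parent"], "file_written": False})
    # Confirm which flagged processes actually produced their dump file.
    written = {(e["pid"], e["target"].lower()) for e in events if e["event"] == 11}
    for a in alerts:
        if (a["pid"], a.get("output", "").lower()) in written:
            a["file_written"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(EVENT_LOG)):
        print(alert)
```

The benign vbc.exe started by MSBuild with a response file produces no alert, which is the point of keying on the /stext switch and the parent path rather than on the compiler's name alone.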
Source: C:\Users\user\Desktop\98764737722.PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\98764737722.PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: 98764737722.PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 98764737722.PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: 98764737722.PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.536069376.0000000002C51000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: 98764737722.PDF.exe, 00000000.00000002.319525158.000000000390F000.00000004.00000001.sdmp, 98764737722.PDF.exe, 00000007.00000002.537138633.0000000003C51000.00000004.00000001.sdmp, vbc.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: 7.2.98764737722.PDF.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.98764737722.PDF.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.98764737722.PDF.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.98764737722.PDF.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xB024A4FD [Fri Aug 24 14:32:29 2063 UTC]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\98764737722.PDF.exe | Code function: 0_2_07172A36 push cs; iretd 0_2_07172A38
Source: C:\Users\user\Desktop\98764737722.PDF.exe | Code function: 0_2_07172A40 push cs; iretd 0_2_07172A42
Source: C:\Users\user\Desktop\98764737722.PDF.exe | Code function: 7_2_0145E673 push esp; ret 7_2_0145E679
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00442871 push ecx; ret 10_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00442A90 push eax; ret 10_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00442A90 push eax; ret 10_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00446E54 push eax; ret 10_2_00446E61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00411879 push ecx; ret 11_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_004118A0 push eax; ret 11_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_004118A0 push eax; ret 11_2_004118DC
Source: initial sample | Static PE information: section name: .text entropy: 7.66142086801

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\98764737722.PDF.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe | Static PE information: 98764737722.PDF.exe
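Three of this report's static findings need no execution at all: the COFF timestamp 0xB024A4FD that resolves to August 2063, a .text section carrying IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_READ with entropy 7.66, and the .PDF.exe double extension. The script below is an added example written for this page, not sandbox code: it constructs a minimal PE32 that carries the report's timestamp and a high-entropy section, parses it with struct, and raises the same three findings. The extension pairs beyond .pdf.exe, the 7.0 entropy threshold and the hash-chain filler standing in for packed code are assumptions.

```python
"""Static triage of a PE: compile timestamp, section flags and entropy, double extension."""
import hashlib
import math
import re
import struct
import time
from collections import Counter
from datetime import datetime, timezone

SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
# A document-style extension immediately followed by an executable one. The report
# shows .pdf.exe; the remaining pairs are an assumption.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|pif|bat)$", re.I)
PACKED_ENTROPY = 7.0  # assumed threshold; the report's .text section scores 7.66


def shannon_entropy(data):
    """Bits per byte, 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data):
    """Minimal PE reader: COFF timestamp plus each section's name, flags and entropy."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _machine, nsect, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, _vs, _va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "flags": [v for k, v in SCN_FLAGS.items() if flags & k],
            "entropy": round(shannon_entropy(raw), 3),
        })
    return {"timestamp": timestamp, "sections": sections}


def triage(filename, data, now=None):
    """Static findings, in the order: double extension, future timestamp, packed sections."""
    now = time.time() if now is None else now
    info = parse_pe(data)
    findings = []
    if DOUBLE_EXT.search(filename):
        findings.append(f"double extension: {filename}")
    if info["timestamp"] > now:
        year = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc).year
        findings.append(f"compile timestamp 0x{info['timestamp']:08X} is in the future ({year})")
    for s in info["sections"]:
        if s["entropy"] > PACKED_ENTROPY:
            findings.append(f"section {s['name']} entropy {s['entropy']} (packed or encrypted)")
    return findings


def _pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_pe(timestamp, text_bytes):
    """Constructed minimal PE32 with one .text section (test input, not the sample)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    raw_ptr = e_lfanew + 24 + 0xE0 + 40   # data sits right after the one section header
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x1000, len(text_bytes),
                       raw_ptr, 0, 0, 0, 0, 0x60000020)  # CODE | EXECUTE | READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect + text_bytes


if __name__ == "__main__":
    sample = build_pe(0xB024A4FD, _pseudo_random(4096))  # timestamp taken from the report
    for finding in triage("98764737722.PDF.exe", sample, now=1_600_000_000):
        print(finding)
```

A future timestamp is only suspicious relative to the analysis clock, so triage takes an explicit now and the report's 2063 value is compared against a fixed 2020 epoch in the self-check rather than against whatever day the script happens to run.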
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\98764737722.PDF.exe | Process information set: NOOPENFILEERRORBOX (87 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)

      Malware Analysis System Evasion:

      Yara detected AntiVM_3
      Source: Yara match, File source: Process Memory Space: 98764737722.PDF.exe PID: 6952, type: MEMORY
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
      Source: C:\Users\user\Desktop\98764737722.PDF.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\98764737722.PDF.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\98764737722.PDF.exe Thread delayed: delay time: 180000
      Source: C:\Users\user\Desktop\98764737722.PDF.exe Window / User API: threadDelayed 429
      Source: C:\Users\user\Desktop\98764737722.PDF.exe TID: 6956 Thread sleep time: -38000s >= -30000s
      Source: C:\Users\user\Desktop\98764737722.PDF.exe TID: 6976 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\98764737722.PDF.exe TID: 6520 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\98764737722.PDF.exe TID: 6592 Thread sleep time: -120000s >= -30000s
      Source: C:\Users\user\Desktop\98764737722.PDF.exe TID: 6468 Thread sleep time: -140000s >= -30000s
      Source: C:\Users\user\Desktop\98764737722.PDF.exe TID: 6488 Thread sleep time: -85800s >= -30000s
      Source: C:\Users\user\Desktop\98764737722.PDF.exe TID: 416 Thread sleep time: -180000s >= -30000s
      Source: C:\Users\user\Desktop\98764737722.PDF.exe Last function: Thread delayed
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00407E0E FindFirstFileW,FindNextFileW,FindClose
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004161B0 memset,GetSystemInfo
      Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: vmware
      Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: VMWARE
      Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
      Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: 98764737722.PDF.exe, 00000007.00000002.535819685.0000000000FE4000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\98764737722.PDF.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\98764737722.PDF.exe Process queried: DebugPort (reported 4 times)
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
      Source: C:\Users\user\Desktop\98764737722.PDF.exe Process token adjusted: Debug (reported 2 times)
      Source: C:\Users\user\Desktop\98764737722.PDF.exe Memory allocated: page read and write | page guard
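      The entries above list what the sample probes: the VMware Tools registry key and install path, the SCSI DEVICEMAP and Services\Disk\Enum keys (where VM disk identifiers surface), the display-adapter setup class {4D36E968-E325-11CE-BFC1-08002BE10318} under which "VMware SVGA II" is registered, Sandboxie's SbieDll.dll, and the Wine export wine_get_unix_file_name, alongside long thread delays and repeated DebugPort queries. Two caveats for whoever triages this: the value 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks of 100 ns divided by 10000), so the threads reporting it are parked indefinitely rather than sleeping past a sandbox timeout; and "Hyper-V RAW" is the name under which the AF_HYPERV Winsock provider in mswsock.dll is registered on ordinary Windows 10 installations, so on its own it is not evidence of a hypervisor check. The Python below is an added triage example, not part of this report or of Joe Sandbox. It applies those rules to a constructed subset of the lines above, copied in the report's own shape, and treats the sleep values as milliseconds; that unit reading is an assumption about the report's output format.

```python
"""Triage anti-VM / anti-analysis indicators from sandbox-style behaviour lines.

Added example: the rules and the sample lines below are constructed from the
report entries; nothing here is Joe Sandbox code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks of 100 ns / 10000.
# A .NET thread parked with Thread.Sleep(TimeSpan.MaxValue) or an equivalent
# infinite wait shows up in a report as exactly this value (922337203685477).
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# Tag -> pattern for the artefacts the sample's memory strings refer to.
# {4D36E968-...} is the "Display adapters" setup class, home of "VMware SVGA II".
ANTI_VM_RULES: list[tuple[str, re.Pattern[str]]] = [
    ("wine_export",         re.compile(r"wine_get_unix_file_name", re.I)),
    ("sandboxie_dll",       re.compile(r"sbiedll\.dll", re.I)),
    ("vmware_tools_key",    re.compile(r"SOFTWARE\\VMware, Inc\.\\VMware Tools", re.I)),
    ("scsi_devicemap_key",  re.compile(r"HARDWARE\\DEVICEMAP\\Scsi", re.I)),
    ("disk_enum_key",       re.compile(r"Services\\Disk\\Enum", re.I)),
    ("display_class_key",   re.compile(r"\{4D36E968-E325-11CE-BFC1-08002BE10318\}", re.I)),
    ("vm_vendor_string",    re.compile(r"vmware|vbox|virtualbox|qemu", re.I)),
    ("hyperv_winsock_name", re.compile(r"Hyper-V RAW", re.I)),
]

# "Hyper-V RAW" names the AF_HYPERV Winsock provider (mswsock.dll) present on
# stock Windows 10, so any process that initialised Winsock can carry it.
LOW_CONFIDENCE_TAGS = {"hyperv_winsock_name"}

MEMSTR_RE = re.compile(r"Binary or memory string:\s*(?P<payload>.+)$")
SLEEP_RE = re.compile(
    r"TID:\s*(?P<tid>\d+)\s*Thread sleep time:\s*-(?P<ms>\d+)s\s*>=\s*-(?P<threshold>\d+)s"
)
DEBUGPORT_RE = re.compile(r"Process queried:\s*DebugPort")


@dataclass
class EvasionSummary:
    indicators: dict[str, list[str]] = field(default_factory=dict)  # tag -> payloads
    timed_sleeps_ms: dict[int, int] = field(default_factory=dict)   # tid -> sleep (ms)
    infinite_waits: list[int] = field(default_factory=list)         # tids parked forever
    debug_port_queries: int = 0

    def high_confidence_tags(self) -> set[str]:
        return set(self.indicators) - LOW_CONFIDENCE_TAGS

    def longest_real_sleep_ms(self) -> int:
        return max(self.timed_sleeps_ms.values(), default=0)


def triage(lines: list[str]) -> EvasionSummary:
    """Classify report lines into anti-VM probes, timing delays and debugger checks."""
    summary = EvasionSummary()
    for line in lines:
        if m := MEMSTR_RE.search(line):
            payload = m.group("payload")
            for tag, rx in ANTI_VM_RULES:   # one payload may carry several probes
                if rx.search(payload):
                    summary.indicators.setdefault(tag, []).append(payload)
            continue
        if m := SLEEP_RE.search(line):
            tid, ms = int(m.group("tid")), int(m.group("ms"))
            if ms >= TIMESPAN_MAX_MS:
                summary.infinite_waits.append(tid)   # parked thread, not a timing evasion
            else:
                summary.timed_sleeps_ms[tid] = ms
            continue
        if DEBUGPORT_RE.search(line):
            summary.debug_port_queries += 1
    return summary


# Constructed subset of the report's entries (process names, PIDs/TIDs and dump
# offsets copied from the report; the selection is not the full output).
SAMPLE_LINES = [
    "Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME",
    "Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL",
    "Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\\VMware, Inc.\\VMware Tools",
    "Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II",
    "Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
    "Source: 98764737722.PDF.exe, 00000000.00000002.319075254.00000000031E3000.00000004.00000001.sdmp Binary or memory string: VMWARE\"SOFTWARE\\VMware, Inc.\\VMware ToolsLHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0'SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
    "Source: 98764737722.PDF.exe, 00000007.00000002.535819685.0000000000FE4000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\\system32\\mswsock.dll",
    "Source: C:\\Users\\user\\Desktop\\98764737722.PDF.exe TID: 6956 Thread sleep time: -38000s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\98764737722.PDF.exe TID: 6976 Thread sleep time: -922337203685477s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\98764737722.PDF.exe TID: 416 Thread sleep time: -180000s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\98764737722.PDF.exe Process queried: DebugPort",
    "Source: C:\\Users\\user\\Desktop\\98764737722.PDF.exe Process queried: DebugPort",
]

if __name__ == "__main__":
    s = triage(SAMPLE_LINES)
    print("high-confidence anti-VM tags:", sorted(s.high_confidence_tags()))
    print("low-confidence tags:", sorted(set(s.indicators) & LOW_CONFIDENCE_TAGS))
    print("timed sleeps (ms):", s.timed_sleeps_ms, "longest:", s.longest_real_sleep_ms())
    print("threads parked indefinitely:", s.infinite_waits)
    print("DebugPort queries:", s.debug_port_queries)
```

      Run as a script it prints the seven high-confidence tags, flags TID 6976 as parked rather than sleeping, and reports the 180000 ms delay (three minutes) as the longest real sleep, which is the figure to compare against a sandbox's execution timeout.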

      HIPS / PFW / Operating System Protection Evasion:
