Analysis Report dHXjzn9Z5w

Overview

General Information

Sample Name: dHXjzn9Z5w (renamed file extension from none to exe)
Analysis ID: 252974
MD5: 41ec65eaab4ecf4dc45d643158eadba0
SHA1: de7e34da2438db53ef4a96a567416f0f378beea2
SHA256: 60532c23eaeadf51fc21c1ef29ceb5c15d1022d355e3327ca3321b7921a20535

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • dHXjzn9Z5w.exe (PID: 6716 cmdline: 'C:\Users\user\Desktop\dHXjzn9Z5w.exe' MD5: 41EC65EAAB4ECF4DC45D643158EADBA0)
    • dHXjzn9Z5w.exe (PID: 6880 cmdline: {path} MD5: 41EC65EAAB4ECF4DC45D643158EADBA0)
    • dHXjzn9Z5w.exe (PID: 6888 cmdline: {path} MD5: 41EC65EAAB4ECF4DC45D643158EADBA0)
    • dHXjzn9Z5w.exe (PID: 6900 cmdline: {path} MD5: 41EC65EAAB4ECF4DC45D643158EADBA0)
      • vbc.exe (PID: 6376 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6148 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • wuapihost.exe (PID: 6368 cmdline: C:\Windows\System32\wuapihost.exe -Embedding MD5: 85C9C161B102A164EC09A23CACDDD09E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
dHXjzn9Z5w.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x31f2e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.245466056.00000000000A2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x31d2e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000001.00000000.241717854.0000000000432000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x31d2e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000002.00000002.243481626.0000000000292000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x31d2e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
(27 entries in total; only the first five are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.dHXjzn9Z5w.exe.a0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x31f2e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
3.0.dHXjzn9Z5w.exe.880000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x31f2e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
1.2.dHXjzn9Z5w.exe.430000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x31f2e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
2.0.dHXjzn9Z5w.exe.290000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x31f2e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
2.2.dHXjzn9Z5w.exe.290000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x31f2e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
(11 entries in total; only the first five are shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data:
  • Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
  • CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
  • CommandLine|base64offset|contains: ^
  • Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  • NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  • OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  • ParentCommandLine: {path}
  • ParentImage: C:\Users\user\Desktop\dHXjzn9Z5w.exe
  • ParentProcessId: 6900
  • ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
  • ProcessId: 6376

Signature Overview

AV Detection:

Machine Learning detection for sample
Source: dHXjzn9Z5w.exe | Joe Sandbox ML: detected
Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: dHXjzn9Z5w.exe, 00000003.00000002.482471810.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: dHXjzn9Z5w.exe, 00000003.00000002.482471810.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen | 7_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen | 8_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose | 8_2_00407E0E
Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_0752FE8A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.4:49729 -> 103.27.200.199:21
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 103.27.200.199:35132
Source: unknown | FTP traffic detected: 103.27.200.199:21 -> 192.168.2.4:49729
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 3 of 50 allowed.
  220-Local time is now 15:59. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.277073029.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.277073029.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000003.276713952.0000000000AEC000.00000004.00000001.sdmp | String found in binary or memory: ogle.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000003.276713952.0000000000AEC000.00000004.00000001.sdmp | String found in binary or memory: ogle.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 123.105.12.0.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 3.2.dHXjzn9Z5w.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA | 7_2_0040AC8A

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.482471810.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.482471810.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.485618731.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.dHXjzn9Z5w.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.dHXjzn9Z5w.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary | 8_2_00408836
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00404F4E7_2_00404F4E
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004044198_2_00404419
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004045168_2_00404516
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004135388_2_00413538
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004145A18_2_004145A1
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0040E6398_2_0040E639
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004337AF8_2_004337AF
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004399B18_2_004399B1
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0043DAE78_2_0043DAE7
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00405CF68_2_00405CF6
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00403F858_2_00403F85
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00411F998_2_00411F99
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
      Source: dHXjzn9Z5w.exe | Binary or memory string: OriginalFilename vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000000.00000002.245466056.00000000000A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamerFGXk.exe4 vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000000.00000002.265177660.0000000008440000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000000.00000002.246774137.0000000002461000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000000.00000002.264881563.0000000008290000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000001.00000000.241717854.0000000000432000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamerFGXk.exe4 vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000002.00000002.243481626.0000000000292000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamerFGXk.exe4 vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000003.00000002.485618731.0000000002BE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000003.00000002.482867804.0000000000482000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, 00000003.00000000.244282249.0000000000882000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamerFGXk.exe4 vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe | Binary or memory string: OriginalFilenamerFGXk.exe4 vs dHXjzn9Z5w.exe
      Source: dHXjzn9Z5w.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000000.00000002.245466056.00000000000A2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000001.00000000.241717854.0000000000432000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000002.00000002.243481626.0000000000292000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
      Source: 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: 00000002.00000000.242867699.0000000000292000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000003.00000002.482471810.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
      Source: 00000003.00000002.482471810.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000002.485618731.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000000.244282249.0000000000882000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000000.00000000.217315397.00000000000A2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000003.00000002.482936268.0000000000882000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000001.00000002.242043000.0000000000432000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Process Memory Space: dHXjzn9Z5w.exe PID: 6716, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Process Memory Space: dHXjzn9Z5w.exe PID: 6880, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Process Memory Space: dHXjzn9Z5w.exe PID: 6888, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Process Memory Space: dHXjzn9Z5w.exe PID: 6900, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 0.0.dHXjzn9Z5w.exe.a0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 3.0.dHXjzn9Z5w.exe.880000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 1.2.dHXjzn9Z5w.exe.430000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 2.0.dHXjzn9Z5w.exe.290000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 2.2.dHXjzn9Z5w.exe.290000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 3.2.dHXjzn9Z5w.exe.880000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 1.0.dHXjzn9Z5w.exe.430000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 3.2.dHXjzn9Z5w.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
      Source: 3.2.dHXjzn9Z5w.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: 0.2.dHXjzn9Z5w.exe.a0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: dHXjzn9Z5w.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 3.2.dHXjzn9Z5w.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
      Source: 3.2.dHXjzn9Z5w.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 3.2.dHXjzn9Z5w.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'xZv2KTjDOGwMPewlL06/2/+cBh+3YNzZLNYqWwxyouAodILYLJV9xZ9CGhDaO0jH', 'G9O9EXxYbTKbu/JIqZ4FXWAEsGCT7RJ+/SHmPiE44HoRMOAUDNTRY4dL0xxXj+PX', 'yFzOCZnSHgqZgbtRiX7zTTL1Qt6D+8cCFAWN8MP9eKKls7OaJo1TF2n4j++JkQX9', 'LeVgD+CCM8vGOvvCfBCbKlOuO22U5biiPlXQ3m1iV5wOttbrqIGRlRjJtF3s2yy7JUW0Ja5O8CmF3VvxZqreIg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
      Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@12/4@5/2
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dHXjzn9Z5w.exe.log
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\holdermail.txt
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
      Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
      Source: dHXjzn9Z5w.exe | Binary or memory string: SELECT FirstName, LastName FROM PlayerStats;
      Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.277073029.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
      Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
      Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
      Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
      Source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
      Source: unknown | Process created: C:\Users\user\Desktop\dHXjzn9Z5w.exe 'C:\Users\user\Desktop\dHXjzn9Z5w.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\dHXjzn9Z5w.exe {path}
      Source: unknown | Process created: C:\Users\user\Desktop\dHXjzn9Z5w.exe {path}
      Source: unknown | Process created: C:\Users\user\Desktop\dHXjzn9Z5w.exe {path}
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
      Source: unknown | Process created: C:\Windows\System32\wuapihost.exe C:\Windows\System32\wuapihost.exe -Embedding
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Process created: C:\Users\user\Desktop\dHXjzn9Z5w.exe {path}
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Process created: C:\Users\user\Desktop\dHXjzn9Z5w.exe {path}
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Process created: C:\Users\user\Desktop\dHXjzn9Z5w.exe {path}
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
      Source: dHXjzn9Z5w.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: dHXjzn9Z5w.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: dHXjzn9Z5w.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, dHXjzn9Z5w.exe, 00000003.00000002.485618731.0000000002BE1000.00000004.00000001.sdmp
      Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp, vbc.exe
      Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: dHXjzn9Z5w.exe, 00000000.00000002.256789601.00000000034EE000.00000004.00000001.sdmp, dHXjzn9Z5w.exe, 00000003.00000002.490563145.0000000003BE1000.00000004.00000001.sdmp, vbc.exe

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 3.2.dHXjzn9Z5w.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.2.dHXjzn9Z5w.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.2.dHXjzn9Z5w.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.2.dHXjzn9Z5w.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Binary contains a suspicious time stamp
      Source: initial sample | Static PE information: 0xAB19B0B8 [Sat Dec 18 09:26:16 2060 UTC]
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00403C3D LoadLibraryA,GetProcAddress,strcpy
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Code function: 0_2_06E94253 push es; retf 0_2_06E94254
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Code function: 0_2_06E91BAB push esp; retf 0_2_06E91BB4
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Code function: 0_2_06E9508B push es; iretd 0_2_06E9508C
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Code function: 3_2_0129E672 push esp; ret 3_2_0129E679
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exe | Code function: 3_2_0129FF8B push eax; iretd 3_2_0129FF8D
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00411879 push ecx; ret 7_2_00411889
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_004118A0 push eax; ret 7_2_004118B4
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_004118A0 push eax; ret 7_2_004118DC
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00442871 push ecx; ret 8_2_00442881
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00442A90 push eax; ret 8_2_00442AA4
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00442A90 push eax; ret 8_2_00442ACC
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00446E54 push eax; ret 8_2_00446E61
      Source: initial sample | Static PE information: section name: .text entropy: 7.65570427667

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Changes the view of files in windows explorer (hidden files and folders)Show sources
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HiddenJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_0040F64B
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\dHXjzn9Z5w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:
