Loading ...

Play interactive tourEdit tour

Analysis Report PO9087665788.exe

Overview

General Information

Sample Name:PO9087665788.exe
Analysis ID:263230
MD5:105cab9441e63917a5c774c36ab801c6
SHA1:c343476262267c46ebee6cf8683de3620ca938d0
SHA256:60a50c08aad635ae204be365b12b1dce34134c62b25c74aa5dc4a2e02aa75771

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO9087665788.exe (PID: 7068 cmdline: 'C:\Users\user\Desktop\PO9087665788.exe' MD5: 105CAB9441E63917A5C774C36AB801C6)
    • PO9087665788.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\PO9087665788.exe' MD5: 105CAB9441E63917A5C774C36AB801C6)
      • Windows Update.exe (PID: 4620 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: 105CAB9441E63917A5C774C36AB801C6)
        • Windows Update.exe (PID: 4484 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: 105CAB9441E63917A5C774C36AB801C6)
          • dw20.exe (PID: 6460 cmdline: dw20.exe -x -s 2516 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
          • vbc.exe (PID: 3400 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
            • WerFault.exe (PID: 6736 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 704 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • vbc.exe (PID: 3352 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
            • WerFault.exe (PID: 1376 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 704 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • WerFault.exe (PID: 6780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 2528 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 7080 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 105CAB9441E63917A5C774C36AB801C6)
  • WindowsUpdate.exe (PID: 5916 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 105CAB9441E63917A5C774C36AB801C6)
    • WindowsUpdate.exe (PID: 1760 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 105CAB9441E63917A5C774C36AB801C6)
      • Windows Update.exe (PID: 6312 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: 105CAB9441E63917A5C774C36AB801C6)
        • Windows Update.exe (PID: 5020 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: 105CAB9441E63917A5C774C36AB801C6)
  • WindowsUpdate.exe (PID: 7096 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 105CAB9441E63917A5C774C36AB801C6)
  • WindowsUpdate.exe (PID: 6724 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 105CAB9441E63917A5C774C36AB801C6)
    • WindowsUpdate.exe (PID: 4816 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 105CAB9441E63917A5C774C36AB801C6)
      • dw20.exe (PID: 5880 cmdline: dw20.exe -x -s 2720 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 4684 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.324190529.0000000003014000.00000004.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
    00000001.00000002.294696008.0000000002382000.00000040.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
    • 0x7b713:$key: HawkEyeKeylogger
    • 0x7d97d:$salt: 099u787978786
    • 0x7bd70:$string1: HawkEye_Keylogger
    • 0x7cbaf:$string1: HawkEye_Keylogger
    • 0x7d8dd:$string1: HawkEye_Keylogger
    • 0x7c145:$string2: holdermail.txt
    • 0x7c165:$string2: holdermail.txt
    • 0x7c087:$string3: wallet.dat
    • 0x7c09f:$string3: wallet.dat
    • 0x7c0b5:$string3: wallet.dat
    • 0x7d4a1:$string4: Keylog Records
    • 0x7d7b9:$string4: Keylog Records
    • 0x7d9d5:$string5: do not script -->
    • 0x7b6fb:$string6: \pidloc.txt
    • 0x7b789:$string7: BSPLIT
    • 0x7b799:$string7: BSPLIT
    00000001.00000002.294696008.0000000002382000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
      00000001.00000002.294696008.0000000002382000.00000040.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
        00000001.00000002.294696008.0000000002382000.00000040.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
          Click to see the 225 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          34.2.WindowsUpdate.exe.2190000.3.unpackRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
          • 0x7b913:$key: HawkEyeKeylogger
          • 0x7db7d:$salt: 099u787978786
          • 0x7bf70:$string1: HawkEye_Keylogger
          • 0x7cdaf:$string1: HawkEye_Keylogger
          • 0x7dadd:$string1: HawkEye_Keylogger
          • 0x7c345:$string2: holdermail.txt
          • 0x7c365:$string2: holdermail.txt
          • 0x7c287:$string3: wallet.dat
          • 0x7c29f:$string3: wallet.dat
          • 0x7c2b5:$string3: wallet.dat
          • 0x7d6a1:$string4: Keylog Records
          • 0x7d9b9:$string4: Keylog Records
          • 0x7dbd5:$string5: do not script -->
          • 0x7b8fb:$string6: \pidloc.txt
          • 0x7b989:$string7: BSPLIT
          • 0x7b999:$string7: BSPLIT
          34.2.WindowsUpdate.exe.2190000.3.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
            34.2.WindowsUpdate.exe.2190000.3.unpackJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
              34.2.WindowsUpdate.exe.2190000.3.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                34.2.WindowsUpdate.exe.2190000.3.unpackHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
                • 0x7bfc8:$hawkstr1: HawkEye Keylogger
                • 0x7cdf5:$hawkstr1: HawkEye Keylogger
                • 0x7d124:$hawkstr1: HawkEye Keylogger
                • 0x7d27f:$hawkstr1: HawkEye Keylogger
                • 0x7d3e2:$hawkstr1: HawkEye Keylogger
                • 0x7d679:$hawkstr1: HawkEye Keylogger
                • 0x7bb3a:$hawkstr2: Dear HawkEye Customers!
                • 0x7d177:$hawkstr2: Dear HawkEye Customers!
                • 0x7d2ce:$hawkstr2: Dear HawkEye Customers!
                • 0x7d435:$hawkstr2: Dear HawkEye Customers!
                • 0x7bc5b:$hawkstr3: HawkEye Logger Details: