
Analysis Report 17.09.2020- FINAL DA.exe

Overview

General Information

Sample Name: 17.09.2020- FINAL DA.exe
Analysis ID: 286941
MD5: 53a515580bc09167af097991b1b007c8
SHA1: e4ac36fcbf1dcf8b9a297850c820faf18255281b
SHA256: 28753bd34049059e094796e4480f184cb0fdec4f5ca2ba0ffc5cc79bb3a7c1a6
Tags: exe


Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Keylogger Generic
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • 17.09.2020- FINAL DA.exe (PID: 6624 cmdline: 'C:\Users\user\Desktop\17.09.2020- FINAL DA.exe' MD5: 53A515580BC09167AF097991B1B007C8)
    • 17.09.2020- FINAL DA.exe (PID: 6656 cmdline: 'C:\Users\user\Desktop\17.09.2020- FINAL DA.exe' MD5: 53A515580BC09167AF097991B1B007C8)
      • vbc.exe (PID: 6740 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp801A.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 3456 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp872B.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • 17.09.2020- FINAL DA.exe (PID: 6668 cmdline: 'C:\Users\user\Desktop\17.09.2020- FINAL DA.exe' 2 6656 4159484 MD5: 53A515580BC09167AF097991B1B007C8)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.471643052.000000000049F000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x81150:$s2: _ScreenshotLogger
  • 0x8111d:$s3: _PasswordStealer
00000001.00000002.471643052.000000000049F000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000000.00000002.212656674.0000000004412000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x80e68:$s2: _ScreenshotLogger
  • 0x80e35:$s3: _PasswordStealer
00000000.00000002.212656674.0000000004412000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000001.00000002.473791465.00000000021C0000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x81068:$s2: _ScreenshotLogger
  • 0x81035:$s3: _PasswordStealer
(33 entries in total; 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.17.09.2020- FINAL DA.exe.43a0000.2.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0xf2e68:$s2: _ScreenshotLogger
  • 0xf2e35:$s3: _PasswordStealer
0.2.17.09.2020- FINAL DA.exe.43a0000.2.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0.2.17.09.2020- FINAL DA.exe.43a0000.2.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen
  • 0xf2e35:$str1: _PasswordStealer
  • 0xf2e46:$str2: _KeyStrokeLogger
  • 0xf2e68:$str3: _ScreenshotLogger
  • 0xf2e57:$str4: _ClipboardLogger
  • 0xf2e7a:$str5: _WebCamLogger
  • 0xf2f8f:$str6: _AntiVirusKiller
  • 0xf2f7d:$str7: _ProcessElevation
  • 0xf2f44:$str8: _DisableCommandPrompt
  • 0xf304a:$str9: _WebsiteBlocker
  • 0xf305a:$str9: _WebsiteBlocker
  • 0xf2f30:$str10: _DisableTaskManager
  • 0xf2fab:$str11: _AntiDebugger
  • 0xf3035:$str12: _WebsiteVisitorSites
  • 0xf2f5a:$str13: _DisableRegEdit
  • 0xf2fb9:$str14: _ExecutionDelay
  • 0xf2ede:$str15: _InstallStartupPersistance
3.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
3.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(28 entries in total; 5 shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
            Source: 17.09.2020- FINAL DA.exeAvira: detected
Found malware configuration
            Source: vbc.exe.3456.16.memstrMalware Configuration Extractor: HawkEye {"Modules": ["mailpv"], "Version": ""}
Multi AV Scanner detection for domain / URL
            Source: http://pomf.cat/upload.phpVirustotal: Detection: 10%Perma Link
Multi AV Scanner detection for submitted file
            Source: 17.09.2020- FINAL DA.exeVirustotal: Detection: 50%Perma Link
            Source: 17.09.2020- FINAL DA.exeReversingLabs: Detection: 56%
Machine Learning detection for sample
            Source: 17.09.2020- FINAL DA.exeJoe Sandbox ML: detected
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpackAvira: Label: TR/Dropper.Gen
            Source: 1.2.17.09.2020- FINAL DA.exe.2340000.3.unpackAvira: Label: TR/Dropper.Gen
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
            Source: 0.2.17.09.2020- FINAL DA.exe.43a0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpackAvira: Label: TR/Dropper.Gen
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00408D20 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408D20
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00405BE0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405BE0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040A1A7 FindFirstFileW,FindNextFileW,3_2_0040A1A7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,16_2_0040702D
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.226169604.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.226169604.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
            Source: vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
            Source: vbc.exe, 00000003.00000003.226048505.0000000000A59000.00000004.00000001.sdmpString found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srffile:///C:/jbxinitvm.au3file://192.168.2.1/temp/Office16.x86.en-US.ISOres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
            Source: vbc.exe, 00000003.00000003.226048505.0000000000A59000.00000004.00000001.sdmpString found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srffile:///C:/jbxinitvm.au3file://192.168.2.1/temp/Office16.x86.en-US.ISOres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmpString found in binary or memory: http://bot.whatismyipaddress.com/
            Source: 17.09.2020- FINAL DA.exeString found in binary or memory: http://pomf.cat/upload.php
            Source: 17.09.2020- FINAL DA.exe, 00000000.00000002.212656674.0000000004412000.00000040.00000001.sdmp, 17.09.2020- FINAL DA.exe, 00000001.00000002.471643052.000000000049F000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
            Source: vbc.exe, 00000003.00000002.226153694.000000000019C000.00000004.00000010.sdmpString found in binary or memory: http://www.nirsoft.net
            Source: vbc.exe, vbc.exe, 00000010.00000002.358577300.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/
            Source: vbc.exe, 00000003.00000003.226048505.0000000000A59000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
            Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
            Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
            Source: Yara matchFile source: 00000001.00000002.471643052.000000000049F000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.212656674.0000000004412000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.473791465.00000000021C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.473930629.00000000022B2000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.474015013.0000000002342000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.212791393.00000000044AF000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.478119051.0000000002B39000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.471256653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6624, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6656, type: MEMORY
            Source: Yara matchFile source: 0.2.17.09.2020- FINAL DA.exe.43a0000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.17.09.2020- FINAL DA.exe.2340000.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, type: UNPACKEDPE
Yara detected Keylogger Generic
            Source: Yara matchFile source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6656, type: MEMORY
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW,3_2_0040FDCB
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00424C58 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_00424C58
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0043A784 GetKeyboardState,0_2_0043A784

System Summary:

Malicious sample detected (through community Yara rule)
            Source: 00000001.00000002.471643052.000000000049F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000000.00000002.212656674.0000000004412000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000002.473791465.00000000021C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000002.473791465.00000000021C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: HawkEye v9 Payload Author: ditekshen
            Source: 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 00000001.00000002.473930629.00000000022B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000002.474015013.0000000002342000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000000.00000002.212791393.00000000044AF000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000010.00000002.358577300.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 00000001.00000002.478119051.0000000002B39000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000002.471256653.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6624, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6656, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 0.2.17.09.2020- FINAL DA.exe.43a0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 0.2.17.09.2020- FINAL DA.exe.43a0000.2.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
            Source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
            Source: 1.2.17.09.2020- FINAL DA.exe.2340000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 1.2.17.09.2020- FINAL DA.exe.2340000.3.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
            Source: 1.2.17.09.2020- FINAL DA.exe.25e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
            Source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
            Source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.2.17.09.2020- FINAL DA.exe.25e0000.4.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00458784 NtdllDefWindowProc_A,0_2_00458784
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0043D6BC NtdllDefWindowProc_A,GetCapture,0_2_0043D6BC
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00458F00 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00458F00
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00458FB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00458FB0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0044D1BC GetSubMenu,SaveDC,RestoreDC,72EBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_0044D1BC
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0042FE90 NtdllDefWindowProc_A,0_2_0042FE90
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_00498159 NtCreateSection,1_2_00498159
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C2AC9F NtUnmapViewOfSection,NtUnmapViewOfSection,1_2_04C2AC9F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,3_2_0040A5A9
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0040C3400_2_0040C340
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00452DE00_2_00452DE0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0044D1BC0_2_0044D1BC
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0046724C0_2_0046724C
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_00444A261_2_00444A26
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_004919761_2_00491976
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_0049713D1_2_0049713D
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_004E1D0E1_2_004E1D0E
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C274C01_2_04C274C0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C27E501_2_04C27E50
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C208281_2_04C20828
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C2A1E21_2_04C2A1E2
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C24FE01_2_04C24FE0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C279B81_2_04C279B8
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C28B501_2_04C28B50
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C239681_2_04C23968
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C274B21_2_04C274B2
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C260B01_2_04C260B0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C208031_2_04C20803
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C27E011_2_04C27E01
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C21C3B1_2_04C21C3B
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C243C01_2_04C243C0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C253C81_2_04C253C8
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C22FC81_2_04C22FC8
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C23FC81_2_04C23FC8
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C279C81_2_04C279C8
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C23FD81_2_04C23FD8
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C269801_2_04C26980
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C253B71_2_04C253B7
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C22FB91_2_04C22FB9
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C28B401_2_04C28B40
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C239571_2_04C23957
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C23B5A1_2_04C23B5A
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C23B681_2_04C23B68
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C225681_2_04C22568
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C225781_2_04C22578
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 1_2_04C27F321_2_04C27F32
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 2_2_0040C3402_2_0040C340
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004360CE3_2_004360CE
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040509C3_2_0040509C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004051993_2_00405199
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0043C2D03_2_0043C2D0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004404063_2_00440406
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040451D3_2_0040451D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004045FF3_2_004045FF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040458E3_2_0040458E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004046903_2_00404690
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00414A513_2_00414A51
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00404C083_2_00404C08
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00406C8E3_2_00406C8E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00415DF33_2_00415DF3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00416E5C3_2_00416E5C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00410FE43_2_00410FE4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00404DE516_2_00404DE5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00404E5616_2_00404E56
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00404EC716_2_00404EC7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00404F5816_2_00404F58
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_0040BF6B16_2_0040BF6B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00445190 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416849 appears 66 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0040924D appears 31 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00412084 appears 39 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004166E8 appears 34 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416A91 appears 88 times
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Code function: String function: 0040C9E4 appears 31 times
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Code function: String function: 00406A94 appears 58 times
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Code function: String function: 00404430 appears 92 times
            Source: 17.09.2020- FINAL DA.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: 17.09.2020- FINAL DA.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: 17.09.2020- FINAL DA.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 17.09.2020- FINAL DA.exe, 00000000.00000002.212656674.0000000004412000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs 17.09.2020- FINAL DA.exe
            Source: 17.09.2020- FINAL DA.exe, 00000000.00000002.209199612.00000000023C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 17.09.2020- FINAL DA.exe
            Source: 17.09.2020- FINAL DA.exe | Binary or memory string: OriginalFilename vs 17.09.2020- FINAL DA.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.471643052.000000000049F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs 17.09.2020- FINAL DA.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.483963676.0000000007920000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewmiutils.dll.muij% vs 17.09.2020- FINAL DA.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 17.09.2020- FINAL DA.exe
            Source: 00000001.00000002.471643052.000000000049F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.212656674.0000000004412000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.473791465.00000000021C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.473791465.00000000021C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000001.00000002.473930629.00000000022B2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.474015013.0000000002342000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.212791393.00000000044AF000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000010.00000002.358577300.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000001.00000002.478119051.0000000002B39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.471256653.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6624, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6656, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.17.09.2020- FINAL DA.exe.43a0000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.17.09.2020- FINAL DA.exe.43a0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.17.09.2020- FINAL DA.exe.2340000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.17.09.2020- FINAL DA.exe.2340000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.17.09.2020- FINAL DA.exe.25e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.17.09.2020- FINAL DA.exe.25e0000.4.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@9/2@0/0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Code function: 0_2_00421830 GetLastError,FormatMessageA, 0_2_00421830
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Code function: 0_2_00408E98 GetDiskFreeSpaceA, 0_2_00408E98
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification, 3_2_00413C19
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Code function: 0_2_004146E8 FindResourceA, 0_2_004146E8
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Mutant created: \Sessions\1\BaseNamedObjects\604778dc-40aa-4fab-99c8-600b5cda8a50
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | File created: C:\Users\user\AppData\Local\Temp\ef7d346d-eb6f-adde-cee7-07d2bbaab9d3
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.226169604.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: 17.09.2020- FINAL DA.exe | Virustotal: Detection: 50%
            Source: 17.09.2020- FINAL DA.exe | ReversingLabs: Detection: 56%
            Source: unknown | Process created: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe 'C:\Users\user\Desktop\17.09.2020- FINAL DA.exe'
            Source: unknown | Process created: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe 'C:\Users\user\Desktop\17.09.2020- FINAL DA.exe'
            Source: unknown | Process created: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe 'C:\Users\user\Desktop\17.09.2020- FINAL DA.exe' 2 6656 4159484
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp801A.tmp'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp872B.tmp'
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Process created: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe 'C:\Users\user\Desktop\17.09.2020- FINAL DA.exe'
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Process created: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe 'C:\Users\user\Desktop\17.09.2020- FINAL DA.exe' 2 6656 4159484
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp801A.tmp'
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp872B.tmp'
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: 17.09.2020- FINAL DA.exe | Static file information: File size 1142784 > 1048576
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 17.09.2020- FINAL DA.exe, 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, vbc.exe
            Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: 17.09.2020- FINAL DA.exe, 00000001.00000002.480983916.0000000002D1F000.00000004.00000001.sdmp, vbc.exe

            Data Obfuscation:

            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Unpacked PE file: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
            Detected unpacking (creates a PE file in dynamic memory)
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Unpacked PE file: 1.2.17.09.2020- FINAL DA.exe.2340000.3.unpack
            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe | Unpacked PE file: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0046D730 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0046D730
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00444B40 push 00444BCDh; ret 0_2_00444BC5
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00482040 push 00482066h; ret 0_2_0048205E
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00472060 push 0047208Ch; ret 0_2_00472084
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00482008 push 00482034h; ret 0_2_0048202C
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00474134 push 00474160h; ret 0_2_00474158
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0047C274 push 0047C2A0h; ret 0_2_0047C298
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0046C22C push 0046C258h; ret 0_2_0046C250
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0047C2C0 push 0047C2ECh; ret 0_2_0047C2E4
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_004722F4 push 00472320h; ret 0_2_00472318
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0042A2B4 push 0042A2E0h; ret 0_2_0042A2D8
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0040C340 push 0040C78Ch; ret 0_2_0040C784
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_004703C0 push 004703ECh; ret 0_2_004703E4
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0041E45A push 0041E502h; ret 0_2_0041E4FA
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0041E45C push 0041E502h; ret 0_2_0041E4FA
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0046A48C push 0046A4B8h; ret 0_2_0046A4B0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00472498 push 004724C4h; ret 0_2_004724BC
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_00428550 push 0042857Ch; ret 0_2_00428574
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0041E566 push 0041E88Ch; ret 0_2_0041E884
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0043A524 push ecx; mov dword ptr [esp], ecx0_2_0043A528
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0046C5F4 push 0046C620h; ret 0_2_0046C618
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_004705F4 push 00470620h; ret 0_2_00470618
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exeCode function: 0_2_0047267C push 004726A8h; ret 0_2_004726A0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_0040C610 push 0040C78Ch; ret 0_2_0040C784
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_004066CA push 0040671Dh; ret 0_2_00406715
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_004066CC push 0040671Dh; ret 0_2_00406715
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_004286E8 push 00428714h; ret 0_2_0042870C
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_0047A7F8 push 0047A824h; ret 0_2_0047A81C
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_0040C78E push 0040C7FFh; ret 0_2_0040C7F7
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_0040C790 push 0040C7FFh; ret 0_2_0040C7F7
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_0047A798 push 0047A7C4h; ret 0_2_0047A7BC
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_0041E860 push 0041E88Ch; ret 0_2_0041E884
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_0045880C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_0045880C
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00428920 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00428920
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_0043ED90 IsIconic,GetCapture, 0_2_0043ED90
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00458F00 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00458F00
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00458FB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00458FB0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_0043F638 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_0043F638
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00455888 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_00455888
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_0043FF54 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_0043FF54
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_0046D730 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0046D730
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Contains functionality to detect sleep reduction / modifications
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00433C54 0_2_00433C54
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: SBIEDLL.DLL
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: WIRESHARK.EXE
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Code function: 3_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification, 3_2_0040A5A9
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_00457DB0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Window / User API: threadDelayed 806
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00433C54 0_2_00433C54
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe TID: 6708 -- Thread sleep count: 215 > 30
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe TID: 6708 -- Thread sleep time: -215000s >= -30000s
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe TID: 6660 -- Thread sleep count: 112 > 30
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe TID: 6660 -- Thread sleep time: -112000s >= -30000s
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe TID: 6748 -- Thread sleep time: -80600s >= -30000s
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Last function: Thread delayed
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Last function: Thread delayed
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00481EA0 GetSystemTime followed by cmp: cmp word ptr [esp+08h], 07dfh and CTI: jnc 00481EC6h 0_2_00481EA0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00408D20 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00408D20
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00405BE0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405BE0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Code function: 3_2_0040A1A7 FindFirstFileW,FindNextFileW, 3_2_0040A1A7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Code function: 16_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 16_2_0040702D
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00421DC0 GetSystemInfo, 0_2_00421DC0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Process queried: DebugFlags
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Process queried: DebugObjectHandle
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Process queried: DebugFlags
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Process queried: DebugObjectHandle
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 1_2_004936F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_004936F3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Code function: 3_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification, 3_2_0040A5A9
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00481D40 VirtualProtect ?,0000F7A0,00000104,?,00000000,0000F7A0,00003000,00000004 0_2_00481D40
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_0046D730 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0046D730
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 1_2_00497412 mov eax, dword ptr fs:[00000030h] 1_2_00497412
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 1_2_004974D0 mov eax, dword ptr fs:[00000030h] 1_2_004974D0
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00481F2C KiUserExceptionDispatcher,IntersectClipRect,GetSystemMetrics,GetSystemMetrics,ExitProcess,IntersectClipRect,RtlAddVectoredExceptionHandler,IntersectClipRect, 0_2_00481F2C
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 1_2_00492746 SetUnhandledExceptionFilter, 1_2_00492746
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 1_2_004936F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_004936F3
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 1_2_00495D7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00495D7F
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 1_2_00493BB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00493BB5
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory protected: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            .NET source code references suspicious native API functions
            Source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, u202d????????????????????????????????????????.cs -- Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, u202d????????????????????????????????????????.cs -- Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, u202d????????????????????????????????????????.cs -- Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Section loaded: unknown target: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe protection: execute and read and write
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 446000
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 455000
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 28F008
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 393008
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Process created: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe 'C:\Users\user\Desktop\17.09.2020- FINAL DA.exe'
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp801A.tmp'
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp872B.tmp'
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.473707304.0000000000DB0000.00000002.00000001.sdmp -- Binary or memory string: Program Manager
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.473707304.0000000000DB0000.00000002.00000001.sdmp -- Binary or memory string: Shell_TrayWnd
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.473707304.0000000000DB0000.00000002.00000001.sdmp -- Binary or memory string: Progman
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.473707304.0000000000DB0000.00000002.00000001.sdmp -- Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405D98
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: GetLocaleInfoA, 0_2_0040A008
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: GetLocaleInfoA,GetACP, 0_2_0040B310
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405EA4
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: GetLocaleInfoA, 0_2_00409FBC
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: GetLocaleInfoA, 1_2_00496A4A
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA, 2_2_00405D98
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00402980 GetSystemTime, 0_2_00402980
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Code function: 16_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 16_2_004073B6
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Code function: 0_2_00444B40 GetVersion, 0_2_00444B40
            Source: C:\Users\user\Desktop\17.09.2020- FINAL DA.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: bdagent.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: MSASCui.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: avguard.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: avgrsx.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: avcenter.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: avp.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: zlclient.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: wireshark.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: avgcsrvx.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: avgnt.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: hijackthis.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: avgui.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: avgwdsvc.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: mbam.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: MsMpEng.exe
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.478105601.0000000002B33000.00000004.00000001.sdmp -- Binary or memory string: ComboFix.exe

            Stealing of Sensitive Information:

            Yara detected HawkEye Keylogger
            Source: Yara match -- File source: 00000001.00000002.471643052.000000000049F000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000000.00000002.212656674.0000000004412000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000001.00000002.473791465.00000000021C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000001.00000002.473930629.00000000022B2000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000001.00000002.474015013.0000000002342000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000000.00000002.212791393.00000000044AF000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000001.00000002.478119051.0000000002B39000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000001.00000002.471256653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6624, type: MEMORY
            Source: Yara match -- File source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6656, type: MEMORY
            Source: Yara match -- File source: 0.2.17.09.2020- FINAL DA.exe.43a0000.2.unpack, type: UNPACKEDPE
            Source: Yara match -- File source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.unpack, type: UNPACKEDPE
            Source: Yara match -- File source: 1.2.17.09.2020- FINAL DA.exe.2340000.3.unpack, type: UNPACKEDPE
            Source: Yara match -- File source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, type: UNPACKEDPE
            Source: Yara match -- File source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match -- File source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match -- File source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, type: UNPACKEDPE
            Yara detected MailPassView
            Source: Yara match -- File source: 00000001.00000002.480983916.0000000002D1F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000001.00000003.209434228.0000000004393000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000010.00000002.358577300.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000001.00000002.483501131.0000000006661000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: Process Memory Space: vbc.exe PID: 3456, type: MEMORY
            Source: Yara match -- File source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6656, type: MEMORY
            Source: Yara match -- File source: 1.2.17.09.2020- FINAL DA.exe.25e0000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match -- File source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match -- File source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match -- File source: 1.2.17.09.2020- FINAL DA.exe.25e0000.4.unpack, type: UNPACKEDPE
            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Tries to steal Mail credentials (via file registry)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 16_2_00402D74
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 16_2_00402D74
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -- Code function: ESMTPPassword 16_2_004033B1
            Yara detected WebBrowserPassView password recovery tool
            Source: Yara match -- File source: 00000001.00000002.474568060.00000000025E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000001.00000003.209434228.0000000004393000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000001.00000002.483501131.0000000006661000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000001.00000002.478391166.0000000002BE2000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: 00000003.00000002.226169604.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match -- File source: Process Memory Space: vbc.exe PID: 6740, type: MEMORY
            Source: Yara match -- File source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6656, type: MEMORY
            Source: Yara matchFile source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.17.09.2020- FINAL DA.exe.25e0000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.17.09.2020- FINAL DA.exe.25e0000.4.unpack, type: UNPACKEDPE

            Remote Access Functionality:

            Detected HawkEye Rat
            Source: 17.09.2020- FINAL DA.exe, 00000000.00000002.212656674.0000000004412000.00000040.00000001.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Source: 17.09.2020- FINAL DA.exe, 00000001.00000002.471643052.000000000049F000.00000040.00000001.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Yara detected HawkEye Keylogger
            Source: Yara match, File source: 00000001.00000002.471643052.000000000049F000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.212656674.0000000004412000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.473791465.00000000021C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.473930629.00000000022B2000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.474015013.0000000002342000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.212791393.00000000044AF000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.478119051.0000000002B39000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.471256653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6624, type: MEMORY
            Source: Yara match, File source: Process Memory Space: 17.09.2020- FINAL DA.exe PID: 6656, type: MEMORY
            Source: Yara match, File source: 0.2.17.09.2020- FINAL DA.exe.43a0000.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.2.17.09.2020- FINAL DA.exe.2340000.3.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.2.17.09.2020- FINAL DA.exe.22b0000.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.2.17.09.2020- FINAL DA.exe.21c0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.2.17.09.2020- FINAL DA.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.17.09.2020- FINAL DA.exe.4410000.3.unpack, type: UNPACKEDPE

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 111 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 11 | Input Capture 11 | System Time Discovery 11 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 11 | Boot or Logon Initialization Scripts | Process Injection 512 | Deobfuscate/Decode Files or Information 11 | Credentials in Registry 2 | Account Discovery 1 | Remote Desktop Protocol | Email Collection 1 | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 2 | Credentials In Files 1 | File and Directory Discovery 1 | SMB/Windows Admin Shares | Input Capture 11 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 31 | NTDS | System Information Discovery 19 | Distributed Component Object Model | Clipboard Data 2 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 13 | LSA Secrets | Security Software Discovery 37 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 512 | Cached Domain Credentials | Virtualization/Sandbox Evasion 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Process Discovery 4 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery 11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph
