Analysis Report 071020207659825.PDF.exe

Overview

General Information

Sample Name: 071020207659825.PDF.exe
Analysis ID: 294447
MD5: 8d77adea84c3a48380dba70b8e60ec09
SHA1: b0954b73cc877071f3d4f5b30693b6cb5267dc0d
SHA256: 21359248fdd77b3fb66b1910399bbf0f3433e47cd97bc8a6244716e34280c877
Tags: exe, HawkEye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Keylogger Generic
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • 071020207659825.PDF.exe (PID: 6820 cmdline: 'C:\Users\user\Desktop\071020207659825.PDF.exe' MD5: 8D77ADEA84C3A48380DBA70B8E60EC09)
    • 071020207659825.PDF.exe (PID: 6840 cmdline: 'C:\Users\user\Desktop\071020207659825.PDF.exe' MD5: 8D77ADEA84C3A48380DBA70B8E60EC09)
      • vbc.exe (PID: 204 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 4012 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b719:$key: HawkEyeKeylogger
  • 0x7d917:$salt: 099u787978786
  • 0x7bd32:$string1: HawkEye_Keylogger
  • 0x7cb85:$string1: HawkEye_Keylogger
  • 0x7d877:$string1: HawkEye_Keylogger
  • 0x7c11b:$string2: holdermail.txt
  • 0x7c13b:$string2: holdermail.txt
  • 0x7c05d:$string3: wallet.dat
  • 0x7c075:$string3: wallet.dat
  • 0x7c08b:$string3: wallet.dat
  • 0x7d459:$string4: Keylog Records
  • 0x7d771:$string4: Keylog Records
  • 0x7d96f:$string5: do not script -->
  • 0x7b701:$string6: \pidloc.txt
  • 0x7b767:$string7: BSPLIT
  • 0x7b777:$string7: BSPLIT
00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bd8a:$hawkstr1: HawkEye Keylogger
  • 0x7cbcb:$hawkstr1: HawkEye Keylogger
  • 0x7cefa:$hawkstr1: HawkEye Keylogger
  • 0x7d055:$hawkstr1: HawkEye Keylogger
  • 0x7d1b8:$hawkstr1: HawkEye Keylogger
  • 0x7d431:$hawkstr1: HawkEye Keylogger
  • 0x7b918:$hawkstr2: Dear HawkEye Customers!
  • 0x7cf4d:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0a4:$hawkstr2: Dear HawkEye Customers!
  • 0x7d20b:$hawkstr2: Dear HawkEye Customers!
  • 0x7ba39:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
3.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
1.2.071020207659825.PDF.exe.2080000.1.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x79b19:$key: HawkEyeKeylogger
  • 0x7bd17:$salt: 099u787978786
  • 0x7a132:$string1: HawkEye_Keylogger
  • 0x7af85:$string1: HawkEye_Keylogger
  • 0x7bc77:$string1: HawkEye_Keylogger
  • 0x7a51b:$string2: holdermail.txt
  • 0x7a53b:$string2: holdermail.txt
  • 0x7a45d:$string3: wallet.dat
  • 0x7a475:$string3: wallet.dat
  • 0x7a48b:$string3: wallet.dat
  • 0x7b859:$string4: Keylog Records
  • 0x7bb71:$string4: Keylog Records
  • 0x7bd6f:$string5: do not script -->
  • 0x79b01:$string6: \pidloc.txt
  • 0x79b67:$string7: BSPLIT
  • 0x79b77:$string7: BSPLIT
1.2.071020207659825.PDF.exe.2080000.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
1.2.071020207659825.PDF.exe.2080000.1.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started; Author: Florian Roth (rule), @blu3_team (idea); Data: Command: 'C:\Users\user\Desktop\071020207659825.PDF.exe', CommandLine: 'C:\Users\user\Desktop\071020207659825.PDF.exe', CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\071020207659825.PDF.exe, NewProcessName: C:\Users\user\Desktop\071020207659825.PDF.exe, OriginalFileName: C:\Users\user\Desktop\071020207659825.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\071020207659825.PDF.exe', ParentImage: C:\Users\user\Desktop\071020207659825.PDF.exe, ParentProcessId: 6820, ProcessCommandLine: 'C:\Users\user\Desktop\071020207659825.PDF.exe', ProcessId: 6840

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 071020207659825.PDF.exe; Avira: detected
Found malware configuration
Source: vbc.exe.4012.4.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: 071020207659825.PDF.exe; ReversingLabs: Detection: 56%
Machine Learning detection for sample
Source: 071020207659825.PDF.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.071020207659825.PDF.exe.2080000.1.unpack; Avira: Label: TR/Inject.vcoldi
Source: 1.2.071020207659825.PDF.exe.2240000.2.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.071020207659825.PDF.exe.2240000.2.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.071020207659825.PDF.exe.22d0000.3.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.071020207659825.PDF.exe.22d0000.3.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.071020207659825.PDF.exe.2860000.2.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.071020207659825.PDF.exe.2860000.2.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.071020207659825.PDF.exe.400000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.071020207659825.PDF.exe.400000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 1.1.071020207659825.PDF.exe.400000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 1.1.071020207659825.PDF.exe.400000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
May infect USB drives
Source: 071020207659825.PDF.exe, 00000000.00000002.245464271.00000000028F7000.00000040.00000001.sdmp; Binary or memory string: autorun.inf
Source: 071020207659825.PDF.exe, 00000000.00000002.245464271.00000000028F7000.00000040.00000001.sdmp; Binary or memory string: [autorun]
Source: 071020207659825.PDF.exe; Binary or memory string: autorun.inf
Source: 071020207659825.PDF.exe; Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\071020207659825.PDF.exe; Code function: 0_2_00408AE8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408AE8
Source: C:\Users\user\Desktop\071020207659825.PDF.exe; Code function: 0_2_00405B6C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405B6C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 3_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,3_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 4_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,4_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 4_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,4_2_00407E0E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.5:49740 -> 103.27.200.199:21
May check the online IP address of the machine
Source: unknown; DNS query: name: whatismyipaddress.com
Source: global traffic; TCP traffic: 192.168.2.5:49741 -> 103.27.200.199:35954
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 104.16.155.36
Source: Joe Sandbox View; ASN Name: BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH
Source: unknown; FTP traffic detected: 103.27.200.199:21 -> 192.168.2.5:49740 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 3 of 50 allowed. 220-Local time is now 17:55. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
Source: 071020207659825.PDF.exe, vbc.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown; DNS traffic detected: queries for: 51.143.5.0.in-addr.arpa
                Source: vbc.exe, 00000004.00000003.290489006.000000000212C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
                Source: vbc.exe, 00000004.00000002.293429734.000000000077C000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
                Source: vbc.exe, 00000004.00000002.293429734.000000000077C000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
                Source: vbc.exe, 00000004.00000003.291259302.000000000054E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-yo
                Source: vbc.exe, 00000004.00000003.290489006.000000000212C000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
                Source: 071020207659825.PDF.exe, vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: 071020207659825.PDF.exe, 00000001.00000002.518798136.0000000002A31000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                Source: 071020207659825.PDF.exe, 00000001.00000002.518798136.0000000002A31000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com/
                Source: 071020207659825.PDF.exe, vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: vbc.exe, 00000004.00000002.293429734.000000000077C000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
                Source: vbc.exe, 00000004.00000002.293429734.000000000077C000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
                Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511343201.00000000022D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.509516419.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511229624.0000000002242000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245464271.00000000028F7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511056478.0000000002080000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.241114286.0000000000497000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245350386.0000000002862000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.518798136.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 071020207659825.PDF.exe PID: 6820, type: MEMORY
Source: Yara match | File source: Process Memory Space: 071020207659825.PDF.exe PID: 6840, type: MEMORY
Source: Yara match | File source: 1.2.071020207659825.PDF.exe.2080000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.071020207659825.PDF.exe.2080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.071020207659825.PDF.exe.22d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.071020207659825.PDF.exe.2240000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.071020207659825.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.071020207659825.PDF.exe.2860000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.071020207659825.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.071020207659825.PDF.exe.2860000.2.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 1.2.071020207659825.PDF.exe.2240000.2.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 1.2.071020207659825.PDF.exe.22d0000.3.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 1.2.071020207659825.PDF.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Yara detected Keylogger Generic
Source: Yara match | File source: Process Memory Space: 071020207659825.PDF.exe PID: 6820, type: MEMORY
Source: Yara match | File source: Process Memory Space: 071020207659825.PDF.exe PID: 6840, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Code function: 0_2_0042565C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Code function: 0_2_0043C7A0 GetKeyboardState

                System Summary:

                barindex
                Malicious sample detected (through community Yara rule)Show sources
                Source: 00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.511343201.00000000022D2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.511343201.00000000022D2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.509516419.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.509516419.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.511229624.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.511229624.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.245464271.00000000028F7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.245464271.00000000028F7000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.511056478.0000000002080000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.511056478.0000000002080000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000001.241114286.0000000000497000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000001.241114286.0000000000497000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.245350386.0000000002862000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.245350386.0000000002862000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.518798136.0000000002A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.071020207659825.PDF.exe.2080000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.071020207659825.PDF.exe.2080000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.071020207659825.PDF.exe.2080000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.071020207659825.PDF.exe.2080000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.071020207659825.PDF.exe.22d0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.071020207659825.PDF.exe.22d0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.071020207659825.PDF.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.071020207659825.PDF.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.1.071020207659825.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.1.071020207659825.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.071020207659825.PDF.exe.2860000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.071020207659825.PDF.exe.2860000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.071020207659825.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.071020207659825.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Initial sample is a PE file and has a suspicious nameShow sources
                Source: initial sampleStatic PE information: Filename: 071020207659825.PDF.exe
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 0_2_0045A648 NtdllDefWindowProc_A,0_2_0045A648
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 0_2_0043F7EC NtdllDefWindowProc_A,GetCapture,0_2_0043F7EC
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 0_2_0045ADC4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0045ADC4
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 0_2_0045AE74 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0045AE74
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 0_2_00433094 NtdllDefWindowProc_A,0_2_00433094
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 0_2_0044F218 GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_0044F218
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_00490159 NtCreateSection,1_2_00490159
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary,4_2_00408836
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 0_2_00454D1C0_2_00454D1C
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 0_2_0046EF2C0_2_0046EF2C
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 0_2_004690C80_2_004690C8
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 0_2_0044F2180_2_0044F218
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_0040D4261_2_0040D426
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_0040D5231_2_0040D523
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_0041D5AE1_2_0041D5AE
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_004176461_2_00417646
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_004429BE1_2_004429BE
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_00446AF41_2_00446AF4
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_0046ABFC1_2_0046ABFC
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_00463C4D1_2_00463C4D
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_00463CBE1_2_00463CBE
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_0040ED031_2_0040ED03
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_00463D2F1_2_00463D2F
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_00463DC01_2_00463DC0
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_0040CF921_2_0040CF92
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_0041AFA61_2_0041AFA6
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_0048F13D1_2_0048F13D
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_004899761_2_00489976
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: 1_2_0043C7BC1_2_0043C7BC
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00404DDB3_2_00404DDB
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040BD8A3_2_0040BD8A
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00404E4C3_2_00404E4C
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00404EBD3_2_00404EBD
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00404F4E3_2_00404F4E
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_004044194_2_00404419
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_004045164_2_00404516
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_004135384_2_00413538
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_004145A14_2_004145A1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_0040E6394_2_0040E639
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_004337AF4_2_004337AF
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_004399B14_2_004399B1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_0043DAE74_2_0043DAE7
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00405CF64_2_00405CF6
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00403F854_2_00403F85
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00411F994_2_00411F99
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: String function: 0044BA9D appears 34 times
                Source: C:\Users\user\Desktop\071020207659825.PDF.exeCode function: String function: 004043CC appears 67 times
                Source: 071020207659825.PDF.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: 071020207659825.PDF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: 071020207659825.PDF.exe, 00000000.00000002.241324142.00000000006E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs 071020207659825.PDF.exe
                Source: 071020207659825.PDF.exe, 00000000.00000002.245447620.00000000028E2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs 071020207659825.PDF.exe
                Source: 071020207659825.PDF.exe, 00000000.00000002.245464271.00000000028F7000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 071020207659825.PDF.exe
                Source: 071020207659825.PDF.exe, 00000000.00000002.245464271.00000000028F7000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 071020207659825.PDF.exe
                Source: 071020207659825.PDF.exe, 00000000.00000002.245464271.00000000028F7000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs 071020207659825.PDF.exe
                Source: 071020207659825.PDF.exeBinary or memory string: OriginalFilename vs 071020207659825.PDF.exe
                Source: 071020207659825.PDF.exeBinary or memory string: OriginalFileName vs 071020207659825.PDF.exe
                Source: 071020207659825.PDF.exe, 00000001.00000002.524667824.0000000007370000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs 071020207659825.PDF.exe
                Source: 071020207659825.PDF.exe, 00000001.00000002.511294055.00000000022C2000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs 071020207659825.PDF.exe
                Source: 071020207659825.PDF.exe, 00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 071020207659825.PDF.exe
                Source: 071020207659825.PDF.exe, 00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 071020207659825.PDF.exe
                Source: 071020207659825.PDF.exe, 00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs 071020207659825.PDF.exe
                Source: 00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.511343201.00000000022D2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.511343201.00000000022D2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.509516419.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.509516419.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.511229624.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.511229624.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.245464271.00000000028F7000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.245464271.00000000028F7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.511056478.0000000002080000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.511056478.0000000002080000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000001.241114286.0000000000497000.00000040.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000001.241114286.0000000000497000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.245350386.0000000002862000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.245350386.0000000002862000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.518798136.0000000002A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.071020207659825.PDF.exe.2080000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.071020207659825.PDF.exe.2080000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.071020207659825.PDF.exe.2080000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.071020207659825.PDF.exe.2080000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.071020207659825.PDF.exe.22d0000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.071020207659825.PDF.exe.22d0000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.071020207659825.PDF.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.071020207659825.PDF.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.1.071020207659825.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.1.071020207659825.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.071020207659825.PDF.exe.2860000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.071020207659825.PDF.exe.2860000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.071020207659825.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.071020207659825.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.071020207659825.PDF.exe.2860000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (reported 3 times)
Source: 0.2.071020207659825.PDF.exe.2860000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.071020207659825.PDF.exe.2240000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (reported 3 times)
Source: 1.2.071020207659825.PDF.exe.2240000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.071020207659825.PDF.exe.2860000.2.unpack, Form1.cs | Base64 encoded string: 'xZv2KTjDOGwMPewlL06/2/+cBh+3YNzZLNYqWwxyouAodILYLJV9xZ9CGhDaO0jH', 'G9O9EXxYbTKbu/JIqZ4FXWAEsGCT7RJ+/SHmPiE44HoRMOAUDNTRY4dL0xxXj+PX', 'yFzOCZnSHgqZgbtRiX7zTTL1Qt6D+8cCFAWN8MP9eKKls7OaJo1TF2n4j++JkQX9', 'LeVgD+CCM8vGOvvCfBCbKlOuO22U5biiPlXQ3m1iV5wOttbrqIGRlRjJtF3s2yy7JUW0Ja5O8CmF3VvxZqreIg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.071020207659825.PDF.exe.2240000.2.unpack, Form1.cs | Base64 encoded string: 'xZv2KTjDOGwMPewlL06/2/+cBh+3YNzZLNYqWwxyouAodILYLJV9xZ9CGhDaO0jH', 'G9O9EXxYbTKbu/JIqZ4FXWAEsGCT7RJ+/SHmPiE44HoRMOAUDNTRY4dL0xxXj+PX', 'yFzOCZnSHgqZgbtRiX7zTTL1Qt6D+8cCFAWN8MP9eKKls7OaJo1TF2n4j++JkQX9', 'LeVgD+CCM8vGOvvCfBCbKlOuO22U5biiPlXQ3m1iV5wOttbrqIGRlRjJtF3s2yy7JUW0Ja5O8CmF3VvxZqreIg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.071020207659825.PDF.exe.22d0000.3.unpack, Form1.cs | Base64 encoded string: 'xZv2KTjDOGwMPewlL06/2/+cBh+3YNzZLNYqWwxyouAodILYLJV9xZ9CGhDaO0jH', 'G9O9EXxYbTKbu/JIqZ4FXWAEsGCT7RJ+/SHmPiE44HoRMOAUDNTRY4dL0xxXj+PX', 'yFzOCZnSHgqZgbtRiX7zTTL1Qt6D+8cCFAWN8MP9eKKls7OaJo1TF2n4j++JkQX9', 'LeVgD+CCM8vGOvvCfBCbKlOuO22U5biiPlXQ3m1iV5wOttbrqIGRlRjJtF3s2yy7JUW0Ja5O8CmF3VvxZqreIg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.071020207659825.PDF.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'xZv2KTjDOGwMPewlL06/2/+cBh+3YNzZLNYqWwxyouAodILYLJV9xZ9CGhDaO0jH', 'G9O9EXxYbTKbu/JIqZ4FXWAEsGCT7RJ+/SHmPiE44HoRMOAUDNTRY4dL0xxXj+PX', 'yFzOCZnSHgqZgbtRiX7zTTL1Qt6D+8cCFAWN8MP9eKKls7OaJo1TF2n4j++JkQX9', 'LeVgD+CCM8vGOvvCfBCbKlOuO22U5biiPlXQ3m1iV5wOttbrqIGRlRjJtF3s2yy7JUW0Ja5O8CmF3VvxZqreIg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.071020207659825.PDF.exe.22d0000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.071020207659825.PDF.exe.400000.0.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.071020207659825.PDF.exe.2240000.2.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.071020207659825.PDF.exe.2860000.2.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@7/3@4/3
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Code function: 0_2_00422774 GetLastError,FormatMessageA
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Code function: 0_2_00408C60 GetDiskFreeSpaceA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Code function: 0_2_004158D8 FindResourceA
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\holdermail.txt
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 times)
Source: 071020207659825.PDF.exe, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 071020207659825.PDF.exe, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 071020207659825.PDF.exe, 00000000.00000002.245464271.00000000028F7000.00000040.00000001.sdmp, 071020207659825.PDF.exe, 00000001.00000002.509269953.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000004.00000002.292018887.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 071020207659825.PDF.exe, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 071020207659825.PDF.exe, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 071020207659825.PDF.exe, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 071020207659825.PDF.exe, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 071020207659825.PDF.exe | ReversingLabs: Detection: 56%
Source: unknown | Process created: C:\Users\user\Desktop\071020207659825.PDF.exe 'C:\Users\user\Desktop\071020207659825.PDF.exe' (2 instances)
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Process created: C:\Users\user\Desktop\071020207659825.PDF.exe 'C:\Users\user\Desktop\071020207659825.PDF.exe'
Source: C:\Users\user\Desktop\071020207659825.PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
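The process tree recorded above is the part of this report most worth turning into detection logic: a double-extension sample (`*.PDF.exe`) respawns itself, then launches the .NET compiler `vbc.exe` with a `/stext <file>` argument. `vbc.exe` has no `/stext` switch; that is the NirSoft save-as-text switch, so the running image has been replaced by the MailPassView/WebBrowserPassView tool the Yara rules flag, and the output files `holdermail.txt` and `holderwb.txt` are the credential dumps. The following Python is an added example, not part of the sandbox report or any vendor tool; it runs the four checks over a few constructed process-creation events (the `ProcEvent` class, the rule names and the benign decoys are assumptions made for the example, the command lines are modelled on the ones listed above).

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# "Suspicious Double Extension": a document-looking name that really ends in
# an executable extension (e.g. 071020207659825.PDF.exe above).
DOUBLE_EXT = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|ppt|pptx|jpg|jpeg|png|txt)\.(exe|scr|com|pif|bat|cmd)$",
    re.I,
)
# NirSoft "/stext <output file>" switch, quoted or not. The real vbc.exe
# (Visual Basic compiler) never takes this switch.
STEXT_ARG = re.compile(r"/stext\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
# Output names used by this particular sample.
HOLDER_FILE = re.compile(r"\\holder(mail|wb)\.txt$", re.I)


@dataclass(frozen=True)
class ProcEvent:          # assumed shape of a process-creation event
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def stext_output(cmdline: str) -> Optional[str]:
    """Return the file passed to /stext, or None if the switch is absent."""
    m = STEXT_ARG.search(cmdline)
    if m is None:
        return None
    return next(g for g in m.groups() if g is not None)


def rule_double_extension(ev: ProcEvent) -> bool:
    return DOUBLE_EXT.search(basename(ev.image)) is not None


def rule_vbc_stext(ev: ProcEvent) -> bool:
    return basename(ev.image).lower() == "vbc.exe" and stext_output(ev.command_line) is not None


def rule_holder_dump(ev: ProcEvent) -> bool:
    out = stext_output(ev.command_line)
    return out is not None and HOLDER_FILE.search(out) is not None


def rule_self_respawn(ev: ProcEvent) -> bool:
    # Same image launching a second copy of itself; seen here right before the
    # hollowed vbc.exe children appear. Low fidelity on its own (browsers do
    # this too), so correlate it rather than alerting on it alone.
    return ev.parent_image.lower() == ev.image.lower()


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "suspicious_double_extension": rule_double_extension,
    "vbc_exe_with_stext_switch": rule_vbc_stext,
    "nirsoft_dump_to_holder_file": rule_holder_dump,
    "self_respawn": rule_self_respawn,
}


def analyze(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, image basename) for every rule that fires."""
    return [(name, basename(ev.image)) for ev in events
            for name, rule in RULES.items() if rule(ev)]


def credential_dump_chains(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Correlate: a double-extension parent that launched vbc.exe /stext.
    Returns (parent basename, dump file path) per hit."""
    return [(basename(ev.parent_image), stext_output(ev.command_line))
            for ev in events
            if rule_vbc_stext(ev) and DOUBLE_EXT.search(basename(ev.parent_image))]


# Constructed events modelled on the process tree in this report, plus two
# benign decoys (a real compiler run and a genuine PDF being opened).
SAMPLE = r"C:\Users\user\Desktop\071020207659825.PDF.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", SAMPLE, "'" + SAMPLE + "'"),
    ProcEvent(SAMPLE, SAMPLE, "'" + SAMPLE + "'"),
    ProcEvent(SAMPLE, VBC, VBC + r" /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"),
    ProcEvent(SAMPLE, VBC, VBC + r" /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
              r"vbc.exe /noconfig /out:obj\Debug\App.exe Form1.vb"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
              r'"C:\Program Files\Adobe\Reader\AcroRd32.exe" "C:\Users\user\Desktop\invoice.pdf"'),
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print("%-30s %s" % hit)
    for parent, dump in credential_dump_chains(SAMPLE_EVENTS):
        print("credential dump chain:", parent, "->", dump)
```

The `vbc_exe_with_stext_switch` rule is the generic one worth shipping: it fires on any image named `vbc.exe` carrying `/stext`, regardless of the output filename, while `nirsoft_dump_to_holder_file` is specific to this sample's `holder*.txt` names and will age quickly. On real telemetry the image path should also be checked against the Framework directories, since the hollowed process still shows the legitimate `vbc.exe` path here.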