Loading ...

Play interactive tourEdit tour

Analysis Report Prueba de pago.exe

Overview

General Information

Sample Name:Prueba de pago.exe
Analysis ID:319596
MD5:b3a244a097904a4d6689a582d7ec9985
SHA1:b16032d83c91ee333221fafadd5f2381ca659d78
SHA256:286b416351f4ca6cc215c58692af9be6b9f4eb54c4641160e2a31dfd16c43ec7
Tags:ESPexegeoHawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Deletes itself after installation
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • Prueba de pago.exe (PID: 5080 cmdline: 'C:\Users\user\Desktop\Prueba de pago.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
    • Prueba de pago.exe (PID: 2168 cmdline: 'C:\Users\user\Desktop\Prueba de pago.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
      • Windows Update.exe (PID: 5672 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
        • Windows Update.exe (PID: 5388 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
          • dw20.exe (PID: 2220 cmdline: dw20.exe -x -s 2384 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
          • vbc.exe (PID: 6120 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 3484 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 4112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 2488 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 6328 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
    • WindowsUpdate.exe (PID: 6392 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
      • Windows Update.exe (PID: 6456 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
        • Windows Update.exe (PID: 6476 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: B3A244A097904A4D6689A582D7EC9985)
          • dw20.exe (PID: 7024 cmdline: dw20.exe -x -s 2376 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Windows Update.e_1044ba73b302b1a19e09d2f83986d3c5672f_ffa3413f_105a0017\Report.werSUSP_WER_Suspicious_Crash_DirectoryDetects a crashed application executed in a suspicious directoryFlorian Roth
  • 0x11c:$a1: ReportIdentifier=
  • 0x19e:$a1: ReportIdentifier=
  • 0x75a:$a2: .Name=Fault Module Name
  • 0x4ad8:$a3: AppPath=
  • 0x4ad8:$l4: AppPath=C:\Users\
  • 0x4ad8:$s8: AppPath=C:\Users\user\AppData\Roaming\Windows Update.exe
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
  • 0x56e54e:$key: HawkEyeKeylogger
  • 0x5707b8:$salt: 099u787978786
  • 0x56ebab:$string1: HawkEye_Keylogger
  • 0x56f9ea:$string1: HawkEye_Keylogger
  • 0x570718:$string1: HawkEye_Keylogger
  • 0x56ef80:$string2: holdermail.txt
  • 0x56efa0:$string2: holdermail.txt
  • 0x56eec2:$string3: wallet.dat
  • 0x56eeda:$string3: wallet.dat
  • 0x56eef0:$string3: wallet.dat
  • 0x5702dc:$string4: Keylog Records
  • 0x5705f4:$string4: Keylog Records
  • 0x570810:$string5: do not script -->
  • 0x56e536:$string6: \pidloc.txt
  • 0x56e5c4:$string7: BSPLIT
  • 0x56e5d4:$string7: BSPLIT
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
    C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmpHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
    • 0x56ec03:$hawkstr1: HawkEye Keylogger
    • 0x56fa30:$hawkstr1: HawkEye Keylogger
    • 0x56fd5f:$hawkstr1: HawkEye Keylogger
    • 0x56feba:$hawkstr1: HawkEye Keylogger
    • 0x57001d:$hawkstr1: HawkEye Keylogger
    • 0x5702b4:$hawkstr1: HawkEye Keylogger
    • 0x56e775:$hawkstr2: Dear HawkEye Customers!
    • 0x56fdb2:$hawkstr2: Dear HawkEye Customers!
    • 0x56ff09:$hawkstr2: Dear HawkEye Customers!
    • 0x570070:$hawkstr2: Dear HawkEye Customers!
    • 0x56e896:$hawkstr3: HawkEye Logger Details:

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
      0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmpHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
      • 0x26a0:$hawkstr1: HawkEye Keylogger
      • 0x20ec:$hawkstr2: Dear HawkEye Customers!
      • 0x221e:$hawkstr3: HawkEye Logger Details:
      0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
      • 0x7b6e3:$key: HawkEyeKeylogger
      • 0x7d94d:$salt: 099u787978786
      • 0x7bd40:$string1: HawkEye_Keylogger
      • 0x7cb7f:$string1: HawkEye_Keylogger
      • 0x7d8ad:$string1: HawkEye_Keylogger
      • 0x7c115:$string2: holdermail.txt
      • 0x7c135:$string2: holdermail.txt
      • 0x7c057:$string3: wallet.dat
      • 0x7c06f:$string3: wallet.dat
      • 0x7c085:$string3: wallet.dat
      • 0x7d471:$string4: Keylog Records
      • 0x7d789:$string4: Keylog Records
      • 0x7d9a5:$string5: do not script -->
      • 0x7b6cb:$string6: \pidloc.txt
      • 0x7b759:$string7: BSPLIT
      • 0x7b769:$string7: BSPLIT
      0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
        0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
          Click to see the 200 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          1.2.Prueba de pago.exe.2460000.3.unpackRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
          • 0x7b8e3:$key: HawkEyeKeylogger
          • 0x7db4d:$salt: 099u787978786
          • 0x7bf40:$string1: HawkEye_Keylogger
          • 0x7cd7f:$string1: HawkEye_Keylogger
          • 0x7daad:$string1: HawkEye_Keylogger
          • 0x7c315:$string2: holdermail.txt
          • 0x7c335:$string2: holdermail.txt
          • 0x7c257:$string3: wallet.dat
          • 0x7c26f:$string3: wallet.dat
          • 0x7c285:$string3: wallet.dat
          • 0x7d671:$string4: Keylog Records
          • 0x7d989:$string4: Keylog Records
          • 0x7dba5:$string5: do not script -->
          • 0x7b8cb:$string6: \pidloc.txt
          • 0x7b959:$string7: BSPLIT
          • 0x7b969:$string7: BSPLIT
          1.2.Prueba de pago.exe.2460000.3.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
            1.2.Prueba de pago.exe.2460000.3.unpackJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
              1.2.Prueba de pago.exe.2460000.3.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                1.2.Prueba de pago.exe.2460000.3.unpackHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
                • 0x7bf98:$hawkstr1: HawkEye Keylogger
                • 0x7cdc5:$hawkstr1: HawkEye Keylogger
                • 0x7d0f4:$hawkstr1: HawkEye Keylogger
                • 0x7d24f:$hawkstr1: HawkEye Keylogger
                • 0x7d3b2:$hawkstr1: HawkEye Keylogger
                • 0x7d649:$hawkstr1: HawkEye Keylogger
                • 0x7bb0a:$hawkstr2: Dear HawkEye Customers!
                • 0x7d147:$hawkstr2: Dear HawkEye Customers!
                • 0x7d29e:$hawkstr2: Dear HawkEye Customers!
                • 0x7d405:$hawkstr2: Dear HawkEye Customers!
                • 0x7bc2b:$hawkstr3: HawkEye Logger Details: