
Analysis Report INQUIRY.exe

Overview

General Information

Sample Name: INQUIRY.exe
Analysis ID: 319686
MD5: 0b940145d7d02e5b1b975c99dd5197a4
SHA1: 53ae0b576f7b362b90a25ace1470d33068db4490
SHA256: bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
Tags: exe, HawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • INQUIRY.exe (PID: 2016 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' MD5: 0B940145D7D02E5B1B975C99DD5197A4)
    • INQUIRY.exe (PID: 5896 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' MD5: 0B940145D7D02E5B1B975C99DD5197A4)
      • dw20.exe (PID: 6868 cmdline: dw20.exe -x -s 2308 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6664 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6700 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • WerFault.exe (PID: 6776 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 2216 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • INQUIRY.exe (PID: 5788 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 5896 5358953 MD5: 0B940145D7D02E5B1B975C99DD5197A4)
      • INQUIRY.exe (PID: 6076 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
        • INQUIRY.exe (PID: 6808 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
          • dw20.exe (PID: 6936 cmdline: dw20.exe -x -s 2272 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
          • vbc.exe (PID: 5684 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 4184 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 1076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2324 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • INQUIRY.exe (PID: 6792 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 6808 5404546 MD5: 0B940145D7D02E5B1B975C99DD5197A4)
          • INQUIRY.exe (PID: 6400 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
            • INQUIRY.exe (PID: 240 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
              • dw20.exe (PID: 204 cmdline: dw20.exe -x -s 2100 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
            • INQUIRY.exe (PID: 6428 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 240 5445406 MD5: 0B940145D7D02E5B1B975C99DD5197A4)
              • INQUIRY.exe (PID: 6900 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
                • INQUIRY.exe (PID: 1364 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
                  • dw20.exe (PID: 6380 cmdline: dw20.exe -x -s 2284 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
                  • vbc.exe (PID: 5396 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
                  • vbc.exe (PID: 3064 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
                  • WerFault.exe (PID: 7076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2096 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
                • INQUIRY.exe (PID: 4424 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 1364 5460187 MD5: 0B940145D7D02E5B1B975C99DD5197A4)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings (matched strings are listed under each row)
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x59d3e3:$key: HawkEyeKeylogger
  • 0x59f613:$salt: 099u787978786
  • 0x59da24:$string1: HawkEye_Keylogger
  • 0x59e863:$string1: HawkEye_Keylogger
  • 0x59f573:$string1: HawkEye_Keylogger
  • 0x59ddf9:$string2: holdermail.txt
  • 0x59de19:$string2: holdermail.txt
  • 0x59dd3b:$string3: wallet.dat
  • 0x59dd53:$string3: wallet.dat
  • 0x59dd69:$string3: wallet.dat
  • 0x59f137:$string4: Keylog Records
  • 0x59f44f:$string4: Keylog Records
  • 0x59f66b:$string5: do not script -->
  • 0x59d3cb:$string6: \pidloc.txt
  • 0x59d459:$string7: BSPLIT
  • 0x59d469:$string7: BSPLIT
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x59da7c:$hawkstr1: HawkEye Keylogger
  • 0x59e8a9:$hawkstr1: HawkEye Keylogger
  • 0x59ebd8:$hawkstr1: HawkEye Keylogger
  • 0x59ed33:$hawkstr1: HawkEye Keylogger
  • 0x59ee96:$hawkstr1: HawkEye Keylogger
  • 0x59f10f:$hawkstr1: HawkEye Keylogger
  • 0x59d60a:$hawkstr2: Dear HawkEye Customers!
  • 0x59ec2b:$hawkstr2: Dear HawkEye Customers!
  • 0x59ed82:$hawkstr2: Dear HawkEye Customers!
  • 0x59eee9:$hawkstr2: Dear HawkEye Customers!
  • 0x59d72b:$hawkstr3: HawkEye Logger Details:
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x5a504d:$key: HawkEyeKeylogger
  • 0x5a727d:$salt: 099u787978786
  • 0x5a568e:$string1: HawkEye_Keylogger
  • 0x5a64cd:$string1: HawkEye_Keylogger
  • 0x5a71dd:$string1: HawkEye_Keylogger
  • 0x5a5a63:$string2: holdermail.txt
  • 0x5a5a83:$string2: holdermail.txt
  • 0x5a59a5:$string3: wallet.dat
  • 0x5a59bd:$string3: wallet.dat
  • 0x5a59d3:$string3: wallet.dat
  • 0x5a6da1:$string4: Keylog Records
  • 0x5a70b9:$string4: Keylog Records
  • 0x5a72d5:$string5: do not script -->
  • 0x5a5035:$string6: \pidloc.txt
  • 0x5a50c3:$string7: BSPLIT
  • 0x5a50d3:$string7: BSPLIT
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings (matched strings are listed under each row)
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b89c:$key: HawkEyeKeylogger
  • 0x7dacc:$salt: 099u787978786
  • 0x7bedd:$string1: HawkEye_Keylogger
  • 0x7cd1c:$string1: HawkEye_Keylogger
  • 0x7da2c:$string1: HawkEye_Keylogger
  • 0x7c2b2:$string2: holdermail.txt
  • 0x7c2d2:$string2: holdermail.txt
  • 0x7c1f4:$string3: wallet.dat
  • 0x7c20c:$string3: wallet.dat
  • 0x7c222:$string3: wallet.dat
  • 0x7d5f0:$string4: Keylog Records
  • 0x7d908:$string4: Keylog Records
  • 0x7db24:$string5: do not script -->
  • 0x7b884:$string6: \pidloc.txt
  • 0x7b912:$string7: BSPLIT
  • 0x7b922:$string7: BSPLIT
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bf35:$hawkstr1: HawkEye Keylogger
  • 0x7cd62:$hawkstr1: HawkEye Keylogger
  • 0x7d091:$hawkstr1: HawkEye Keylogger
  • 0x7d1ec:$hawkstr1: HawkEye Keylogger
  • 0x7d34f:$hawkstr1: HawkEye Keylogger
  • 0x7d5c8:$hawkstr1: HawkEye Keylogger
  • 0x7bac3:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0e4:$hawkstr2: Dear HawkEye Customers!
  • 0x7d23b:$hawkstr2: Dear HawkEye Customers!
  • 0x7d3a2:$hawkstr2: Dear HawkEye Customers!
  • 0x7bbe4:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source | Rule | Description | Author | Strings (matched strings are listed under each row)
5.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
16.1.INQUIRY.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x112984:$key: HawkEyeKeylogger
  • 0x114bb4:$salt: 099u787978786
  • 0x112fc5:$string1: HawkEye_Keylogger
  • 0x113e04:$string1: HawkEye_Keylogger
  • 0x114b14:$string1: HawkEye_Keylogger
  • 0x11339a:$string2: holdermail.txt
  • 0x1133ba:$string2: holdermail.txt
  • 0x1132dc:$string3: wallet.dat
  • 0x1132f4:$string3: wallet.dat
  • 0x11330a:$string3: wallet.dat
  • 0x1146d8:$string4: Keylog Records
  • 0x1149f0:$string4: Keylog Records
  • 0x114c0c:$string5: do not script -->
  • 0x11296c:$string6: \pidloc.txt
  • 0x1129fa:$string7: BSPLIT
  • 0x112a0a:$string7: BSPLIT
16.1.INQUIRY.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
16.1.INQUIRY.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
16.1.INQUIRY.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security