Analysis Report BANK-STATMENT _xlsx.exe

Overview

General Information

Sample Name: BANK-STATMENT _xlsx.exe
Analysis ID: 320625
MD5: debe564cd4c27c02d23c828df27fe27f
SHA1: 1b55fba242460cc0a5b38299acaaacf3f54c5e87
SHA256: edafe7e62738e180cb882d93f37d2d306627aef482d6f7a7a06c69198c61cd58
Tags: exe, HawkEye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • BANK-STATMENT _xlsx.exe (PID: 1496 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' MD5: DEBE564CD4C27C02D23C828DF27FE27F)
    • BANK-STATMENT _xlsx.exe (PID: 4500 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' MD5: DEBE564CD4C27C02D23C828DF27FE27F)
      • dw20.exe (PID: 5996 cmdline: dw20.exe -x -s 2264 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6920 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7044 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • BANK-STATMENT _xlsx.exe (PID: 3984 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4500 5715437 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
      • BANK-STATMENT _xlsx.exe (PID: 1900 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
        • BANK-STATMENT _xlsx.exe (PID: 4240 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
          • dw20.exe (PID: 5456 cmdline: dw20.exe -x -s 2304 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
        • BANK-STATMENT _xlsx.exe (PID: 6452 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4240 5772140 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
          • BANK-STATMENT _xlsx.exe (PID: 3028 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
            • BANK-STATMENT _xlsx.exe (PID: 1548 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
              • dw20.exe (PID: 5992 cmdline: dw20.exe -x -s 2288 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
              • vbc.exe (PID: 5676 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
              • vbc.exe (PID: 6708 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
            • BANK-STATMENT _xlsx.exe (PID: 2240 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 1548 5785125 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
              • BANK-STATMENT _xlsx.exe (PID: 6984 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                • BANK-STATMENT _xlsx.exe (PID: 6180 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                  • dw20.exe (PID: 5484 cmdline: dw20.exe -x -s 2264 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
                • BANK-STATMENT _xlsx.exe (PID: 6188 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 6180 5810484 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                  • BANK-STATMENT _xlsx.exe (PID: 5540 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                    • BANK-STATMENT _xlsx.exe (PID: 5580 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                      • dw20.exe (PID: 6904 cmdline: dw20.exe -x -s 2324 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
                    • BANK-STATMENT _xlsx.exe (PID: 5588 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 5580 5822718 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                      • BANK-STATMENT _xlsx.exe (PID: 6176 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                        • BANK-STATMENT _xlsx.exe (PID: 2864 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                        • BANK-STATMENT _xlsx.exe (PID: 4608 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 2864 5836578 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x2674:$hawkstr1: HawkEye Keylogger
  • 0x20ec:$hawkstr2: Dear HawkEye Customers!
  • 0x221e:$hawkstr3: HawkEye Logger Details:
00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b984:$key: HawkEyeKeylogger
  • 0x7dbb4:$salt: 099u787978786
  • 0x7bfc5:$string1: HawkEye_Keylogger
  • 0x7ce04:$string1: HawkEye_Keylogger
  • 0x7db14:$string1: HawkEye_Keylogger
  • 0x7c39a:$string2: holdermail.txt
  • 0x7c3ba:$string2: holdermail.txt
  • 0x7c2dc:$string3: wallet.dat
  • 0x7c2f4:$string3: wallet.dat
  • 0x7c30a:$string3: wallet.dat
  • 0x7d6d8:$string4: Keylog Records
  • 0x7d9f0:$string4: Keylog Records
  • 0x7dc0c:$string5: do not script -->
  • 0x7b96c:$string6: \pidloc.txt
  • 0x7b9fa:$string7: BSPLIT
  • 0x7ba0a:$string7: BSPLIT
00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Unpacked PEs

Source | Rule | Description | Author
25.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
7.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b89c:$key: HawkEyeKeylogger
  • 0x7dacc:$salt: 099u787978786
  • 0x7bedd:$string1: HawkEye_Keylogger
  • 0x7cd1c:$string1: HawkEye_Keylogger
  • 0x7da2c:$string1: HawkEye_Keylogger
  • 0x7c2b2:$string2: holdermail.txt
  • 0x7c2d2:$string2: holdermail.txt
  • 0x7c1f4:$string3: wallet.dat
  • 0x7c20c:$string3: wallet.dat
  • 0x7c222:$string3: wallet.dat
  • 0x7d5f0:$string4: Keylog Records
  • 0x7d908:$string4: Keylog Records
  • 0x7db24:$string5: do not script -->
  • 0x7b884:$string6: \pidloc.txt
  • 0x7b912:$string7: BSPLIT
  • 0x7b922:$string7: BSPLIT
1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security