Loading ...

Play interactive tourEdit tour

Analysis Report PURCHASE ORDER.exe

Overview

General Information

Sample Name:PURCHASE ORDER.exe
Analysis ID:321194
MD5:8e2337f7cdd4bcd18e862b7a73734d49
SHA1:457de2e691794711d257ab9c6315d6f26465ce1a
SHA256:d30629a1a9aad3b8bc1e3827ab767473089214fd801b556f9ed3430f39bacbdd
Tags:exeHawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • PURCHASE ORDER.exe (PID: 6508 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
    • PURCHASE ORDER.exe (PID: 6524 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
      • dw20.exe (PID: 6732 cmdline: dw20.exe -x -s 2104 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6928 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6940 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • PURCHASE ORDER.exe (PID: 6532 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6524 7175453 MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
      • PURCHASE ORDER.exe (PID: 764 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
        • PURCHASE ORDER.exe (PID: 6952 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
          • dw20.exe (PID: 1112 cmdline: dw20.exe -x -s 2112 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
          • vbc.exe (PID: 1236 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 3720 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • PURCHASE ORDER.exe (PID: 5552 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6952 7204953 MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
          • PURCHASE ORDER.exe (PID: 1396 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
            • PURCHASE ORDER.exe (PID: 5140 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
              • dw20.exe (PID: 5468 cmdline: dw20.exe -x -s 2304 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
            • PURCHASE ORDER.exe (PID: 3100 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5140 7233203 MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
              • PURCHASE ORDER.exe (PID: 5772 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
                • PURCHASE ORDER.exe (PID: 5076 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
                  • dw20.exe (PID: 4684 cmdline: dw20.exe -x -s 2272 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
                  • vbc.exe (PID: 6536 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
                  • vbc.exe (PID: 6312 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
                • PURCHASE ORDER.exe (PID: 6660 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5076 7248218 MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
  • 0x7b69c:$key: HawkEyeKeylogger
  • 0x7d8cc:$salt: 099u787978786
  • 0x7bcdd:$string1: HawkEye_Keylogger
  • 0x7cb1c:$string1: HawkEye_Keylogger
  • 0x7d82c:$string1: HawkEye_Keylogger
  • 0x7c0b2:$string2: holdermail.txt
  • 0x7c0d2:$string2: holdermail.txt
  • 0x7bff4:$string3: wallet.dat
  • 0x7c00c:$string3: wallet.dat
  • 0x7c022:$string3: wallet.dat
  • 0x7d3f0:$string4: Keylog Records
  • 0x7d708:$string4: Keylog Records
  • 0x7d924:$string5: do not script -->
  • 0x7b684:$string6: \pidloc.txt
  • 0x7b712:$string7: BSPLIT
  • 0x7b722:$string7: BSPLIT
00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
    00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
      00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
        00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmpHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
        • 0x7bd35:$hawkstr1: HawkEye Keylogger
        • 0x7cb62:$hawkstr1: HawkEye Keylogger
        • 0x7ce91:$hawkstr1: HawkEye Keylogger
        • 0x7cfec:$hawkstr1: HawkEye Keylogger
        • 0x7d14f:$hawkstr1: HawkEye Keylogger
        • 0x7d3c8:$hawkstr1: HawkEye Keylogger
        • 0x7b8c3:$hawkstr2: Dear HawkEye Customers!
        • 0x7cee4:$hawkstr2: Dear HawkEye Customers!
        • 0x7d03b:$hawkstr2: Dear HawkEye Customers!
        • 0x7d1a2:$hawkstr2: Dear HawkEye Customers!
        • 0x7b9e4:$hawkstr3: HawkEye Logger Details:
        Click to see the 198 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        8.2.vbc.exe.400000.0.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
          38.2.vbc.exe.400000.0.raw.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
            39.2.vbc.exe.400000.0.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
              7.2.vbc.exe.400000.0.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
                34.2.PURCHASE ORDER.exe.2390000.3.unpackRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
                • 0x7b89c:$key: HawkEyeKeylogger
                • 0x7dacc:$salt: 099u787978786
                • 0x7bedd:$string1: HawkEye_Keylogger
                • 0x7cd1c:$string1: HawkEye_Keylogger
                • 0x7da2c:$string1: HawkEye_Keylogger
                • 0x7c2b2:$string2: holdermail.txt
                • 0x7c2d2:$string2: holdermail.txt
                • 0x7c1f4:$string3: wallet.dat
                • 0x7c20c:$string3: wallet.dat
                • 0x7c222:$string3: wallet.dat
                • 0x7d5f0:$string4: Keylog Records
                • 0x7d908:$string4: Keylog Records
                • 0x7db24:$string5: do not script -->
                • 0x7b884:$string6: \pidloc.txt
                • 0x7b912:$string7: BSPLIT
                • 0x7b922:$string7: BSPLIT