Analysis Report QNSpfBSrsR.exe

Overview

General Information

Sample Name: QNSpfBSrsR.exe
Analysis ID: 330378
MD5: 7da4f5e17791a774131c3c97538a2495
SHA1: 552b4a357b259935a35b06d040d7f2e3205c8e42
SHA256: ac8ef770d70da42ea56d5b15fb5db0be89ae9250ac78b2bfd493843a50399a19
Tags: exe HawkEye

Detection

HawkEye, M00nD3v Logger, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected M00nD3v Logger
Yara detected MailPassView
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection:

Found malware configuration
Source: vbc.exe.4204.10.memstr Malware Configuration Extractor: HawkEye {"Modules": ["mailpv"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: QNSpfBSrsR.exe Virustotal: Detection: 28%
Antivirus or Machine Learning detection for unpacked file
Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 10_2_0040702D

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 8_2_0172A9E8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 8_2_0172A9E0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
Source: Yara match File source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040ADA4 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 10_2_0040ADA4

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000A.00000002.739382606.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.1017257384.0000000003090000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.QNSpfBSrsR.exe.3090000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.QNSpfBSrsR.exe.3090000.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Contains functionality to call native functions
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 8_2_06163CA8 NtUnmapViewOfSection, 8_2_06163CA8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 8_2_06163CA0 NtUnmapViewOfSection, 8_2_06163CA0
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00412084 appears 39 times
PE / OLE file has an invalid certificate
Source: QNSpfBSrsR.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: QNSpfBSrsR.exe, 00000008.00000002.1022383238.0000000006170000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs QNSpfBSrsR.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1016019663.00000000012F8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QNSpfBSrsR.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameccdf cff.exe2 vs QNSpfBSrsR.exe
Yara signature match
Source: 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000A.00000002.739382606.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000008.00000002.1017257384.0000000003090000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.QNSpfBSrsR.exe.3090000.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.QNSpfBSrsR.exe.3090000.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@19/2@0/0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040F37C FindResourceA,SizeofResource,LoadResource,LockResource, 10_2_0040F37C
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QNSpfBSrsR.exe.log
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Mutant created: \Sessions\1\BaseNamedObjects\ae5d6307-0d62-4e92-938b-debeac1db00e
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe File created: C:\Users\user\AppData\Local\Temp\2c99a7ed-ddac-ab7c-0bfe-56058ec17ef8
Source: QNSpfBSrsR.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: QNSpfBSrsR.exe Virustotal: Detection: 28%
Source: unknown Process created: C:\Users\user\Desktop\QNSpfBSrsR.exe 'C:\Users\user\Desktop\QNSpfBSrsR.exe'
Source: unknown Process created: C:\Users\user\Desktop\QNSpfBSrsR.exe C:\Users\user\Desktop\QNSpfBSrsR.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C48.tmp'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9CC3.tmp'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8FAF.tmp'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9398.tmp'
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Users\user\Desktop\QNSpfBSrsR.exe C:\Users\user\Desktop\QNSpfBSrsR.exe
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp'
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C48.tmp'
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp'
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9CC3.tmp'
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8FAF.tmp'
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9398.tmp'
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: QNSpfBSrsR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QNSpfBSrsR.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: QNSpfBSrsR.exe Static file information: File size 7447752 > 1048576
Source: QNSpfBSrsR.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x718800
Source: QNSpfBSrsR.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: QNSpfBSrsR.exe, 00000008.00000002.1020981161.000000000358C000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00403C17 LoadLibraryA,GetProcAddress,strcpy, 10_2_00403C17
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 8_2_017261E8 push esp; iretd 8_2_017261E9
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 8_2_0172F353 push FFD2B0BAh; retf 8_2_0172F360
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 8_2_05C35929 push esi; ret 8_2_05C3592A
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 8_2_05C36B34 push 6A3205C3h; ret 8_2_05C36B42
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 8_2_05C35EC3 push ecx; ret 8_2_05C35ECA
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 8_2_05C36ADB push 633105C3h; ret 8_2_05C36AFE
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 8_2_05C35E5B push edi; ret 8_2_05C35E62
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 8_2_061633FD push es; retf 8_2_06163400
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Code function: 8_2_061633EC push es; iretd 8_2_061633FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00412341 push ecx; ret 10_2_00412351
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00412360 push eax; ret 10_2_00412374
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00412360 push eax; ret 10_2_0041239C

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040FCBC memset,strcpy,memset,strcpy,strcat,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_0040FCBC
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Thread delayed: delay time: 600000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 6656 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 5748 Thread sleep count: 177 > 30
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 5748 Thread sleep time: -177000s >= -30000s
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 1852 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 1852 Thread sleep count: 276 > 30
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 1852 Thread sleep time: -276000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 10_2_0040702D
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00403C17 LoadLibraryA,GetProcAddress,strcpy, 10_2_00403C17
Enables debug privileges
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 25D008
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 20F008
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3A6008
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 22D008
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 20E008
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 20F008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Users\user\Desktop\QNSpfBSrsR.exe C:\Users\user\Desktop\QNSpfBSrsR.exe
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp'
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C48.tmp'
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp'
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9CC3.tmp'
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8FAF.tmp'
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9398.tmp'
Source: QNSpfBSrsR.exe, 00000008.00000002.1017113609.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: QNSpfBSrsR.exe, 00000008.00000002.1017113609.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: QNSpfBSrsR.exe, 00000008.00000002.1017113609.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: QNSpfBSrsR.exe, 00000008.00000002.1017113609.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Queries volume information: C:\Users\user\Desktop\QNSpfBSrsR.exe VolumeInformation
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Queries volume information: C:\Users\user\Desktop\QNSpfBSrsR.exe VolumeInformation
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 10_2_004073B6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00406282 GetVersionExA, 10_2_00406282
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: bdagent.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: avguard.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: avgrsx.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: avcenter.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: avp.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: zlclient.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: avgcsrvx.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: avgnt.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: hijackthis.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: avgui.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: avgwdsvc.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: mbam.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
Source: Yara match File source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected M00nD3v Logger
Source: Yara match File source: 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
Yara detected MailPassView
Source: Yara match File source: 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1020981161.000000000358C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.727612080.0000000004A15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.739382606.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1017907114.0000000003343000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1017257384.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1019556248.000000000347F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1021020173.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1019524329.0000000003462000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1021102525.0000000004211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 4204, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7132, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1072, type: MEMORY
Source: Yara match File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7012, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 4088, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 5732, type: MEMORY
Source: Yara match File source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.QNSpfBSrsR.exe.3090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.QNSpfBSrsR.exe.3090000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 10_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 10_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 10_2_004033B1

Remote Access Functionality:

Detected HawkEye Rat
Source: QNSpfBSrsR.exe, 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_LoopPasswordStealer_KeyStrokeLogger_EmptyKeyStroke_ClipboardLogger_EmptyClipboard_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
Source: Yara match File source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected M00nD3v Logger
Source: Yara match File source: 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
Behavior Graph (ID: 330378; the original is an image, rendered here as a text tree)
Sample: QNSpfBSrsR.exe   Startdate: 14/12/2020   Architecture: WINDOWS   Score: 100
Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures

QNSpfBSrsR.exe (started)
  dropped file: C:\Users\user\AppData\...\QNSpfBSrsR.exe.log, ASCII
  signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  -> QNSpfBSrsR.exe (started)
       signatures: Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
       -> vbc.exe (started)
            signatures: Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
       -> vbc.exe (started)
       -> vbc.exe (started)
       -> 3 other processes
  -> QNSpfBSrsR.exe (started)
  -> QNSpfBSrsR.exe (started)
No contacted IP infos