
Analysis Report QNSpfBSrsR.exe

Overview

General Information

Sample Name: QNSpfBSrsR.exe
Analysis ID: 330378
MD5: 7da4f5e17791a774131c3c97538a2495
SHA1: 552b4a357b259935a35b06d040d7f2e3205c8e42
SHA256: ac8ef770d70da42ea56d5b15fb5db0be89ae9250ac78b2bfd493843a50399a19
Tags: exe, HawkEye


Detection

HawkEye, M00nD3v Logger, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected M00nD3v Logger
Yara detected MailPassView
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • QNSpfBSrsR.exe (PID: 6696 cmdline: 'C:\Users\user\Desktop\QNSpfBSrsR.exe' MD5: 7DA4F5E17791A774131C3C97538A2495)
    • QNSpfBSrsR.exe (PID: 7128 cmdline: C:\Users\user\Desktop\QNSpfBSrsR.exe MD5: 7DA4F5E17791A774131C3C97538A2495)
    • QNSpfBSrsR.exe (PID: 6384 cmdline: C:\Users\user\Desktop\QNSpfBSrsR.exe MD5: 7DA4F5E17791A774131C3C97538A2495)
    • QNSpfBSrsR.exe (PID: 2800 cmdline: C:\Users\user\Desktop\QNSpfBSrsR.exe MD5: 7DA4F5E17791A774131C3C97538A2495)
      • vbc.exe (PID: 4204 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5732 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C48.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7132 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7012 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9CC3.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 4088 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8FAF.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 1072 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9398.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000008.00000002.1020981161.000000000358C000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(truncated; 32 entries in the full report)

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
11.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
10.2.vbc.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
10.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
8.2.QNSpfBSrsR.exe.3090000.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x134d2:$a1: logins.json
  • 0x13432:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13c56:$s4: \mozsqlite3.dll
  • 0x124c6:$s5: SMTP Password
(truncated; 26 entries in the full report)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.4204.10.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["mailpv"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: QNSpfBSrsR.exe | Virustotal: Detection: 28%
Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 8_2_0172A9E8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 8_2_0172A9E0
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: QNSpfBSrsR.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: QNSpfBSrsR.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: http://dyn.com/dns/
Source: QNSpfBSrsR.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php
Source: QNSpfBSrsR.exe, 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: vbc.exe, 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/
Source: QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/done8
Source: QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/set
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
Source: QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591yu1SPS
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1)
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll;HawkEye
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://ogs.google.com/widget/callout
Source: QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https
Source: QNSpfBSrsR.exe | String found in binary or memory: https://sectigo.com/CPS0D
Source: QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
Source: QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com&gl=GB&pc=s&uxe=4421591
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/favicon.ico
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/(x
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/7a5c56LMEMx
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/7a5c56LMEMx8
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/SFQ
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/er9
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/search
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/url
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1016568541.0000000001542000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
Source: Yara match | File source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_0040ADA4 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000A.00000002.739382606.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.1017257384.0000000003090000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.QNSpfBSrsR.exe.3090000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.QNSpfBSrsR.exe.3090000.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06163CA8 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06163CA0 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01721108
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017289F8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017219B1
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01722358
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01729B39
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017282F0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017232B0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172E580
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017204E8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172CF61
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172A628
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01726603
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01725908
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017289E7
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017269D8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172D9D8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017269C8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017231B5
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01727048
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01727038
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017250F3
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017258F9
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017210E8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01725B09
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017213E0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01726B93
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01724248
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01724238
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01724200
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017282E1
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01721DF8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01724DE0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01724DD0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172E5C0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01721DA0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172A58D
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017254A0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01725490
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01727708
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172DFF1
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01726639
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172A60C
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017276F8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017256C0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017256B0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C3E510
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C3BAE0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C3D600
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C31910
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C31920
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C36C80
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C37C20
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C3B038
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C35F10
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C35F20
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C36248
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C36258
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06160A48
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06161B18
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06161F08
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06163195
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_061603A5
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06160FD7
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06160FD8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_061613F8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_061613E9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_0040BF6B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00412084 appears 39 times
            Source: QNSpfBSrsR.exeStatic PE information: invalid certificate
            Source: QNSpfBSrsR.exe, 00000008.00000002.1022383238.0000000006170000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs QNSpfBSrsR.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1016019663.00000000012F8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs QNSpfBSrsR.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameccdf cff.exe2 vs QNSpfBSrsR.exe
            Source: 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY  Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 0000000A.00000002.739382606.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY  Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 00000008.00000002.1017257384.0000000003090000.00000004.00000001.sdmp, type: MEMORY  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY  Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 8.2.QNSpfBSrsR.exe.3090000.2.raw.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 8.2.QNSpfBSrsR.exe.3090000.2.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: HawkEyev9 (author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload)
            Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
            Triage note: every APT_NK_BabyShark_KimJoingRAT_Apr19_1 match above lands either on a vbc.exe image at base 400000 (processes 10, 11, 15, 16, 19 and 20) or on one region of the parent. Five of the six vbc.exe dumps that fire the rule (0000000B, 0000000F, 00000010, 00000013, 00000014) are the same dumps that carry the c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb path listed under the Binary string entry further down, i.e. the injected NirSoft MailPassView module. Treat the APT rule hit as string overlap with that embedded credential-recovery tool, consistent with the HawkEye / MailPassView verdict, rather than as evidence of BabyShark activity.
            Source: classification engine  Classification label: mal100.phis.troj.spyw.evad.winEXE@19/2@0/0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  Code function: 10_2_0040F37C FindResourceA,SizeofResource,LoadResource,LockResource
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QNSpfBSrsR.exe.log
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Mutant created: \Sessions\1\BaseNamedObjects\ae5d6307-0d62-4e92-938b-debeac1db00e
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  File created: C:\Users\user\AppData\Local\Temp\2c99a7ed-ddac-ab7c-0bfe-56058ec17ef8
            Source: QNSpfBSrsR.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll  (2 identical entries)
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: QNSpfBSrsR.exe  Virustotal: Detection: 28%
            Source: unknown  Process created: C:\Users\user\Desktop\QNSpfBSrsR.exe 'C:\Users\user\Desktop\QNSpfBSrsR.exe'
            Source: unknown  Process created: C:\Users\user\Desktop\QNSpfBSrsR.exe C:\Users\user\Desktop\QNSpfBSrsR.exe  (3 identical entries)
            Source: unknown  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp'
            Source: unknown  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C48.tmp'
            Source: unknown  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp'
            Source: unknown  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9CC3.tmp'
            Source: unknown  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8FAF.tmp'
            Source: unknown  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9398.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Process created: C:\Users\user\Desktop\QNSpfBSrsR.exe C:\Users\user\Desktop\QNSpfBSrsR.exe  (3 identical entries)
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C48.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9CC3.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8FAF.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9398.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: QNSpfBSrsR.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: QNSpfBSrsR.exe  Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: QNSpfBSrsR.exe  Static file information: File size 7447752 > 1048576
            Source: QNSpfBSrsR.exe  Static PE information: Raw size of .text is bigger than: 0x100000 < 0x718800
            Source: QNSpfBSrsR.exe  Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb  source: QNSpfBSrsR.exe, 00000008.00000002.1020981161.000000000358C000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  Code function: 10_2_00403C17 LoadLibraryA,GetProcAddress,strcpy
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Code function: 8_2_017261E8 push esp; iretd  8_2_017261E9
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Code function: 8_2_0172F353 push FFD2B0BAh; retf  8_2_0172F360
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Code function: 8_2_05C35929 push esi; ret  8_2_05C3592A
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Code function: 8_2_05C36B34 push 6A3205C3h; ret  8_2_05C36B42
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Code function: 8_2_05C35EC3 push ecx; ret  8_2_05C35ECA
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Code function: 8_2_05C36ADB push 633105C3h; ret  8_2_05C36AFE
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Code function: 8_2_05C35E5B push edi; ret  8_2_05C35E62
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Code function: 8_2_061633FD push es; retf  8_2_06163400
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Code function: 8_2_061633EC push es; iretd  8_2_061633FC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  Code function: 10_2_00412341 push ecx; ret  10_2_00412351
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  Code function: 10_2_00412360 push eax; ret  10_2_00412374
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  Code function: 10_2_00412360 push eax; ret  10_2_0041239C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  Code function: 10_2_0040FCBC memset,strcpy,memset,strcpy,strcat,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Process information set: NOOPENFILEERRORBOX  (69 identical entries)

            Malware Analysis System Evasion:

            Yara detected AntiVM_3
            Source: Yara match  File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp  Binary or memory string: SBIEDLL.DLL
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp  Binary or memory string: WIRESHARK.EXE
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 6656  Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 5748  Thread sleep count: 177 > 30
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 5748  Thread sleep time: -177000s >= -30000s
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 1852  Thread sleep time: -1200000s >= -30000s
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 1852  Thread sleep count: 276 > 30
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 1852  Thread sleep time: -276000s >= -30000s
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Last function: Thread delayed  (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  Code function: 10_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  Code function: 10_2_00403C17 LoadLibraryA,GetProcAddress,strcpy
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Process token adjusted: Debug
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe  Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Allocates memory in foreign processesShow sources
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and writeJump to behavior
            Injects a PE file into a foreign process
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 25D008
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 20F008
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3A6008
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 22D008
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 20E008
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Process created: C:\Users\user\Desktop\QNSpfBSrsR.exe C:\Users\user\Desktop\QNSpfBSrsR.exe
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C48.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9CC3.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8FAF.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9398.tmp'
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017113609.0000000001C00000.00000002.00000001.sdmp; Binary or memory string: Program Manager
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017113609.0000000001C00000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017113609.0000000001C00000.00000002.00000001.sdmp; Binary or memory string: Progman
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017113609.0000000001C00000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Queries volume information: C:\Users\user\Desktop\QNSpfBSrsR.exe VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 10_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 10_2_00406282 GetVersionExA
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: bdagent.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: MSASCui.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: avguard.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: avgrsx.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: avcenter.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: avp.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: zlclient.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: wireshark.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: avgcsrvx.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: avgnt.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: hijackthis.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: avgui.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: avgwdsvc.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: mbam.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: MsMpEng.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp; Binary or memory string: ComboFix.exe

            Stealing of Sensitive Information:

            Yara detected HawkEye Keylogger
            Source: Yara match; File source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
            Source: Yara match; File source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE
            Yara detected M00nD3v Logger
            Source: Yara match; File source: 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
            Yara detected MailPassView
            Source: Yara match; File source: 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.1020981161.000000000358C000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000003.727612080.0000000004A15000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.739382606.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.1017907114.0000000003343000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.1017257384.0000000003090000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.1019556248.000000000347F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.1021020173.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.1019524329.0000000003462000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.1021102525.0000000004211000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: vbc.exe PID: 4204, type: MEMORY
            Source: Yara match; File source: Process Memory Space: vbc.exe PID: 7132, type: MEMORY
            Source: Yara match; File source: Process Memory Space: vbc.exe PID: 1072, type: MEMORY
            Source: Yara match; File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
            Source: Yara match; File source: Process Memory Space: vbc.exe PID: 7012, type: MEMORY
            Source: Yara match; File source: Process Memory Space: vbc.exe PID: 4088, type: MEMORY
            Source: Yara match; File source: Process Memory Space: vbc.exe PID: 5732, type: MEMORY
            Source: Yara match; File source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 8.2.QNSpfBSrsR.exe.3090000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 8.2.QNSpfBSrsR.exe.3090000.2.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Tries to harvest and steal browser information (history, passwords, etc.)
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Tries to steal Mail credentials (via file registry)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 10_2_00402D74 strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 10_2_00402D74 strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 10_2_004033B1 ESMTPPassword

            Remote Access Functionality:

            Detected HawkEye Rat
            Source: QNSpfBSrsR.exe, 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_LoopPasswordStealer_KeyStrokeLogger_EmptyKeyStroke_ClipboardLogger_EmptyClipboard_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Yara detected HawkEye Keylogger
            Source: Yara match; File source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
            Source: Yara match; File source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE
            Yara detected M00nD3v Logger
            Source: Yara match; File source: 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 111 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | Account Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Process Injection 412 | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 2 | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 3 | Credentials In Files 1 | System Information Discovery 15 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 1 | NTDS | Security Software Discovery 22 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Virtualization/Sandbox Evasion 13 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 13 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 412 | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java