Analysis Report sino project approved products 5109735005181 list.exe

Overview

General Information

Sample Name: sino project approved products 5109735005181 list.exe
Analysis ID: 337290
MD5: 3bbbed10eb5a674881c87063d60e277c
SHA1: 17f1653ae0d93013de015bbfd0d7d786d15727ae
SHA256: 28158cd7c05b6c1959a8cc3c2def840d34674ef21b925d5e9f04670ddf45226a
Tags: exe, geoITA, UniCredit

Detection

Detected: HawkEye, MailPassView
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
Machine Learning detection for sample
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sino project approved products 5109735005181 list.exe Avira: detected
Found malware configuration
Source: sino project approved products 5109735005181 list.exe.6624.0.memstr Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: sino project approved products 5109735005181 list.exe Virustotal: Detection: 51%
Machine Learning detection for sample
Source: sino project approved products 5109735005181 list.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack Avira: Label: TR/Inject.vcoldi

Compliance:

Uses 32bit PE files
Source: sino project approved products 5109735005181 list.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: sino project approved products 5109735005181 list.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp

Spreading:

May infect USB drives
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
Source: Yara match File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE
Creates a DirectInput object (often for capturing keystrokes)
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.238477187.0000000000A1B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Sample file is different than original file name gathered from version info
Source: sino project approved products 5109735005181 list.exe Binary or memory string: OriginalFilename vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000000.236840131.00000000001F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAnyDesk.exe0 vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameROOT.exe4 vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe Binary or memory string: OriginalFilenameAnyDesk.exe0 vs sino project approved products 5109735005181 list.exe
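The OriginalFilename values above come from several different VS_VERSIONINFO blocks found in the same process: the on-disk sample identifies itself as AnyDesk.exe (image region at 001F2000), while the heap regions carry the version blocks of CMemoryExecute.dll (the in-memory loader named in the PDB path), mailpv.exe and WebBrowserPassView.exe (the bundled NirSoft tools), Phulli.exe and ROOT.exe. Collecting every OriginalFilename string in a dump is therefore a cheap inventory of what a loader unpacked. The script below is an added example, not part of this report or of the sample; SAMPLE_DUMP is constructed to mimic the layout of those blocks and contains no bytes from the real sample.

```python
"""Inventory OriginalFilename values left in a process memory dump.

Added example (not part of the sandbox report or of the sample). A loader
that decrypts and runs other PE images in memory leaves each image's
VS_VERSIONINFO block behind, so every OriginalFilename string in a dump is
a candidate for an embedded module. SAMPLE_DUMP is constructed.
"""
import re
from typing import List

# In a StringFileInfo block the key "OriginalFilename" is UTF-16LE, NUL
# terminated, padded to a 32-bit boundary, then followed by the UTF-16LE value.
_KEY = "OriginalFilename".encode("utf-16-le")
_PATTERN = re.compile(
    _KEY + b"\x00\x00(?:\x00\x00)*((?:[\x20-\x7e]\x00){1,260})\x00\x00"
)


def original_filenames(dump: bytes) -> List[str]:
    """Distinct OriginalFilename values, in the order they appear."""
    names: List[str] = []
    for m in _PATTERN.finditer(dump):
        name = m.group(1).decode("utf-16-le")
        if name not in names:
            names.append(name)
    return names


def name_mismatches(dump: bytes, on_disk_name: str) -> List[str]:
    """Values that differ from the file name on disk (case-insensitive).
    One mismatch means the file was renamed; several distinct values mean
    other PE images were mapped into the process."""
    return [n for n in original_filenames(dump) if n.lower() != on_disk_name.lower()]


def _string_entry(value: str) -> bytes:
    """Key/value pair as laid out inside a String structure (constructed; the
    wLength/wValueLength/wType header words are omitted, the scanner does
    not need them)."""
    key = _KEY + b"\x00\x00"
    pad = b"\x00\x00" if len(key) % 4 else b""
    return key + pad + value.encode("utf-16-le") + b"\x00\x00"


# Constructed dump: four version blocks, one of them present twice.
SAMPLE_DUMP = (
    b"\x90" * 16
    + _string_entry("AnyDesk.exe")
    + b"\x00" * 8
    + _string_entry("CMemoryExecute.dll")
    + _string_entry("mailpv.exe")
    + _string_entry("WebBrowserPassView.exe")
    + _string_entry("AnyDesk.exe")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for n in name_mismatches(SAMPLE_DUMP, "sino project approved products 5109735005181 list.exe"):
        print(n)
```

Run it against the raw `.sdmp` regions the report names (the 00000004 private regions at 02931000 and 03B15000 are where the loader and the NirSoft tools turned up) rather than against the on-disk file, which only carries the AnyDesk.exe decoy block.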
Uses 32bit PE files
Source: sino project approved products 5109735005181 list.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: sino project approved products 5109735005181 list.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sino project approved products 5109735005181 list.exe, XDZSECYCUBZWWIDIZAIRGTGAONNLAQARDZS/CLASSECYCUBZWWIDIZAIRGTGAONNLAQACLASSWQORECYCUBZWWIDIZAIRGTGAONNLAQA.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.sino project approved products 5109735005181 list.exe.1f0000.0.unpack, XDZSECYCUBZWWIDIZAIRGTGAONNLAQARDZS/CLASSECYCUBZWWIDIZAIRGTGAONNLAQACLASSWQORECYCUBZWWIDIZAIRGTGAONNLAQA.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.sino project approved products 5109735005181 list.exe.1f0000.0.unpack, XDZSECYCUBZWWIDIZAIRGTGAONNLAQARDZS/CLASSECYCUBZWWIDIZAIRGTGAONNLAQACLASSWQORECYCUBZWWIDIZAIRGTGAONNLAQA.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sino project approved products 5109735005181 list.exe.log
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: sino project approved products 5109735005181 list.exe Virustotal: Detection: 51%
Source: sino project approved products 5109735005181 list.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: sino project approved products 5109735005181 list.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F901D push ebp; ret 0_2_001F9025
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F502C push esp; ret 0_2_001F50C7
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F4026 push cs; ret 0_2_001F4029
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F8021 push esp; ret 0_2_001F8027
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F5049 push eax; ret 0_2_001F504A
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F8043 push eax; ret 0_2_001F8045
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F907B push es; ret 0_2_001F9086
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F80BC pushad ; ret 0_2_001F80D0
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F40B7 push ebx; ret 0_2_001F40BF
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F90B1 push cs; ret 0_2_001F907D
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F50AB push esp; ret 0_2_001F50C7
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F90A3 pushad ; ret 0_2_001F90A4
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F90FA push ebx; ret 0_2_001F90FB
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F90F4 push ecx; ret 0_2_001F90F6
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F90E2 push cs; ret 0_2_001F90E3
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F411B push ebx; ret 0_2_001F40BF
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F610E push ds; ret 0_2_001F611C
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F3158 pushfd ; ret 0_2_001F31D7
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F51BC push ebx; ret 0_2_001F51D1
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F31C2 pushfd ; ret 0_2_001F31D7
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F51FF push es; ret 0_2_001F5110
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F51FF pushfd ; ret 0_2_001F5229
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F41F7 push es; ret 0_2_001F41F9
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F51E2 pushfd ; ret 0_2_001F51EA
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F71E0 pushad ; ret 0_2_001F71FB
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F720E push cs; ret 0_2_001F721D
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F3202 pushfd ; ret 0_2_001F31D7
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F523F push ebx; ret 0_2_001F51D1
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F522A push cs; ret 0_2_001F522D
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F7229 push 00000024h; ret 0_2_001F7232
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Code function: 0_2_001F3241 pushfd ; ret 0_2_001F31D7
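Each line above pairs a push with the ret that follows it in the same function (the first address is the push, the second appears to be the ret). A pushed value consumed by ret is a manufactured return address, i.e. an indirect jump that linear disassemblers and static call-graph tools do not follow, which is why sandboxes flag the pattern. The caveat a practitioner wants here: this sample is a .NET assembly (CLR_v2.0_32 usage log, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, mscorlib), and the .text of a managed image holds IL and metadata rather than native x86, so byte pairs such as 0E C3 inside it decode as "push cs; ret" without being code at all. The scanner below is an added example, not sandbox code; it finds the simplest form (push directly followed by ret) and is meant for the native payloads the loader unpacks, not the managed wrapper. SAMPLE_CODE is constructed, not bytes from the sample.

```python
"""Linear scan for push; ret pairs.

Added example, not sandbox code. Byte-wise (not instruction-aligned), like a
sweep over a region of unknown content, so data can and will produce hits;
that is exactly the noise a managed image generates.
"""
from typing import Dict, List, Optional, Tuple

PUSH_ONE: Dict[int, str] = {
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x60: "pushad", 0x9C: "pushfd",
}
for _i, _r in enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]):
    PUSH_ONE[0x50 + _i] = "push " + _r        # 50+r: push r32
RET: Dict[int, str] = {0xC3: "ret", 0xC2: "ret imm16"}


def _decode_push(code: bytes, i: int) -> Optional[Tuple[str, int]]:
    """(mnemonic, length) if code[i:] starts with a push, else None."""
    b = code[i]
    if b in PUSH_ONE:
        return PUSH_ONE[b], 1
    if b == 0x6A and i + 2 <= len(code):          # push imm8, sign-extended
        imm = code[i + 1] - 0x100 if code[i + 1] >= 0x80 else code[i + 1]
        return "push %08Xh" % (imm & 0xFFFFFFFF), 2
    if b == 0x68 and i + 5 <= len(code):          # push imm32
        return "push %08Xh" % int.from_bytes(code[i + 1:i + 5], "little"), 5
    if b == 0x0F and i + 2 <= len(code) and code[i + 1] in (0xA0, 0xA8):
        return ("push fs" if code[i + 1] == 0xA0 else "push gs"), 2
    return None


def find_push_ret(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Every offset (plus base) where a push is directly followed by a ret."""
    hits: List[Tuple[int, str]] = []
    for i in range(len(code)):
        push = _decode_push(code, i)
        if push is None:
            continue
        mnem, length = push
        j = i + length
        if j < len(code) and code[j] in RET:
            hits.append((base + i, mnem + "; " + RET[code[j]]))
    return hits


# Constructed: push ebp;ret / nop / push cs;ret / push 24h;ret / pushfd;ret /
# nop nop / mov eax,0 / ret
SAMPLE_CODE = bytes.fromhex("55C3 90 0EC3 6A24C3 9CC3 9090 B800000000 C3")

if __name__ == "__main__":
    for addr, text in find_push_ret(SAMPLE_CODE, base=0x1F0000):
        print("%08X  %s" % (addr, text))
```

A useful sanity check before believing such hits is the density: a handful of pairs in a large native .text section is ordinary compiler output, dozens clustered in a region that also contains CLR metadata (the `#US` and `#Strings` heaps, the `.cs` class names listed above) is data.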
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Process information set: NOOPENFILEERRORBOX (19 identical entries)

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe TID: 6628 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe TID: 6644 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe Memory allocated: page read and write | page guard Jump to behavior
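The value 922337203685477 deserves a second look before it is filed as a "long sleep". Read as milliseconds (an assumption about the report's notation, the "s" suffix notwithstanding) it equals 2^63 / 10000, which is the 0x8000000000000000 relative timeout that Sleep(INFINITE) and Thread.Sleep(Timeout.Infinite) hand to NtDelayExecution, converted from 100 ns units to ms. So thread 6644 is parked indefinitely, consistent with a loader thread that keeps the process alive while the in-memory payload runs, rather than delaying for a fixed time to outlast a sandbox. The script below is an added example, not Joe Sandbox code; it parses lines in the report's own style (constructed here) and separates the two cases.

```python
"""Triage of thread-delay indicators from a sandbox behaviour log.

Added example, not Joe Sandbox code. Durations are read as milliseconds
(assumption); under that reading the infinite timeout is 2**63 // 10_000.
"""
import re
from typing import Dict, List

INFINITE_MS = 2**63 // 10_000        # 922337203685477: Sleep(INFINITE) in ms
LONG_SLEEP_MS = 3 * 60 * 1000        # the report's ">= 3 min" threshold
EVASIVE_SLEEP_MS = 30_000            # the report's "-30000s" threshold

_SLEEP = re.compile(r"TID: (?P<tid>\d+) Thread sleep time: -?(?P<ms>\d+)s")
_DELAY = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)")


def classify_ms(ms: int) -> str:
    """'infinite' (parked thread), 'long' (>= 3 min), 'evasive' (>= 30 s), 'short'."""
    if ms >= INFINITE_MS:
        return "infinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    if ms >= EVASIVE_SLEEP_MS:
        return "evasive"
    return "short"


def triage_sleeps(lines: List[str]) -> List[Dict[str, object]]:
    """One record per sleep/delay line: thread id (None for 'Thread delayed'
    lines, which carry none), duration in ms, and the classification."""
    out: List[Dict[str, object]] = []
    for line in lines:
        m = _SLEEP.search(line)
        tid = int(m.group("tid")) if m else None
        if m is None:
            m = _DELAY.search(line)
        if m is None:
            continue
        ms = int(m.group("ms"))
        out.append({"tid": tid, "ms": ms, "tag": classify_ms(ms)})
    return out


def signatures(records: List[Dict[str, object]]) -> List[str]:
    """The two report signatures, derived from the records."""
    sigs: List[str] = []
    if any(r["tag"] in ("long", "infinite") for r in records):
        sigs.append("Contains long sleeps (>= 3 min)")
    if any(int(r["ms"]) >= EVASIVE_SLEEP_MS for r in records):
        sigs.append("May sleep (evasive loops) to hinder dynamic analysis")
    return sigs


# Constructed log lines in the report's style (not copied from a real run).
SAMPLE_LOG = [
    "Thread delayed: delay time: 922337203685477",
    "TID: 6628 Thread sleep time: -30000s >= -30000s",
    "TID: 6644 Thread sleep time: -922337203685477s >= -30000s",
    "TID: 7000 Thread sleep time: -500s >= -30000s",
    "Memory allocated: page read and write | page guard",
]

if __name__ == "__main__":
    for r in triage_sleeps(SAMPLE_LOG):
        print(r)
    print(signatures(triage_sleeps(SAMPLE_LOG)))
```

The practical consequence: an "infinite" record is not evidence of timing evasion, and patching sleeps in the sandbox would not change what this thread does; the 30 s sleep on thread 6628 is the one that sandbox-timeout tuning actually affects.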

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
Source: Yara match File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match File source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
Source: Yara match File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
Source: Yara match File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
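The stray characters in front of these strings are not noise: the sample is a .NET assembly, its string literals live UTF-16LE in the #US heap, and each blob is prefixed by a compressed length equal to 2 x chars + 1. "HawkEyeKeylogger" is 16 characters, 2 x 16 + 1 = 33 = '!', which is the "!HawkEyeKeylogger" printed above; "HawkEye_Keylogger_Execution_Confirmed_" is 38 characters, 77 = 'M'; "HawkEye_Keylogger_Stealer_Records_" is 34, 69 = 'E'; "HawkEye_Keylogger_Keylog_Records_" is 33, 67 = 'C'. The HawkEye markers are therefore UTF-16LE, while the PDB paths and the SQL of the native NirSoft tools (mailpv, WebBrowserPassView) are ASCII. The script below is an added example, not code from the sandbox or from the malware author; it reproduces the report's verdict and its module list ("Found malware configuration" above) from those markers. SAMPLE_DUMP is constructed and contains no bytes from the real sample.

```python
"""String triage of a process dump for HawkEye and the tools it bundles.

Added example, not sandbox or malware code. HawkEye markers are searched
UTF-16LE (managed strings), native-tool markers ASCII. SAMPLE_DUMP is
constructed.
"""
from typing import Dict, List, Tuple

# (module, marker, encoding)
MARKERS: List[Tuple[str, str, str]] = [
    ("HawkEye", "HawkEyeKeylogger", "utf-16-le"),
    ("HawkEye", "HawkEye_Keylogger_Execution_Confirmed_", "utf-16-le"),
    ("HawkEye", "HawkEye_Keylogger_Stealer_Records_", "utf-16-le"),
    ("HawkEye", "HawkEye_Keylogger_Keylog_Records_", "utf-16-le"),
    ("HawkEye", "\\pidloc.txt", "utf-16-le"),
    ("CMemoryExecute", "\\CMemoryExecute\\obj\\Release\\CMemoryExecute.pdb", "ascii"),
    ("mailpv", "\\mailpv\\Release\\mailpv.pdb", "ascii"),
    ("WebBrowserPassView", "\\WebBrowserPassView\\Release\\WebBrowserPassView.pdb", "ascii"),
    ("WebBrowserPassView", "FROM moz_logins", "ascii"),
]


def classify_dump(dump: bytes) -> Dict[str, object]:
    """Family verdict (two independent HawkEye markers required; one alone
    is too easy to hit in a benign string table), bundled modules, and the
    evidence behind both."""
    evidence: Dict[str, List[str]] = {}
    for module, text, enc in MARKERS:
        if text.encode(enc) in dump:
            evidence.setdefault(module, []).append(text)
    family = "HawkEye" if len(evidence.get("HawkEye", [])) >= 2 else None
    modules = sorted((m for m in evidence if m != "HawkEye"), key=str.lower)
    return {"family": family, "modules": modules, "evidence": evidence}


def us_blob(text: str) -> bytes:
    """A #US heap entry: one-byte compressed length (2*chars+1 for short
    strings), UTF-16LE text, trailing flag byte. us_blob('HawkEyeKeylogger')
    starts with 0x21, the '!' the report prints before the string."""
    data = text.encode("utf-16-le")
    length = len(data) + 1
    if length >= 0x80:
        raise ValueError("multi-byte compressed lengths not needed here")
    return bytes([length]) + data + b"\x00"


# Constructed dump: HawkEye #US strings plus native-tool fragments.
SAMPLE_DUMP = (
    b"\x00" * 16
    + us_blob("\\pidloc.txt")
    + us_blob("HawkEyeKeylogger")
    + us_blob("HawkEye_Keylogger_Execution_Confirmed_")
    + b"f:\\Projects\\VS2005\\mailpv\\Release\\mailpv.pdb\x00"
    + b"SELECT id, hostname, encryptedPassword FROM moz_logins\x00"
    + b"\x00" * 16
)

BENIGN_DUMP = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\x00" * 4

if __name__ == "__main__":
    print(classify_dump(SAMPLE_DUMP))
```

Searching the managed markers as ASCII would miss them entirely, which is the usual reason a hand-written string check fails on a .NET stealer while the YARA rules above (which carry both encodings) hit.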
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
Source: Yara match File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 337290
Start date: 08/01/2021
Architecture: WINDOWS
Score: 100
Top signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures
Process: sino project approved products 5109735005181 list.exe (started)
Dropped file: sino project approved products 5109735005181 list.exe.log (ASCII)

No contacted IP addresses.