
Analysis Report sino project approved products 5109735005181 list.exe

Overview

General Information

Sample Name: sino project approved products 5109735005181 list.exe
Analysis ID: 337290
MD5: 3bbbed10eb5a674881c87063d60e277c
SHA1: 17f1653ae0d93013de015bbfd0d7d786d15727ae
SHA256: 28158cd7c05b6c1959a8cc3c2def840d34674ef21b925d5e9f04670ddf45226a
Tags: exe, geo, ITA, UniCredit

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
Machine Learning detection for sample
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x398aa:$key: HawkEyeKeylogger
  • 0x3bada:$salt: 099u787978786
  • 0x39eeb:$string1: HawkEye_Keylogger
  • 0x3ad2a:$string1: HawkEye_Keylogger
  • 0x3ba3a:$string1: HawkEye_Keylogger
  • 0x3a2c0:$string2: holdermail.txt
  • 0x3a2e0:$string2: holdermail.txt
  • 0x3a202:$string3: wallet.dat
  • 0x3a21a:$string3: wallet.dat
  • 0x3a230:$string3: wallet.dat
  • 0x3b5fe:$string4: Keylog Records
  • 0x3b916:$string4: Keylog Records
  • 0x3bb32:$string5: do not script -->
  • 0x39892:$string6: \pidloc.txt
  • 0x39920:$string7: BSPLIT
  • 0x39930:$string7: BSPLIT
00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x39f43:$hawkstr1: HawkEye Keylogger
  • 0x3ad70:$hawkstr1: HawkEye Keylogger
  • 0x3b09f:$hawkstr1: HawkEye Keylogger
  • 0x3b1fa:$hawkstr1: HawkEye Keylogger
  • 0x3b35d:$hawkstr1: HawkEye Keylogger
  • 0x3b5d6:$hawkstr1: HawkEye Keylogger
  • 0x39ad1:$hawkstr2: Dear HawkEye Customers!
  • 0x3b0f2:$hawkstr2: Dear HawkEye Customers!
  • 0x3b249:$hawkstr2: Dear HawkEye Customers!
  • 0x3b3b0:$hawkstr2: Dear HawkEye Customers!
  • 0x39bf2:$hawkstr3: HawkEye Logger Details:
00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7bbb2:$key: HawkEyeKeylogger
  • 0x7dde2:$salt: 099u787978786
  • 0x7c1f3:$string1: HawkEye_Keylogger
  • 0x7d032:$string1: HawkEye_Keylogger
  • 0x7dd42:$string1: HawkEye_Keylogger
  • 0x7c5c8:$string2: holdermail.txt
  • 0x7c5e8:$string2: holdermail.txt
  • 0x7c50a:$string3: wallet.dat
  • 0x7c522:$string3: wallet.dat
  • 0x7c538:$string3: wallet.dat
  • 0x7d906:$string4: Keylog Records
  • 0x7dc1e:$string4: Keylog Records
  • 0x7de3a:$string5: do not script -->
  • 0x7bb9a:$string6: \pidloc.txt
  • 0x7bc28:$string7: BSPLIT
  • 0x7bc38:$string7: BSPLIT
00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8ca:$key: HawkEyeKeylogger
  • 0x7dafa:$salt: 099u787978786
  • 0x7bf0b:$string1: HawkEye_Keylogger
  • 0x7cd4a:$string1: HawkEye_Keylogger
  • 0x7da5a:$string1: HawkEye_Keylogger
  • 0x7c2e0:$string2: holdermail.txt
  • 0x7c300:$string2: holdermail.txt
  • 0x7c222:$string3: wallet.dat
  • 0x7c23a:$string3: wallet.dat
  • 0x7c250:$string3: wallet.dat
  • 0x7d61e:$string4: Keylog Records
  • 0x7d936:$string4: Keylog Records
  • 0x7db52:$string5: do not script -->
  • 0x7b8b2:$string6: \pidloc.txt
  • 0x7b940:$string7: BSPLIT
  • 0x7b950:$string7: BSPLIT
0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bf63:$hawkstr1: HawkEye Keylogger
  • 0x7cd90:$hawkstr1: HawkEye Keylogger
  • 0x7d0bf:$hawkstr1: HawkEye Keylogger
  • 0x7d21a:$hawkstr1: HawkEye Keylogger
  • 0x7d37d:$hawkstr1: HawkEye Keylogger
  • 0x7d5f6:$hawkstr1: HawkEye Keylogger
  • 0x7baf1:$hawkstr2: Dear HawkEye Customers!
  • 0x7d112:$hawkstr2: Dear HawkEye Customers!
  • 0x7d269:$hawkstr2: Dear HawkEye Customers!
  • 0x7d3d0:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc12:$hawkstr3: HawkEye Logger Details:

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sino project approved products 5109735005181 list.exe | Avira: detected
Found malware configuration
Source: sino project approved products 5109735005181 list.exe.6624.0.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: sino project approved products 5109735005181 list.exe | Virustotal: Detection: 51%
Machine Learning detection for sample
Source: sino project approved products 5109735005181 list.exe | Joe Sandbox ML: detected
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack | Avira: Label: TR/Inject.vcoldi
Source: sino project approved products 5109735005181 list.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: sino project approved products 5109735005181 list.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
Source: Yara match | File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.238477187.0000000000A1B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: sino project approved products 5109735005181 list.exe | Binary or memory string: OriginalFilename vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000000.236840131.00000000001F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAnyDesk.exe0 vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameROOT.exe4 vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe | Binary or memory string: OriginalFilenameAnyDesk.exe0 vs sino project approved products 5109735005181 list.exe
Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: sino project approved products 5109735005181 list.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sino project approved products 5109735005181 list.exe, XDZSECYCUBZWWIDIZAIRGTGAONNLAQARDZS/CLASSECYCUBZWWIDIZAIRGTGAONNLAQACLASSWQORECYCUBZWWIDIZAIRGTGAONNLAQA.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.sino project approved products 5109735005181 list.exe.1f0000.0.unpack, XDZSECYCUBZWWIDIZAIRGTGAONNLAQARDZS/CLASSECYCUBZWWIDIZAIRGTGAONNLAQACLASSWQORECYCUBZWWIDIZAIRGTGAONNLAQA.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.sino project approved products 5109735005181 list.exe.1f0000.0.unpack, XDZSECYCUBZWWIDIZAIRGTGAONNLAQARDZS/CLASSECYCUBZWWIDIZAIRGTGAONNLAQACLASSWQORECYCUBZWWIDIZAIRGTGAONNLAQA.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sino project approved products 5109735005181 list.exe.log
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: sino project approved products 5109735005181 list.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F901D push ebp; ret 0_2_001F9025
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F502C push esp; ret 0_2_001F50C7
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F4026 push cs; ret 0_2_001F4029
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F8021 push esp; ret 0_2_001F8027
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F5049 push eax; ret 0_2_001F504A
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F8043 push eax; ret 0_2_001F8045
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F907B push es; ret 0_2_001F9086
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F80BC pushad ; ret 0_2_001F80D0
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F40B7 push ebx; ret 0_2_001F40BF
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F90B1 push cs; ret 0_2_001F907D
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F50AB push esp; ret 0_2_001F50C7
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F90A3 pushad ; ret 0_2_001F90A4
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F90FA push ebx; ret 0_2_001F90FB
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F90F4 push ecx; ret 0_2_001F90F6
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F90E2 push cs; ret 0_2_001F90E3
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F411B push ebx; ret 0_2_001F40BF
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F610E push ds; ret 0_2_001F611C
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F3158 pushfd ; ret 0_2_001F31D7
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F51BC push ebx; ret 0_2_001F51D1
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F31C2 pushfd ; ret 0_2_001F31D7
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F51FF push es; ret 0_2_001F5110
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F51FF pushfd ; ret 0_2_001F5229
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F41F7 push es; ret 0_2_001F41F9
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F51E2 pushfd ; ret 0_2_001F51EA
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F71E0 pushad ; ret 0_2_001F71FB
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F720E push cs; ret 0_2_001F721D
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F3202 pushfd ; ret 0_2_001F31D7
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F523F push ebx; ret 0_2_001F51D1
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F522A push cs; ret 0_2_001F522D
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F7229 push 00000024h; ret 0_2_001F7232
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F3241 pushfd ; ret 0_2_001F31D7
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe, Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe TID: 6628, Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe TID: 6644, Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe, Memory allocated: page read and write | page guard

            Stealing of Sensitive Information:

            Yara detected HawkEye Keylogger
            Source: Yara match, file source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
            Source: Yara match, file source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE
            Yara detected MailPassView
            Source: Yara match, file source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
            Source: Yara match, file source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE
            Yara detected WebBrowserPassView password recovery tool
            Source: Yara match, file source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
            Source: Yara match, file source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE

            Remote Access Functionality:

            Detected HawkEye Rat
            Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
            Yara detected HawkEye Keylogger
            Source: Yara match, file source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
            Source: Yara match, file source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE

            MITRE ATT&CK Matrix

            Techniques listed per tactic; a number in parentheses is the count shown against that technique in the matrix.

            Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
            Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
            Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
            Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
            Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (2), Disable or Modify Tools (1), Software Packing (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1)
            Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
            Discovery: Virtualization/Sandbox Evasion (2), Peripheral Device Discovery (1), System Information Discovery (1), System Network Configuration Discovery, Remote System Discovery, System Owner/User Discovery
            Lateral Movement: Replication Through Removable Media (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
            Collection: Input Capture (1), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
            Command and Control: Remote Access Software (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
            Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
            Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
            Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

            Behavior Graph

            (Graph image not reproduced.) Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.