Analysis Report sino project approved products 5109735005181 list.exe

Overview

General Information

Sample Name: sino project approved products 5109735005181 list.exe
Analysis ID: 337290
MD5: 3bbbed10eb5a674881c87063d60e277c
SHA1: 17f1653ae0d93013de015bbfd0d7d786d15727ae
SHA256: 28158cd7c05b6c1959a8cc3c2def840d34674ef21b925d5e9f04670ddf45226a
Tags: exe, geo, ITA, UniCredit

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
Machine Learning detection for sample
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x398aa:$key: HawkEyeKeylogger
  • 0x3bada:$salt: 099u787978786
  • 0x39eeb:$string1: HawkEye_Keylogger
  • 0x3ad2a:$string1: HawkEye_Keylogger
  • 0x3ba3a:$string1: HawkEye_Keylogger
  • 0x3a2c0:$string2: holdermail.txt
  • 0x3a2e0:$string2: holdermail.txt
  • 0x3a202:$string3: wallet.dat
  • 0x3a21a:$string3: wallet.dat
  • 0x3a230:$string3: wallet.dat
  • 0x3b5fe:$string4: Keylog Records
  • 0x3b916:$string4: Keylog Records
  • 0x3bb32:$string5: do not script -->
  • 0x39892:$string6: \pidloc.txt
  • 0x39920:$string7: BSPLIT
  • 0x39930:$string7: BSPLIT
00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
Strings:
  • 0x39f43:$hawkstr1: HawkEye Keylogger
  • 0x3ad70:$hawkstr1: HawkEye Keylogger
  • 0x3b09f:$hawkstr1: HawkEye Keylogger
  • 0x3b1fa:$hawkstr1: HawkEye Keylogger
  • 0x3b35d:$hawkstr1: HawkEye Keylogger
  • 0x3b5d6:$hawkstr1: HawkEye Keylogger
  • 0x39ad1:$hawkstr2: Dear HawkEye Customers!
  • 0x3b0f2:$hawkstr2: Dear HawkEye Customers!
  • 0x3b249:$hawkstr2: Dear HawkEye Customers!
  • 0x3b3b0:$hawkstr2: Dear HawkEye Customers!
  • 0x39bf2:$hawkstr3: HawkEye Logger Details:
00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7bbb2:$key: HawkEyeKeylogger
  • 0x7dde2:$salt: 099u787978786
  • 0x7c1f3:$string1: HawkEye_Keylogger
  • 0x7d032:$string1: HawkEye_Keylogger
  • 0x7dd42:$string1: HawkEye_Keylogger
  • 0x7c5c8:$string2: holdermail.txt
  • 0x7c5e8:$string2: holdermail.txt
  • 0x7c50a:$string3: wallet.dat
  • 0x7c522:$string3: wallet.dat
  • 0x7c538:$string3: wallet.dat
  • 0x7d906:$string4: Keylog Records
  • 0x7dc1e:$string4: Keylog Records
  • 0x7de3a:$string5: do not script -->
  • 0x7bb9a:$string6: \pidloc.txt
  • 0x7bc28:$string7: BSPLIT
  • 0x7bc38:$string7: BSPLIT
00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(16 entries in total; the remaining entries are not shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b8ca:$key: HawkEyeKeylogger
  • 0x7dafa:$salt: 099u787978786
  • 0x7bf0b:$string1: HawkEye_Keylogger
  • 0x7cd4a:$string1: HawkEye_Keylogger
  • 0x7da5a:$string1: HawkEye_Keylogger
  • 0x7c2e0:$string2: holdermail.txt
  • 0x7c300:$string2: holdermail.txt
  • 0x7c222:$string3: wallet.dat
  • 0x7c23a:$string3: wallet.dat
  • 0x7c250:$string3: wallet.dat
  • 0x7d61e:$string4: Keylog Records
  • 0x7d936:$string4: Keylog Records
  • 0x7db52:$string5: do not script -->
  • 0x7b8b2:$string6: \pidloc.txt
  • 0x7b940:$string7: BSPLIT
  • 0x7b950:$string7: BSPLIT
0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
Strings:
  • 0x7bf63:$hawkstr1: HawkEye Keylogger
  • 0x7cd90:$hawkstr1: HawkEye Keylogger
  • 0x7d0bf:$hawkstr1: HawkEye Keylogger
  • 0x7d21a:$hawkstr1: HawkEye Keylogger
  • 0x7d37d:$hawkstr1: HawkEye Keylogger
  • 0x7d5f6:$hawkstr1: HawkEye Keylogger
  • 0x7baf1:$hawkstr2: Dear HawkEye Customers!
  • 0x7d112:$hawkstr2: Dear HawkEye Customers!
  • 0x7d269:$hawkstr2: Dear HawkEye Customers!
  • 0x7d3d0:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc12:$hawkstr3: HawkEye Logger Details:
(5 entries in total; the remaining entries are not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sino project approved products 5109735005181 list.exe | Avira: detected
Found malware configuration
Source: sino project approved products 5109735005181 list.exe.6624.0.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: sino project approved products 5109735005181 list.exe | Virustotal: Detection: 51%
Machine Learning detection for sample
Source: sino project approved products 5109735005181 list.exe | Joe Sandbox ML: detected
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack | Avira: Label: TR/Inject.vcoldi
Source: sino project approved products 5109735005181 list.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: sino project approved products 5109735005181 list.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
Source: Yara match | File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.238477187.0000000000A1B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: sino project approved products 5109735005181 list.exe | Binary or memory string: OriginalFilename vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000000.236840131.00000000001F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAnyDesk.exe0 vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameROOT.exe4 vs sino project approved products 5109735005181 list.exe
Source: sino project approved products 5109735005181 list.exe | Binary or memory string: OriginalFilenameAnyDesk.exe0 vs sino project approved products 5109735005181 list.exe
Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: sino project approved products 5109735005181 list.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sino project approved products 5109735005181 list.exe, XDZSECYCUBZWWIDIZAIRGTGAONNLAQARDZS/CLASSECYCUBZWWIDIZAIRGTGAONNLAQACLASSWQORECYCUBZWWIDIZAIRGTGAONNLAQA.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.sino project approved products 5109735005181 list.exe.1f0000.0.unpack, XDZSECYCUBZWWIDIZAIRGTGAONNLAQARDZS/CLASSECYCUBZWWIDIZAIRGTGAONNLAQACLASSWQORECYCUBZWWIDIZAIRGTGAONNLAQA.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.sino project approved products 5109735005181 list.exe.1f0000.0.unpack, XDZSECYCUBZWWIDIZAIRGTGAONNLAQARDZS/CLASSECYCUBZWWIDIZAIRGTGAONNLAQACLASSWQORECYCUBZWWIDIZAIRGTGAONNLAQA.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sino project approved products 5109735005181 list.exe.log
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: sino project approved products 5109735005181 list.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F901D push ebp; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F502C push esp; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F4026 push cs; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F8021 push esp; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F5049 push eax; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F8043 push eax; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F907B push es; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F80BC pushad ; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F40B7 push ebx; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F90B1 push cs; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F50AB push esp; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F90A3 pushad ; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F90FA push ebx; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F90F4 push ecx; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F90E2 push cs; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F411B push ebx; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F610E push ds; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F3158 pushfd ; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F51BC push ebx; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F31C2 pushfd ; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F51FF push es; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F51FF pushfd ; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F41F7 push es; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F51E2 pushfd ; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F71E0 pushad ; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F720E push cs; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F3202 pushfd ; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F523F push ebx; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F522A push cs; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F7229 push 00000024h; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Code function: 0_2_001F3241 pushfd ; ret
Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe TID: 6628Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe TID: 6644Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\sino project approved products 5109735005181 list.exeMemory allocated: page read and write | page guard

            Stealing of Sensitive Information:

            Yara detected HawkEye Keylogger
            Source: Yara match, File source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
            Source: Yara match, File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE
            Yara detected MailPassView
            Source: Yara match, File source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
            Source: Yara match, File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE
            Yara detected WebBrowserPassView password recovery tool
            Source: Yara match, File source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
            Source: Yara match, File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE

            Remote Access Functionality:

            Detected HawkEye Rat
            Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
            Yara detected HawkEye Keylogger
            Source: Yara match, File source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: sino project approved products 5109735005181 list.exe PID: 6624, type: MEMORY
            Source: Yara match, File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, type: UNPACKEDPE
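The "String found in binary or memory" hits above are what you would reproduce first when triaging a memory dump of this family without the sandbox. The following script is an added example, not part of the Joe Sandbox report and not the sandbox's own matching engine: it searches a raw dump for the HawkEye marker strings quoted in the signature, in both ASCII and UTF-16LE (the .NET payload keeps its string literals as UTF-16 in memory, while the unpacked PE often carries them as ASCII as well), and only calls a verdict when more than one distinct marker is present. The dump it runs on is constructed inline; the marker list, the two-marker threshold and the function names are the example's own choices.

```python
"""Scan a raw memory dump for HawkEye marker strings.

Added example, not code from the Joe Sandbox report. SAMPLE_DUMP below
is a constructed stand-in for a .sdmp process dump.
"""
import re
from typing import Dict, List, Tuple

# Markers quoted in the report's "Detected HawkEye Rat" signature.
HAWKEYE_MARKERS = [
    b"HawkEyeKeylogger",
    b"HawkEye_Keylogger_Execution_Confirmed_",
    b"HawkEye_Keylogger_Stealer_Records_",
    b"HawkEye_Keylogger_Keylog_Records_",
    b"pidloc.txt",
]


def _patterns() -> List[Tuple[str, str, "re.Pattern[bytes]"]]:
    """Compile each marker twice: as ASCII and as UTF-16LE.

    .NET string literals live in memory as UTF-16, but the unpacked
    payload usually also contains them as plain ASCII.
    """
    pats = []
    for marker in HAWKEYE_MARKERS:
        name = marker.decode("ascii")
        pats.append((name, "ascii", re.compile(re.escape(marker))))
        pats.append((name, "utf16", re.compile(re.escape(name.encode("utf-16-le")))))
    return pats


def scan_dump(data: bytes) -> Dict[str, List[dict]]:
    """Return {marker: [{'offset': int, 'encoding': 'ascii'|'utf16'}, ...]}
    for every marker that occurs at least once in the buffer."""
    hits: Dict[str, List[dict]] = {}
    for name, encoding, pattern in _patterns():
        for match in pattern.finditer(data):
            hits.setdefault(name, []).append(
                {"offset": match.start(), "encoding": encoding}
            )
    return hits


def verdict(hits: Dict[str, List[dict]], min_distinct: int = 2) -> bool:
    """Require at least two distinct markers: 'pidloc.txt' alone is a
    generic file name and must not trigger on its own."""
    return len(hits) >= min_distinct


# Constructed dump: filler bytes with two marker strings embedded, one of
# them ASCII (as in the report's second hit) and one UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtU"
    + b"\x90" * 32
    + "\\pidloc.txt!HawkEyeKeylogger".encode("utf-16-le")
    + b"\x00" * 16
)


if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for name, locations in sorted(found.items()):
        for loc in locations:
            print(f"{name:42s} {loc['encoding']:6s} @ 0x{loc['offset']:x}")
    print("HawkEye:", verdict(found))
```

For a real dump, read the file as bytes and hand it to scan_dump; the offsets are file offsets into the dump, which for a Joe .sdmp map straight onto the dumped region's base address (0x2931000 for the first source listed above).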

            Mitre Att&ck Matrix

            Techniques flagged for this sample, with the number of matching signatures in brackets:

            Initial Access: Replication Through Removable Media (1)
            Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (2); Disable or Modify Tools (1); Software Packing (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1)
            Credential Access: Input Capture (1)
            Discovery: Virtualization/Sandbox Evasion (2); Peripheral Device Discovery (1); System Information Discovery (1)
            Lateral Movement: Replication Through Removable Media (1)
            Collection: Input Capture (1); Archive Collected Data (1)
            Command and Control: Remote Access Software (1)

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source: sino project approved products 5109735005181 list.exe, Detection: 51%, Scanner: Virustotal
            Source: sino project approved products 5109735005181 list.exe, Detection: 100%, Scanner: Avira, Label: HEUR/AGEN.1122402
            Source: sino project approved products 5109735005181 list.exe, Detection: 100%, Scanner: Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source: 0.2.sino project approved products 5109735005181 list.exe.4b20000.2.unpack, Detection: 100%, Scanner: Avira, Label: TR/Inject.vcoldi
            Source: 0.0.sino project approved products 5109735005181 list.exe.1f0000.0.unpack, Detection: 100%, Scanner: Avira, Label: HEUR/AGEN.1122402
            Source: 0.2.sino project approved products 5109735005181 list.exe.1f0000.0.unpack, Detection: 100%, Scanner: Avira, Label: HEUR/AGEN.1122402

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            Name: http://www.nirsoft.net/, Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, Malicious: false, Reputation: high
            Name: http://whatismyipaddress.com/-, Source: sino project approved products 5109735005181 list.exe, 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, Malicious: false, Reputation: high

                Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox Version:31.0.0 Red Diamond
                Analysis ID:337290
                Start date:08.01.2021
                Start time:09:27:14
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 2m 58s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:sino project approved products 5109735005181 list.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of new started processes analysed:4
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.spyw.winEXE@1/1@0/0
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 96.1% (good quality ratio 86.7%)
                • Quality average: 57.8%
                • Quality standard deviation: 36.2%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                Warnings:
                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, svchost.exe

                Simulations

                Behavior and APIs

                Time | Type | Description
                09:28:07 | API Interceptor | 1x Sleep call for process: sino project approved products 5109735005181 list.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASN

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sino project approved products 5109735005181 list.exe.log
                Process:C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):525
                Entropy (8bit):5.2874233355119316
                Encrypted:false
                SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                MD5:80EFBEC081D7836D240503C4C9465FEC
                SHA1:6AF398E08A359457083727BAF296445030A55AC3
                SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                Malicious:true
                Reputation:moderate, very likely benign file
                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):6.673611741073313
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name:sino project approved products 5109735005181 list.exe
                File size:606208
                MD5:3bbbed10eb5a674881c87063d60e277c
                SHA1:17f1653ae0d93013de015bbfd0d7d786d15727ae
                SHA256:28158cd7c05b6c1959a8cc3c2def840d34674ef21b925d5e9f04670ddf45226a
                SHA512:a96aed4f2f799a326edcfc67f4b2f83c52d6abbbefbaa17c81c4f1560d1c9daa7005d752afa23426bb7d6bf1af84b36d8666135a82f279ec13948681d3cc96d1
                SSDEEP:12288:D/0K0Ka8djOw1JaxeF1b23cg5941PFnXF+iT66RHD/WKqVayfAsc:xI7cJVFQWn
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.._............................^.... ........@.. .......................`............@................................

                File Icon

                Icon Hash:71d4b2a9abaaccb0

                Static PE Info

                General

                Entrypoint:0x48915e
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Time Stamp:0x5FF78343 [Thu Jan 7 21:55:15 2021 UTC]
                TLS Callbacks:
                CLR (.Net) Version:v2.0.50727
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                Entrypoint Preview

                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al (repeated 97 times)

                The jmp goes through the IAT entry at 0x402000 (RVA 0x2000, the image's only import, mscoree.dll!_CorExeMain): the standard 6-byte native stub of a .NET executable, after which the CLR takes over. The 97 add byte ptr [eax], al lines that follow are zero bytes (00 00) after the stub decoded as instructions, not real code.

                Data Directories

                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x89104 | 0x57 | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x98d0 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94000 | 0xc | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0x87164 | 0x88000 | False | 0.775071088006 | data | 6.6334252518 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rsrc | 0x8a000 | 0x98d0 | 0xa000 | False | 0.153930664062 | data | 4.0062168943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x94000 | 0xc | 0x1000 | False | 0.009033203125 | data | 0.0164084645156 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Resources

                Name | RVA | Size | Type | Language | Country
                RT_ICON | 0x8a0e8 | 0x94a8 | data | |
                RT_GROUP_ICON | 0x93590 | 0x14 | data | |
                RT_VERSION | 0x935a4 | 0x32c | data | |

                Imports

                DLL | Import
                mscoree.dll | _CorExeMain

                Version Infos

                Description | Data
                Translation:0x0000 0x04b0
                LegalCopyright:(C) 2016 philandro Software GmbH
                Assembly Version:1.0.0.0
                InternalName:AnyDesk.exe
                FileVersion:1.0.0.0
                CompanyName:philandro Software GmbH
                Comments:AnyDesk
                ProductName:AnyDesk
                ProductVersion:1.0.0.0
                FileDescription:(empty)
                OriginalFilename:AnyDesk.exe
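The static facts above (section table, image base, entry point, link timestamp, version resource, missing signature) are enough for a first triage without running the sample. The script below is an added example, not the sandbox's code and not a tool the report describes: it maps virtual addresses to sections using the section table listed under Sections, decodes the TimeDateStamp, and produces findings from the version resource. The constants are copied from this report; the runtime image base 0x1f0000 comes from the System Behavior section and is what the 0_2_001F71E0-style addresses in the code-obfuscation signatures are relative to. The two-day "fresh build" threshold, the rule that a vendor-claiming binary without an Authenticode signature is worth a finding, and all function names are the example's own assumptions.

```python
"""Static triage of the PE facts in the report (added example, not Joe Sandbox code).

Constants are copied from the report's Static PE Info, Version Infos and
System Behavior sections; thresholds and finding texts are assumptions.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Section = Tuple[str, int, int, int]  # name, virtual address (RVA), virtual size, raw size

SECTIONS: List[Section] = [
    (".text", 0x2000, 0x87164, 0x88000),
    (".rsrc", 0x8A000, 0x98D0, 0xA000),
    (".reloc", 0x94000, 0xC, 0x1000),
]
STATIC_IMAGEBASE = 0x400000    # ImageBase from the optional header
RUNTIME_IMAGEBASE = 0x1F0000   # where the loader mapped it (DYNAMIC_BASE is set)
ENTRYPOINT_VA = 0x48915E
LINK_TIMESTAMP = 0x5FF78343
DIGITALLY_SIGNED = False
SAMPLE_NAME = "sino project approved products 5109735005181 list.exe"
VERSION_INFO: Dict[str, str] = {
    "OriginalFilename": "AnyDesk.exe",
    "InternalName": "AnyDesk.exe",
    "CompanyName": "philandro Software GmbH",
    "ProductName": "AnyDesk",
}
# Analysis start from the General Information section (08.01.2021 09:27:14, taken as UTC).
ANALYSIS_START = datetime(2021, 1, 8, 9, 27, 14, tzinfo=timezone.utc)


def rva_to_section(rva: int, sections: List[Section] = SECTIONS) -> Optional[str]:
    """Return the section that contains an RVA. A section spans
    max(virtual size, raw size) bytes from its virtual address."""
    for name, va, vsize, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None


def va_to_section(va: int, imagebase: int, sections: List[Section] = SECTIONS) -> Optional[str]:
    """Map a virtual address to a section. Use STATIC_IMAGEBASE for header
    values and RUNTIME_IMAGEBASE for addresses from the dynamic trace."""
    return rva_to_section(va - imagebase, sections)


def decode_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def triage(sample_name: str = SAMPLE_NAME,
           version_info: Dict[str, str] = VERSION_INFO,
           signed: bool = DIGITALLY_SIGNED,
           link_ts: int = LINK_TIMESTAMP,
           seen_at: datetime = ANALYSIS_START,
           max_age_days: int = 2) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []
    original = version_info.get("OriginalFilename", "")
    if original and original.lower() != sample_name.lower():
        findings.append(f"version info claims {original!r} but the file is {sample_name!r}")
    if version_info.get("CompanyName") and not signed:
        findings.append(f"claims vendor {version_info['CompanyName']!r} but has no Authenticode signature")
    age = seen_at - decode_timestamp(link_ts)
    if age.total_seconds() < 0:
        findings.append("link timestamp lies in the future")
    elif age.days < max_age_days:
        findings.append(f"linked {age} before first analysis (fresh build)")
    return findings


if __name__ == "__main__":
    print("entry point section:", va_to_section(ENTRYPOINT_VA, STATIC_IMAGEBASE))
    print("0x1F71E0 at runtime ->", va_to_section(0x1F71E0, RUNTIME_IMAGEBASE))
    print("linked:", decode_timestamp(LINK_TIMESTAMP).isoformat())
    for finding in triage():
        print("-", finding)
```

With the report's values the entry point resolves to .text, the push/ret function at 0_2_001F71E0 resolves to .text once the runtime base is subtracted, and triage() returns three findings: the AnyDesk file-name mismatch, the unsigned vendor claim, and a build linked about eleven and a half hours before the analysis started.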

                Network Behavior

                No network behavior found

                Code Manipulations

                Statistics

                System Behavior

                General

                Start time:09:28:07
                Start date:08/01/2021
                Path:C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\Desktop\sino project approved products 5109735005181 list.exe'
                Imagebase:0x1f0000
                File size:606208 bytes
                MD5 hash:3BBBED10EB5A674881C87063D60E277C
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.239040119.0000000002931000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.239767469.0000000003B15000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.240283032.0000000004B20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.239406481.0000000003931000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low
