Play interactive tour

Edit tour

Analysis Report QuotationTXCtyres.exe

Overview

General Information

Sample Name:	QuotationTXCtyres.exe
Analysis ID:	347605
MD5:	683bd9bd416a67e5b14c59668ead6de8
SHA1:	476275961878e53692cdbf7a887d6f6f61c27eee
SHA256:	6f8bb9d51ef192747d5393e13349bb03f272f5a947de849835709502ef09ef68
Tags:	exeHawkEye
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected HawkEye Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell adding suspicious path to exclusion list

Yara detected HawkEye Keylogger

Yara detected MailPassView

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Changes the view of files in windows explorer (hidden files and folders)

Connects to a pastebin service (likely for C&C)

Contains functionality to log keystrokes (.Net Source)

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious names

Creates multiple autostart registry keys

Drops PE files to the startup folder

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected WebBrowserPassView password recovery tool

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Startup

System is w10x64

QuotationTXCtyres.exe (PID: 6320 cmdline: 'C:\Users\user\Desktop\QuotationTXCtyres.exe' MD5: 683BD9BD416A67E5B14C59668EAD6DE8)

powershell.exe (PID: 6780 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6812 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6828 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6912 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\QuotationTXCtyres.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4624 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 4408 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

RegSvcs.exe (PID: 6800 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

RegSvcs.exe (PID: 6984 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

WerFault.exe (PID: 6896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6320 -s 2356 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

QuotationTXCtyres.exe (PID: 6492 cmdline: 'C:\Users\user\Desktop\QuotationTXCtyres.exe' MD5: 683BD9BD416A67E5B14C59668EAD6DE8)

QuotationTXCtyres.exe (PID: 4748 cmdline: 'C:\Users\user\Desktop\QuotationTXCtyres.exe' MD5: 683BD9BD416A67E5B14C59668EAD6DE8)

QuotationTXCtyres.exe (PID: 1496 cmdline: 'C:\Users\user\Desktop\QuotationTXCtyres.exe' MD5: 683BD9BD416A67E5B14C59668EAD6DE8)

QuotationTXCtyres.exe (PID: 3980 cmdline: 'C:\Users\user\Desktop\QuotationTXCtyres.exe' MD5: 683BD9BD416A67E5B14C59668EAD6DE8)

QuotationTXCtyres.exe (PID: 3720 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' MD5: 683BD9BD416A67E5B14C59668EAD6DE8)

cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000019.00000002.452936886.0000000000D30000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000019.00000002.468178579.0000000002C68000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000019.00000002.468178579.0000000002C68000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x25f8:$hawkstr1: HawkEye Keylogger 0x2088:$hawkstr2: Dear HawkEye Customers! 0x21b6:$hawkstr3: HawkEye Logger Details:
00000019.00000002.453010740.0000000000D40000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000019.00000002.468484958.0000000002C78000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b700:$key: HawkEyeKeylogger 0x7d94c:$salt: 099u787978786 0x7bd67:$string1: HawkEye_Keylogger 0x7cbba:$string1: HawkEye_Keylogger 0x7d8ac:$string1: HawkEye_Keylogger 0x7c150:$string2: holdermail.txt 0x7c170:$string2: holdermail.txt 0x7c092:$string3: wallet.dat 0x7c0aa:$string3: wallet.dat 0x7c0c0:$string3: wallet.dat 0x7d48e:$string4: Keylog Records 0x7d7a6:$string4: Keylog Records 0x7d9a4:$string5: do not script --> 0x7b6e8:$string6: \pidloc.txt 0x7b75e:$string7: BSPLIT 0x7b76e:$string7: BSPLIT
00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bdbf:$hawkstr1: HawkEye Keylogger 0x7cc00:$hawkstr1: HawkEye Keylogger 0x7cf2f:$hawkstr1: HawkEye Keylogger 0x7d08a:$hawkstr1: HawkEye Keylogger 0x7d1ed:$hawkstr1: HawkEye Keylogger 0x7d466:$hawkstr1: HawkEye Keylogger 0x7b931:$hawkstr2: Dear HawkEye Customers! 0x7cf82:$hawkstr2: Dear HawkEye Customers! 0x7d0d9:$hawkstr2: Dear HawkEye Customers! 0x7d240:$hawkstr2: Dear HawkEye Customers! 0x7ba52:$hawkstr3: HawkEye Logger Details:
Process Memory Space: RegSvcs.exe PID: 6984	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: RegSvcs.exe PID: 6984	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 6984	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
25.2.RegSvcs.exe.d40000.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
25.2.RegSvcs.exe.3a21b50.10.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
25.2.RegSvcs.exe.409c0d.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
25.2.RegSvcs.exe.45fa72.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
25.2.RegSvcs.exe.3a09930.9.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
25.2.RegSvcs.exe.3a09930.9.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
25.2.RegSvcs.exe.400000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
25.2.RegSvcs.exe.400000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b900:$key: HawkEyeKeylogger 0x7db4c:$salt: 099u787978786 0x7bf67:$string1: HawkEye_Keylogger 0x7cdba:$string1: HawkEye_Keylogger 0x7daac:$string1: HawkEye_Keylogger 0x7c350:$string2: holdermail.txt 0x7c370:$string2: holdermail.txt 0x7c292:$string3: wallet.dat 0x7c2aa:$string3: wallet.dat 0x7c2c0:$string3: wallet.dat 0x7d68e:$string4: Keylog Records 0x7d9a6:$string4: Keylog Records 0x7dba4:$string5: do not script --> 0x7b8e8:$string6: \pidloc.txt 0x7b95e:$string7: BSPLIT 0x7b96e:$string7: BSPLIT
25.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
25.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
25.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
25.2.RegSvcs.exe.400000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bfbf:$hawkstr1: HawkEye Keylogger 0x7ce00:$hawkstr1: HawkEye Keylogger 0x7d12f:$hawkstr1: HawkEye Keylogger 0x7d28a:$hawkstr1: HawkEye Keylogger 0x7d3ed:$hawkstr1: HawkEye Keylogger 0x7d666:$hawkstr1: HawkEye Keylogger 0x7bb31:$hawkstr2: Dear HawkEye Customers! 0x7d182:$hawkstr2: Dear HawkEye Customers! 0x7d2d9:$hawkstr2: Dear HawkEye Customers! 0x7d440:$hawkstr2: Dear HawkEye Customers! 0x7bc52:$hawkstr3: HawkEye Logger Details:
25.2.RegSvcs.exe.2c8e168.7.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
25.2.RegSvcs.exe.3a21b50.10.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
25.2.RegSvcs.exe.3a09930.9.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
25.2.RegSvcs.exe.2c94dd4.8.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
25.2.RegSvcs.exe.d30000.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
25.2.RegSvcs.exe.2a2b7a8.6.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
25.2.RegSvcs.exe.408208.2.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
25.2.RegSvcs.exe.408208.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754f8:$key: HawkEyeKeylogger 0x77744:$salt: 099u787978786 0x75b5f:$string1: HawkEye_Keylogger 0x769b2:$string1: HawkEye_Keylogger 0x776a4:$string1: HawkEye_Keylogger 0x75f48:$string2: holdermail.txt 0x75f68:$string2: holdermail.txt 0x75e8a:$string3: wallet.dat 0x75ea2:$string3: wallet.dat 0x75eb8:$string3: wallet.dat 0x77286:$string4: Keylog Records 0x7759e:$string4: Keylog Records 0x7779c:$string5: do not script --> 0x754e0:$string6: \pidloc.txt 0x75556:$string7: BSPLIT 0x75566:$string7: BSPLIT
25.2.RegSvcs.exe.408208.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
25.2.RegSvcs.exe.408208.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
25.2.RegSvcs.exe.408208.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
25.2.RegSvcs.exe.408208.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75bb7:$hawkstr1: HawkEye Keylogger 0x769f8:$hawkstr1: HawkEye Keylogger 0x76d27:$hawkstr1: HawkEye Keylogger 0x76e82:$hawkstr1: HawkEye Keylogger 0x76fe5:$hawkstr1: HawkEye Keylogger 0x7725e:$hawkstr1: HawkEye Keylogger 0x75729:$hawkstr2: Dear HawkEye Customers! 0x76d7a:$hawkstr2: Dear HawkEye Customers! 0x76ed1:$hawkstr2: Dear HawkEye Customers! 0x77038:$hawkstr2: Dear HawkEye Customers! 0x7584a:$hawkstr3: HawkEye Logger Details:
25.2.RegSvcs.exe.45fa72.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc8e:$key: HawkEyeKeylogger 0x1feda:$salt: 099u787978786 0x1e2f5:$string1: HawkEye_Keylogger 0x1f148:$string1: HawkEye_Keylogger 0x1fe3a:$string1: HawkEye_Keylogger 0x1e6de:$string2: holdermail.txt 0x1e6fe:$string2: holdermail.txt 0x1e620:$string3: wallet.dat 0x1e638:$string3: wallet.dat 0x1e64e:$string3: wallet.dat 0x1fa1c:$string4: Keylog Records 0x1fd34:$string4: Keylog Records 0x1ff32:$string5: do not script --> 0x1dc76:$string6: \pidloc.txt 0x1dcec:$string7: BSPLIT 0x1dcfc:$string7: BSPLIT
25.2.RegSvcs.exe.45fa72.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
25.2.RegSvcs.exe.45fa72.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
25.2.RegSvcs.exe.45fa72.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e34d:$hawkstr1: HawkEye Keylogger 0x1f18e:$hawkstr1: HawkEye Keylogger 0x1f4bd:$hawkstr1: HawkEye Keylogger 0x1f618:$hawkstr1: HawkEye Keylogger 0x1f77b:$hawkstr1: HawkEye Keylogger 0x1f9f4:$hawkstr1: HawkEye Keylogger 0x1debf:$hawkstr2: Dear HawkEye Customers! 0x1f510:$hawkstr2: Dear HawkEye Customers! 0x1f667:$hawkstr2: Dear HawkEye Customers! 0x1f7ce:$hawkstr2: Dear HawkEye Customers! 0x1dfe0:$hawkstr3: HawkEye Logger Details:
25.2.RegSvcs.exe.409c0d.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73af3:$key: HawkEyeKeylogger 0x75d3f:$salt: 099u787978786 0x7415a:$string1: HawkEye_Keylogger 0x74fad:$string1: HawkEye_Keylogger 0x75c9f:$string1: HawkEye_Keylogger 0x74543:$string2: holdermail.txt 0x74563:$string2: holdermail.txt 0x74485:$string3: wallet.dat 0x7449d:$string3: wallet.dat 0x744b3:$string3: wallet.dat 0x75881:$string4: Keylog Records 0x75b99:$string4: Keylog Records 0x75d97:$string5: do not script --> 0x73adb:$string6: \pidloc.txt 0x73b51:$string7: BSPLIT 0x73b61:$string7: BSPLIT
25.2.RegSvcs.exe.409c0d.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
25.2.RegSvcs.exe.409c0d.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
25.2.RegSvcs.exe.409c0d.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
25.2.RegSvcs.exe.409c0d.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x741b2:$hawkstr1: HawkEye Keylogger 0x74ff3:$hawkstr1: HawkEye Keylogger 0x75322:$hawkstr1: HawkEye Keylogger 0x7547d:$hawkstr1: HawkEye Keylogger 0x755e0:$hawkstr1: HawkEye Keylogger 0x75859:$hawkstr1: HawkEye Keylogger 0x73d24:$hawkstr2: Dear HawkEye Customers! 0x75375:$hawkstr2: Dear HawkEye Customers! 0x754cc:$hawkstr2: Dear HawkEye Customers! 0x75633:$hawkstr2: Dear HawkEye Customers! 0x73e45:$hawkstr3: HawkEye Logger Details:
Click to see the 28 entries

Sigma Overview

System Summary:

Sigma detected: Powershell adding suspicious path to exclusion list

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\QuotationTXCtyres.exe' , ParentImage: C:\Users\user\Desktop\QuotationTXCtyres.exe, ParentProcessId: 6320, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force, ProcessId: 6780

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: RegSvcs.exe.6984.25.memstr

Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Show sources

Source: QuotationTXCtyres.exe

ReversingLabs: Detection: 34%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: QuotationTXCtyres.exe

Joe Sandbox ML: detected

Source: 25.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 25.2.RegSvcs.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473

Compliance:

Uses 32bit PE files

Show sources

Source: QuotationTXCtyres.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses insecure TLS / SSL version for HTTPS connection

Show sources

Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49721 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49742 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49748 version: TLS 1.0

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: QuotationTXCtyres.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000019.00000002.491465902.0000000005AAF000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbA source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
Source:	Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\QuotationTXCtyres.PDB source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
Source:	Binary string: iVisualBasic.pdb source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdby source: RegSvcs.exe, 00000019.00000002.491465902.0000000005AAF000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: RegSvcs.exe, 00000019.00000002.468996361.0000000002C8C000.00000004.00000001.sdmp
Source:	Binary string: .pdb- source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbl source: powershell.exe, 00000006.00000003.567199772.000000000822B000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp
Source:	Binary string: QuotationTXCtyres.PDB source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbo source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbI source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp

Software Vulnerabilities:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4x nop then lea esp, dword ptr [ebp-08h]

25_2_075EFE8B

Networking:

Connects to a pastebin service (likely for C&C)

Show sources

Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com

Source: Joe Sandbox View	IP Address: 104.23.98.190 104.23.98.190
Source: Joe Sandbox View	IP Address: 104.23.98.190 104.23.98.190

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49721 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49742 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49748 version: TLS 1.0

Source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: pastebin.com

Source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: powershell.exe, 00000008.00000002.622537318.0000000000C68000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.627265426.0000000003015000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegSvcs.exe, 00000019.00000003.310958362.0000000005D2D000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000008.00000002.657929211.00000000057B5000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.654327123.0000000005336000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.648318996.0000000005B68000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 0000000C.00000002.641619712.0000000004C48000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.638932192.0000000004891000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png02
Source: powershell.exe, 00000006.00000002.640798276.00000000051BF000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.638932192.0000000004891000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.633303383.000000000440F000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.641619712.0000000004C48000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: QuotationTXCtyres.exe, 00000000.00000003.265036261.0000000005532000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.635939796.0000000005081000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.632625439.0000000004751000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.633056835.00000000042D1000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.636613586.0000000004B01000.00000004.00000001.sdmp, RegSvcs.exe, 00000019.00000002.457364423.0000000002A01000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.640798276.00000000051BF000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.638932192.0000000004891000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.633303383.000000000440F000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.641619712.0000000004C48000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000C.00000002.641619712.0000000004C48000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.638932192.0000000004891000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html02
Source: RegSvcs.exe, 00000019.00000003.328420355.0000000005D5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: RegSvcs.exe, 00000019.00000002.494111730.0000000005D20000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: RegSvcs.exe, 00000019.00000003.337399633.0000000005D5E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers&
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RegSvcs.exe, 00000019.00000003.342492866.0000000005D5E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlXE
Source: RegSvcs.exe, 00000019.00000003.337399633.0000000005D5E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/tio
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegSvcs.exe, 00000019.00000003.339344837.0000000005D5E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersF
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegSvcs.exe, 00000019.00000003.339089886.0000000005D5E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: RegSvcs.exe, 00000019.00000002.494111730.0000000005D20000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comai
Source: RegSvcs.exe, 00000019.00000002.494111730.0000000005D20000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comiona
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: RegSvcs.exe, 00000019.00000003.314645960.0000000005D50000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegSvcs.exe, 00000019.00000003.316824024.0000000005D4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnK
Source: RegSvcs.exe, 00000019.00000003.314645960.0000000005D50000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnh
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegSvcs.exe, 00000019.00000003.361142409.0000000005D51000.00000004.00000001.sdmp, RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RegSvcs.exe, 00000019.00000003.323242734.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegSvcs.exe, 00000019.00000003.323242734.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/1
Source: RegSvcs.exe, 00000019.00000003.326313945.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: RegSvcs.exe, 00000019.00000003.323242734.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: RegSvcs.exe, 00000019.00000003.323242734.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: RegSvcs.exe, 00000019.00000003.326313945.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Z
Source: RegSvcs.exe, 00000019.00000003.323242734.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: RegSvcs.exe, 00000019.00000003.326313945.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
Source: RegSvcs.exe, 00000019.00000003.326313945.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/sl-s
Source: RegSvcs.exe, 00000019.00000003.326313945.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: powershell.exe, 00000009.00000003.535572028.0000000008B68000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000009.00000003.531136853.0000000008B2D000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.co
Source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 0000000C.00000002.648318996.0000000005B68000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.648318996.0000000005B68000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.648318996.0000000005B68000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.641619712.0000000004C48000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.638932192.0000000004891000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester02
Source: powershell.exe, 00000008.00000003.533777599.00000000051B2000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000003.499602452.00000000055A2000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.660256551.00000000060E5000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.657929211.00000000057B5000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.654327123.0000000005336000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.648318996.0000000005B68000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000019.00000002.468178579.0000000002C68000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.468484958.0000000002C78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6984, type: MEMORY
Source: Yara match	File source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs

.Net Code: HookKeyboard

Installs a global keyboard hook

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000019.00000002.468178579.0000000002C68000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: QuotationTXCtyres.exe

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Code function: 0_2_00CC4A80	0_2_00CC4A80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0357BB58	6_2_0357BB58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0357F96B	6_2_0357F96B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0357F6F0	6_2_0357F6F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0357DE88	6_2_0357DE88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035B40E8	6_2_035B40E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035B5D38	6_2_035B5D38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035B8528	6_2_035B8528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035B8528	6_2_035B8528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035B8528	6_2_035B8528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035B40E8	6_2_035B40E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035B8528	6_2_035B8528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035B8528	6_2_035B8528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035CD2D0	6_2_035CD2D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035C0040	6_2_035C0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035CA50F	6_2_035CA50F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035F9180	6_2_035F9180
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035FD660	6_2_035FD660
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035FB578	6_2_035FB578
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035FF5F0	6_2_035FF5F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035FBB00	6_2_035FBB00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035F6358	6_2_035F6358
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035F6368	6_2_035F6368
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035FB578	6_2_035FB578
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035FCA0C	6_2_035FCA0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035F99B0	6_2_035F99B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035F7DD0	6_2_035F7DD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0361F838	6_2_0361F838
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0361B468	6_2_0361B468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0361B478	6_2_0361B478
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035BE3DB	6_2_035BE3DB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00B26A00	8_2_00B26A00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00B27E70	8_2_00B27E70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044B84B8	8_2_044B84B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044B0AA8	8_2_044B0AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044EF068	8_2_044EF068
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044E8D48	8_2_044E8D48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044EF068	8_2_044EF068
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044EA5B0	8_2_044EA5B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044EA82B	8_2_044EA82B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044E6A18	8_2_044E6A18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_001C8710	9_2_001C8710
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_001C66F8	9_2_001C66F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_001C7780	9_2_001C7780
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_001C29B0	9_2_001C29B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_006AF2C8	9_2_006AF2C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_006AA810	9_2_006AA810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_006AAA8B	9_2_006AAA8B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_006A6C78	9_2_006A6C78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_006AF2C8	9_2_006AF2C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_006A8FA8	9_2_006A8FA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00C3C9B0	9_2_00C3C9B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00C3EA10	9_2_00C3EA10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00C7E818	12_2_00C7E818
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_031FBD30	12_2_031FBD30
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Code function: 20_2_01574A80	20_2_01574A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 25_2_028EB29C	25_2_028EB29C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 25_2_028EB1E4	25_2_028EB1E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 25_2_028EC310	25_2_028EC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 25_2_028EB290	25_2_028EB290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 25_2_028E99D0	25_2_028E99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 25_2_028EDFD0	25_2_028EDFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 25_2_075EB4E0	25_2_075EB4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 25_2_075EEEC8	25_2_075EEEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 25_2_075EBDB0	25_2_075EBDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 25_2_075EB198	25_2_075EB198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 25_2_075E0006	25_2_075E0006

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6320 -s 2356

Source: QuotationTXCtyres.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000019.00000002.452936886.0000000000D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000002.468178579.0000000002C68000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.453010740.0000000000D40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 25.2.RegSvcs.exe.d40000.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 25.2.RegSvcs.exe.2c8e168.7.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.RegSvcs.exe.2c94dd4.8.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.RegSvcs.exe.d30000.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.RegSvcs.exe.2a2b7a8.6.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs

Base64 encoded string: 'v5WL2NHSlgg63F1NfR2aR6g9h0gfWR8N+GP/UFVCtJkDDYPZkr2E+r1UVbTAuMU5ECRkSfAQftTbilbZSEDKHs/x/Ht/+M4keqrxuFN0ot0=', 'jQLYiTJKF11sw5sSNstFGe3izohG9YmwBLLBbFvxDFHA3kgG80r+KIMea4T97QWo', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@33/24@7/2

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6320
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe

File created: C:\Users\user\AppData\Local\Temp\44e61677-7e29-4236-baa6-6da2ca395576

Jump to behavior

Source: QuotationTXCtyres.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: QuotationTXCtyres.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe

File read: C:\Users\user\Desktop\QuotationTXCtyres.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QuotationTXCtyres.exe 'C:\Users\user\Desktop\QuotationTXCtyres.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\QuotationTXCtyres.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\Desktop\QuotationTXCtyres.exe 'C:\Users\user\Desktop\QuotationTXCtyres.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6320 -s 2356
Source: unknown	Process created: C:\Users\user\Desktop\QuotationTXCtyres.exe 'C:\Users\user\Desktop\QuotationTXCtyres.exe'
Source: unknown	Process created: C:\Users\user\Desktop\QuotationTXCtyres.exe 'C:\Users\user\Desktop\QuotationTXCtyres.exe'
Source: unknown	Process created: C:\Users\user\Desktop\QuotationTXCtyres.exe 'C:\Users\user\Desktop\QuotationTXCtyres.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe'
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\QuotationTXCtyres.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: QuotationTXCtyres.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QuotationTXCtyres.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: QuotationTXCtyres.exe

Static file information: File size 4525056 > 1048576

Source: QuotationTXCtyres.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x450800

Source: QuotationTXCtyres.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000019.00000002.491465902.0000000005AAF000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbA source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
Source:	Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\QuotationTXCtyres.PDB source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
Source:	Binary string: iVisualBasic.pdb source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdby source: RegSvcs.exe, 00000019.00000002.491465902.0000000005AAF000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: RegSvcs.exe, 00000019.00000002.468996361.0000000002C8C000.00000004.00000001.sdmp
Source:	Binary string: .pdb- source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbl source: powershell.exe, 00000006.00000003.567199772.000000000822B000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp
Source:	Binary string: QuotationTXCtyres.PDB source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbo source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbI source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Code function: 0_2_00CC8F48 push ds; iretd	0_2_00CC8F4A
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Code function: 0_2_00CC8F40 push ds; iretd	0_2_00CC8F42
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Code function: 0_2_00CC8F11 push ds; iretd	0_2_00CC8F12
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035757F8 push eax; mov dword ptr [esp], edx	6_2_0357580C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_03578E01 push eax; mov dword ptr [esp], ecx	6_2_03578E54
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_03575CF8 push eax; mov dword ptr [esp], edx	6_2_03575CFC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_035C5AAF push es; ret	6_2_035C5AC6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0361281A push ebx; ret	6_2_0361287A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_03613EB0 pushfd ; iretd	6_2_03613EB9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00B21D20 pushfd ; ret	8_2_00B21D21
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044B1F20 push es; ret	8_2_044B1F30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044E0D68 push eax; mov dword ptr [esp], edx	8_2_044E0D6C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044E3D00 push eax; mov dword ptr [esp], ecx	8_2_044E3D14
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044E05B2 push eax; mov dword ptr [esp], edx	8_2_044E05C4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_044E6A18 pushfd ; ret	8_2_044E6D29
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_001B1ED8 push eax; mov dword ptr [esp], edx	9_2_001B1EEC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_006A0A7F push eax; mov dword ptr [esp], edx	9_2_006A0A84
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_006A0E28 push eax; mov dword ptr [esp], edx	9_2_006A0E2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_006A3F60 push eax; mov dword ptr [esp], ecx	9_2_006A3F74
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00C752C9 push esp; iretd	12_2_00C752D1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00C72D68 push eax; mov dword ptr [esp], edx	12_2_00C72D7C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00C7ED1F push edi; retf	12_2_00C7ED2E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_031F2D24 push FFFFFF8Bh; iretd	12_2_031F2D26
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Code function: 20_2_01572BB0 push eax; mov dword ptr [esp], ecx	20_2_01572D29

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon shell

Jump to behavior

Creates autostart registry keys with suspicious names

Show sources

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>

Jump to behavior

Creates multiple autostart registry keys

Show sources

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>			Jump to behavior
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run QuotationTXCtyres.exe			Jump to behavior

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe

Jump to dropped file

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe

Jump to behavior

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe			Jump to behavior
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>	Jump to behavior
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>	Jump to behavior
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run QuotationTXCtyres.exe	Jump to behavior
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run QuotationTXCtyres.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report QuotationTXCtyres.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: HawkEye

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection: