
Analysis Report Sample_B.exe

Overview

General Information

Sample Name:Sample_B.exe
Analysis ID:354163
MD5:78300bd48d50fa7e5f3f6a933cc5f739
SHA1:03157f27b0d5141465adeeaf9b3a7b5f3e60f614
SHA256:424212e76c0e660538ee49126079980b34f4dd343e002004f67ea71a937af5e3

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • Sample_B.exe (PID: 2368 cmdline: 'C:\Users\user\Desktop\Sample_B.exe' MD5: 78300BD48D50FA7E5F3F6A933CC5F739)
    • Windows Update.exe (PID: 2360 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: 78300BD48D50FA7E5F3F6A933CC5F739)
      • dw20.exe (PID: 2932 cmdline: dw20.exe -x -s 1708 MD5: FBA78261A16C65FA44145613E3669E6E)
      • vbc.exe (PID: 2852 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)
      • vbc.exe (PID: 2816 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Sample_B.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Sample_B.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7ba1d:$key: HawkEyeKeylogger
  • 0x7dd13:$salt: 099u787978786
  • 0x7c09a:$string1: HawkEye_Keylogger
  • 0x7ceed:$string1: HawkEye_Keylogger
  • 0x7dc73:$string1: HawkEye_Keylogger
  • 0x7c483:$string2: holdermail.txt
  • 0x7c4a3:$string2: holdermail.txt
  • 0x7c3c5:$string3: wallet.dat
  • 0x7c3dd:$string3: wallet.dat
  • 0x7c3f3:$string3: wallet.dat
  • 0x7d837:$string4: Keylog Records
  • 0x7db4f:$string4: Keylog Records
  • 0x7dd6b:$string5: do not script -->
  • 0x7ba05:$string6: \pidloc.txt
  • 0x7ba93:$string7: BSPLIT
  • 0x7baa3:$string7: BSPLIT
Sample_B.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
Sample_B.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
Sample_B.exe | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7ba1d:$key: HawkEyeKeylogger
  • 0x7dd13:$salt: 099u787978786
  • 0x7c09a:$string1: HawkEye_Keylogger
  • 0x7ceed:$string1: HawkEye_Keylogger
  • 0x7dc73:$string1: HawkEye_Keylogger
  • 0x7c483:$string2: holdermail.txt
  • 0x7c4a3:$string2: holdermail.txt
  • 0x7c3c5:$string3: wallet.dat
  • 0x7c3dd:$string3: wallet.dat
  • 0x7c3f3:$string3: wallet.dat
  • 0x7d837:$string4: Keylog Records
  • 0x7db4f:$string4: Keylog Records
  • 0x7dd6b:$string5: do not script -->
  • 0x7ba05:$string6: \pidloc.txt
  • 0x7ba93:$string7: BSPLIT
  • 0x7baa3:$string7: BSPLIT
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.2112965167.0000000003610000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000002.2112485117.0000000003371000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b81d:$key: HawkEyeKeylogger
  • 0x7db13:$salt: 099u787978786
  • 0x7be9a:$string1: HawkEye_Keylogger
  • 0x7cced:$string1: HawkEye_Keylogger
  • 0x7da73:$string1: HawkEye_Keylogger
  • 0x7c283:$string2: holdermail.txt
  • 0x7c2a3:$string2: holdermail.txt
  • 0x7c1c5:$string3: wallet.dat
  • 0x7c1dd:$string3: wallet.dat
  • 0x7c1f3:$string3: wallet.dat
  • 0x7d637:$string4: Keylog Records
  • 0x7d94f:$string4: Keylog Records
  • 0x7db6b:$string5: do not script -->
  • 0x7b805:$string6: \pidloc.txt
  • 0x7b893:$string7: BSPLIT
  • 0x7b8a3:$string7: BSPLIT
00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.Sample_B.exe.bc9c0d.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0.2.Sample_B.exe.2577280.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
2.2.Windows Update.exe.46e0000.9.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
2.2.Windows Update.exe.46f0000.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.Sample_B.exe.c1fa72.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Sample_B.exe | Avira: detected
Source: Sample_B.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Found malware configuration
Source: Windows Update.exe.2360.2.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Sample_B.exe | Joe Sandbox ML: detected
Source: 0.0.Sample_B.exe.bc0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.0.Sample_B.exe.bc0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.Windows Update.exe.ee0000.1.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.Windows Update.exe.ee0000.1.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.Sample_B.exe.bc0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.Sample_B.exe.bc0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 2.0.Windows Update.exe.ee0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 2.0.Windows Update.exe.ee0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473

Compliance:

Uses 32bit PE files
Source: Sample_B.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\Sample_B.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Sample_B.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: pC:\Win.pdbassembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: F^symbols\dll\mscorlib.pdb^ source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: .pdb; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: ^indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbs\AppData\Roaming\Windows Update.exe source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb8 source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Sample_B.exe
Source: Binary string: dows\mC:\Users\user\AppData\Roaming__b77a5c561934e089\mscorlib.pdbne_d08cc06a442b34fc source: Windows Update.exe, 00000002.00000002.2110645505.00000000003A0000.00000004.00000020.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Sample_B.exe
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Sample_B.exe
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbFP source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: ^T3/pC:\Windows\mscorlib.pdb4 source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: Sample_B.exe, 00000000.00000002.2076293431.0000000002050000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2111699782.0000000000E70000.00000002.00000001.sdmp
Source: Sample_B.exe | Binary or memory string: autorun.inf
Source: Sample_B.exe | Binary or memory string: [autorun]
Source: Windows Update.exe | Binary or memory string: [autorun]
Source: Windows Update.exe | Binary or memory string: autorun.inf
Source: Sample_B.exe | Binary or memory string: autorun.inf
Source: Sample_B.exe | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 0_2_005514C0
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 0_2_00550728
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 0_2_005517F8
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 4x nop then jmp 00551A73h | 0_2_005519B0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 2_2_004E7810
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E6059
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004EC627
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E9C3F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then call 004E1B20h | 2_2_004E9634
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E9634
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then mov esp, ebp | 2_2_004E48C7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E14C0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E5CEE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E98F9
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004EA2F0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004EC48F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then call 004E1B20h | 2_2_004E954A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E954A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E0728
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E6731
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004EA3DA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then call 004E1B20h | 2_2_004E8DE8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E8DE8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E17F8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then jmp 004E1A73h | 2_2_004E19A0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then jmp 004E1A73h | 2_2_004E19B0

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 66.102.1.108:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.155.36 104.16.155.36
Source: Joe Sandbox View | IP Address: 66.102.1.108 66.102.1.108
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 66.102.1.108:587
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_0011A09A recv | 2_2_0011A09A
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Sample_B.exe | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Sample_B.exe | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: Sample_B.exe, 00000000.00000002.2075873795.00000000004C2000.00000004.00000020.sdmp | String found in binary or memory: WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Sample_B.exe, 00000000.00000002.2075873795.00000000004C2000.00000004.00000020.sdmp | String found in binary or memory: WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 163.190.5.0.in-addr.arpa
Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: Sample_B.exe | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: Windows Update.exe, 00000002.00000002.2110645505.00000000003A0000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.3.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: Sample_B.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2113827446.0000000004A30000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: http://whatismyipaddress.com/
Source: Sample_B.exe | String found in binary or memory: http://whatismyipaddress.com/-
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2113827446.0000000004A30000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: Sample_B.exe | String found in binary or memory: http://www.nirsoft.net/
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

                          Key, Mouse, Clipboard, Microphone and Screen Capturing:

                          Yara detected HawkEye Keylogger
                          Source: Yara match | File source: Sample_B.exe, type: SAMPLE
                          Source: Yara match | File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE
                          Contains functionality to log keystrokes (.Net Source)
                          Source: Sample_B.exe, Form1.cs | .Net Code: HookKeyboard
                          Source: Windows Update.exe.0.dr, Form1.cs | .Net Code: HookKeyboard
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                          Source: WindowsUpdate.exe.2.dr, Form1.cs | .Net Code: HookKeyboard
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs | .Net Code: HookKeyboard
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                          Installs a global keyboard hook
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Window created: window name: CLIPBRDWNDCLASS

                          System Summary:

                          Malicious sample detected (through community Yara rule)
                          Source: Sample_B.exe, type: SAMPLE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                          Source: Sample_B.exe, type: SAMPLE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                          Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                          Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                          Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY