Loading ...

Play interactive tourEdit tour

Analysis Report Payment Advice 80642111.exe

Overview

General Information

Sample Name:Payment Advice 80642111.exe
Analysis ID:357080
MD5:85bd30d4211b1dff2fe6847502341831
SHA1:74fdf25bef9f31e311b21d8ca572f834d03134c0
SHA256:6f2af9503a84bf2c99e0bbf735b953a7551f7ff78f87c9ad84e8aff091f2ae10
Tags:exeHawkEye
Infos:

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Beds Obfuscator
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Payment Advice 80642111.exe (PID: 6428 cmdline: 'C:\Users\user\Desktop\Payment Advice 80642111.exe' MD5: 85BD30D4211B1DFF2FE6847502341831)
    • Payment Advice 80642111.exe (PID: 6464 cmdline: C:\Users\user\Desktop\Payment Advice 80642111.exe MD5: 85BD30D4211B1DFF2FE6847502341831)
    • Payment Advice 80642111.exe (PID: 6488 cmdline: C:\Users\user\Desktop\Payment Advice 80642111.exe MD5: 85BD30D4211B1DFF2FE6847502341831)
    • Payment Advice 80642111.exe (PID: 6496 cmdline: C:\Users\user\Desktop\Payment Advice 80642111.exe MD5: 85BD30D4211B1DFF2FE6847502341831)
    • Payment Advice 80642111.exe (PID: 6508 cmdline: C:\Users\user\Desktop\Payment Advice 80642111.exe MD5: 85BD30D4211B1DFF2FE6847502341831)
      • vbc.exe (PID: 7116 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 3220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 7124 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 5480 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 85BD30D4211B1DFF2FE6847502341831)
    • WindowsUpdate.exe (PID: 6228 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: 85BD30D4211B1DFF2FE6847502341831)
      • vbc.exe (PID: 6452 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6876 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • WindowsUpdate.exe (PID: 804 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 85BD30D4211B1DFF2FE6847502341831)
    • WindowsUpdate.exe (PID: 6992 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: 85BD30D4211B1DFF2FE6847502341831)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
    00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
      00000004.00000002.293943590.0000000008500000.00000004.00000001.sdmpHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
      • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
      00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
        00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmpHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
        • 0x39848:$hawkstr1: HawkEye Keylogger
        • 0x3cd6c:$hawkstr1: HawkEye Keylogger
        • 0x3d148:$hawkstr1: HawkEye Keylogger
        • 0x41d4c:$hawkstr1: HawkEye Keylogger
        • 0x1452f0:$hawkstr1: HawkEye Keylogger
        • 0x39300:$hawkstr2: Dear HawkEye Customers!
        • 0x3cdcc:$hawkstr2: Dear HawkEye Customers!
        • 0x3d1a8:$hawkstr2: Dear HawkEye Customers!
        • 0x3942e:$hawkstr3: HawkEye Logger Details:
        Click to see the 68 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        4.2.Payment Advice 80642111.exe.400000.0.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
        • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
        4.2.Payment Advice 80642111.exe.400000.0.unpackRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
        • 0x7b90f:$key: HawkEyeKeylogger
        • 0x7db45:$salt: 099u787978786
        • 0x7bf1c:$string1: HawkEye_Keylogger
        • 0x7cd6f:$string1: HawkEye_Keylogger
        • 0x7daa5:$string1: HawkEye_Keylogger
        • 0x7c305:$string2: holdermail.txt
        • 0x7c325:$string2: holdermail.txt
        • 0x7c247:$string3: wallet.dat
        • 0x7c25f:$string3: wallet.dat
        • 0x7c275:$string3: wallet.dat
        • 0x7d687:$string4: Keylog Records
        • 0x7d99f:$string4: Keylog Records
        • 0x7db9d:$string5: do not script -->
        • 0x7b8f7:$string6: \pidloc.txt
        • 0x7b951:$string7: BSPLIT
        • 0x7b961:$string7: BSPLIT
        4.2.Payment Advice 80642111.exe.400000.0.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
          4.2.Payment Advice 80642111.exe.400000.0.unpackJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
            4.2.Payment Advice 80642111.exe.400000.0.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
              Click to see the 158 entries

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: Payment Advice 80642111.exe.6428.0.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
              Multi AV Scanner detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeMetadefender: Detection: 18%Perma Link
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeReversingLabs: Detection: 67%
              Multi AV Scanner detection for submitted fileShow sources