Loading ...

Play interactive tourEdit tour

Analysis Report 5O857649056366403032021.PDF.exe

Overview

General Information

Sample Name:5O857649056366403032021.PDF.exe
Analysis ID:362120
MD5:a67f05d542bcee462ecc03ae4d8195d6
SHA1:eeb590aaa3c47851ae6f678c29aec2ba1b54df8f
SHA256:1e96629ba4b537932150cc517455a0cfddcb7c35a4a0998d107643dc887b31c3
Infos:

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Opens the same file many times (likely Sandbox evasion)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 5O857649056366403032021.PDF.exe (PID: 3468 cmdline: 'C:\Users\user\Desktop\5O857649056366403032021.PDF.exe' MD5: A67F05D542BCEE462ECC03AE4D8195D6)
    • 5O857649056366403032021.PDF.exe (PID: 5444 cmdline: C:\Users\user\Desktop\5O857649056366403032021.PDF.exe MD5: A67F05D542BCEE462ECC03AE4D8195D6)
      • vbc.exe (PID: 6732 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 6844 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 516 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6724 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.218552903.00000000027D1000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000002.00000002.784876138.0000000008720000.00000004.00000001.sdmpHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
    • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
    00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
    • 0x7b719:$key: HawkEyeKeylogger
    • 0x7d917:$salt: 099u787978786
    • 0x7bd32:$string1: HawkEye_Keylogger
    • 0x7cb85:$string1: HawkEye_Keylogger
    • 0x7d877:$string1: HawkEye_Keylogger
    • 0x7c11b:$string2: holdermail.txt
    • 0x7c13b:$string2: holdermail.txt
    • 0x7c05d:$string3: wallet.dat
    • 0x7c075:$string3: wallet.dat
    • 0x7c08b:$string3: wallet.dat
    • 0x7d459:$string4: Keylog Records
    • 0x7d771:$string4: Keylog Records
    • 0x7d96f:$string5: do not script -->
    • 0x7b701:$string6: \pidloc.txt
    • 0x7b767:$string7: BSPLIT
    • 0x7b777:$string7: BSPLIT
    00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
      00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
        Click to see the 23 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        8.2.vbc.exe.400000.0.raw.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
          2.2.5O857649056366403032021.PDF.exe.8890000.12.raw.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
          • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
          2.2.5O857649056366403032021.PDF.exe.8720000.11.raw.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
          • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
          2.2.5O857649056366403032021.PDF.exe.41a9930.7.raw.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
            2.2.5O857649056366403032021.PDF.exe.41a9930.7.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
              Click to see the 58 entries

              Sigma Overview

              System Summary:

              barindex
              Sigma detected: Suspicious Double ExtensionShow sources
              Source: Process startedAuthor: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\5O857649056366403032021.PDF.exe, CommandLine: C:\Users\user\Desktop\5O857649056366403032021.PDF.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\5O857649056366403032021.PDF.exe, NewProcessName: C:\Users\user\Desktop\5O857649056366403032021.PDF.exe, OriginalFileName: C:\Users\user\Desktop\5O857649056366403032021.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\5O857649056366403032021.PDF.exe' , ParentImage: C:\Users\user\Desktop\5O857649056366403032021.PDF.exe, ParentProcessId: 3468, ProcessCommandLine: C:\Users\user\Desktop\5O857649056366403032021.PDF.exe, ProcessId: 5444

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: 5O857649056366403032021.PDF.exe.5444.2.memstrMalware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}
              Multi AV Scanner detection for submitted fileShow sources
              Source: 5O857649056366403032021.PDF.exeReversingLabs: Detection: 23%
              Machine Learning detection for sampleShow sources
              Source: 5O857649056366403032021.PDF.exeJoe Sandbox ML: detected
              Source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.unpackAvira: Label: TR/Inject.vcoldi

              Compliance:

              barindex
              Uses 32bit PE filesShow sources
              Source: 5O857649056366403032021.PDF.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
              Source: 5O857649056366403032021.PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Binary contains paths to debug symbolsShow sources
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000002.774686882.00000000031A1000.00000004.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmp, vbc.exe
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmp, vbc.exe
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmpBinary or memory string: autorun.inf
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmpBinary or memory string: [autorun]
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,7_2_00408441
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,7_2_00407E0E
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,8_2_00406EC3
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]2_2_073DFE8A
              Source: unknownDNS traffic detected: query: 203.215.12.0.in-addr.arpa replaycode: Name error (3)
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.275551658.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.275551658.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: unknownDNS traffic detected: queries for: 203.215.12.0.in-addr.arpa
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224554700.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://en.w
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.218552903.00000000027D1000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000002.774686882.00000000031A1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.243737730.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.agfamonotype.0
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224083852.0000000006268000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000003.224185573.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.223882735.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com/
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224083852.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224185573.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC/
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224083852.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC1
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224554700.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC3
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224083852.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comadeh
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224323142.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comark
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224554700.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comb
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.227770906.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comf
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224083852.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comghtv
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224554700.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comht
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224083852.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comies
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224083852.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comitk
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224083852.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224083852.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.commpa
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224083852.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comn
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.224083852.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comsof
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000003.243602370.0000000006268000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000003.243672472.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.229567284.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.229591196.0000000006278000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/O
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.231534012.0000000006268000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.231609808.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers:
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.232516116.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersW
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.232557212.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersr
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.233214847.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.772908055.00000000014F7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.772908055.00000000014F7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comceTF
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.772908055.00000000014F7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.come.com
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.222841537.000000000626E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.223199362.0000000006265000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn&
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.223388192.0000000006265000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/X
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.222841537.000000000626E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnO
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.223199362.0000000006265000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnr-c
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.235768370.0000000006278000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.235768370.0000000006278000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/9
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.236539415.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmR
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmp, 5O857649056366403032021.PDF.exe, 00000002.00000003.222340087.000000000626E000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.222340087.000000000626E000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krF
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.222340087.000000000626E000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krny
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.238156321.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.234952955.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.-
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.240555318.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.t
              Source: vbc.exe, vbc.exe, 00000008.00000002.262898420.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.227490771.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.227490771.0000000006268000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com8
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.222273989.000000000626E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.222652479.000000000626E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krn
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000003.222340087.000000000626E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krn-u
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.774686882.00000000031A1000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.782376344.0000000007452000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.218552903.00000000027D1000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
              Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              barindex
              Yara detected HawkEye KeyloggerShow sources
              Source: Yara matchFile source: 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.774686882.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 5O857649056366403032021.PDF.exe PID: 5444, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 5O857649056366403032021.PDF.exe PID: 3468, type: MEMORY
              Source: Yara matchFile source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.5O857649056366403032021.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.5O857649056366403032021.PDF.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.5O857649056366403032021.PDF.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.5O857649056366403032021.PDF.exe.3a73b90.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.5O857649056366403032021.PDF.exe.387bbb0.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.5O857649056366403032021.PDF.exe.31cb310.6.raw.unpack, type: UNPACKEDPE
              Contains functionality to log keystrokes (.Net Source)Show sources
              Source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_0040D674 OpenClipboard,GetLastError,DeleteFileW,7_2_0040D674

              System Summary:

              barindex
              Malicious sample detected (through community Yara rule)Show sources
              Source: 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.774686882.00000000031A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 2.2.5O857649056366403032021.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.5O857649056366403032021.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 2.2.5O857649056366403032021.PDF.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.5O857649056366403032021.PDF.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 2.2.5O857649056366403032021.PDF.exe.409c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.5O857649056366403032021.PDF.exe.409c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.5O857649056366403032021.PDF.exe.3a73b90.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.5O857649056366403032021.PDF.exe.3a73b90.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.5O857649056366403032021.PDF.exe.387bbb0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.5O857649056366403032021.PDF.exe.387bbb0.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 2.2.5O857649056366403032021.PDF.exe.31cb310.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Initial sample is a PE file and has a suspicious nameShow sources
              Source: initial sampleStatic PE information: Filename: 5O857649056366403032021.PDF.exe
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeProcess Stats: CPU usage > 98%
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 0_2_0267E3300_2_0267E330
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 0_2_0267C6900_2_0267C690
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 0_2_02679D780_2_02679D78
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 2_2_0151B29C2_2_0151B29C
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 2_2_0151C3102_2_0151C310
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 2_2_0151B2902_2_0151B290
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 2_2_015199D02_2_015199D0
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 2_2_0151DFD02_2_0151DFD0
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 2_2_073DB4E02_2_073DB4E0
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 2_2_073DEEC82_2_073DEEC8
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 2_2_073DBDB02_2_073DBDB0
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 2_2_073DB1982_2_073DB198
              Source: C:\Users\user\Desktop\5O857649056366403032021.PDF.exeCode function: 2_2_073D00062_2_073D0006
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004044197_2_00404419
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004045167_2_00404516
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004135387_2_00413538
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004145A17_2_004145A1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_0040E6397_2_0040E639
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004337AF7_2_004337AF
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004399B17_2_004399B1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_0043DAE77_2_0043DAE7
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00405CF67_2_00405CF6
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00403F857_2_00403F85
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00411F997_2_00411F99
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00404DDB8_2_00404DDB
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0040BD8A8_2_0040BD8A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00404E4C8_2_00404E4C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00404EBD8_2_00404EBD
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00404F4E8_2_00404F4E
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
              Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 516
              Source: 5O857649056366403032021.PDF.exeBinary or memory string: OriginalFilename vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.223255879.0000000005980000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLegacyPathHandling.dllN vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.218552903.00000000027D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAsyncState.dllF vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.218552903.00000000027D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000000.210356525.0000000000342000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNotSupportedException.exe6 vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exe, 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exeBinary or memory string: OriginalFilename vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000000.216226088.0000000000CA2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNotSupportedException.exe6 vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.774686882.00000000031A1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exe, 00000002.00000002.768924491.0000000000482000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exeBinary or memory string: OriginalFilenameNotSupportedException.exe6 vs 5O857649056366403032021.PDF.exe
              Source: 5O857649056366403032021.PDF.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 00000002.00000002.784876138.0000000008720000.00000004.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000002.00000002.767924598.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.219158430.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.785047145.0000000008890000.00000004.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.774686882.00000000031A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.5O857649056366403032021.PDF.exe.8890000.12.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.5O857649056366403032021.PDF.exe.8720000.11.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.5O857649056366403032021.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.5O857649056366403032021.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 2.2.5O857649056366403032021.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.5O857649056366403032021.PDF.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 2.2.5O857649056366403032021.PDF.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.5O857649056366403032021.PDF.exe.3c22610.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.5O857649056366403032021.PDF.exe.409c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 2.2.5O857649056366403032021.PDF.exe.409c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.5O857649056366403032021.PDF.exe.3a73b90.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.5O857649056366403032021.PDF.exe.3a73b90.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.5O857649056366403032021.PDF.exe.3a73b90.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.5O857649056366403032021.PDF.exe.387bbb0.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.5O857649056366403032021.PDF.exe.387bbb0.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.5O857649056366403032021.PDF.exe.387bbb0.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.5O857649056366403032021.PDF.exe.31cb310.6.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.5O857649056366403032021.PDF.exe.31cb310.6.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.5O857649056366403032021.PDF.exe.31def9c.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5O857649056366403032021.PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 2.2.5O857649056366403032021.PDF.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'