Analysis Report Mixed Items.exe

Overview

General Information

Sample Name: Mixed Items.exe
Analysis ID: 363869
MD5: 017e52146c9131dbc9487d834cdfc247
SHA1: 6dff831a7fd2a42ec3abe4c1ba51f3a9c9c6a25b
SHA256: 26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
Tags: exe, RAT, RemcosRAT

Detection

Families: HawkEye, AgentTesla, MailPassView, Matiex, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
Yara detected Remcos RAT
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Installs a global keyboard hook
Machine Learning detection for dropped file
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Yara detected Beds Obfuscator
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • Mixed Items.exe (PID: 6248 cmdline: 'C:\Users\user\Desktop\Mixed Items.exe' MD5: 017E52146C9131DBC9487D834CDFC247)
    • AdvancedRun.exe (PID: 7032 cmdline: 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 7152 cmdline: 'C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe' /SpecialRun 4101d8 7032 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 2152 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Mixed Items.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6300 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Mixed Items.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4116 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Mixed Items.exe (PID: 7140 cmdline: C:\Users\user\Desktop\Mixed Items.exe MD5: 017E52146C9131DBC9487D834CDFC247)
    • Mixed Items.exe (PID: 6440 cmdline: C:\Users\user\Desktop\Mixed Items.exe MD5: 017E52146C9131DBC9487D834CDFC247)
    • Mixed Items.exe (PID: 1528 cmdline: C:\Users\user\Desktop\Mixed Items.exe MD5: 017E52146C9131DBC9487D834CDFC247)
      • hawkgoods.exe (PID: 1392 cmdline: 'C:\Users\user\AppData\Local\Temp\hawkgoods.exe' 0 MD5: FFDB58533D5D1362E896E96FB6F02A95)
      • Matiexgoods.exe (PID: 6780 cmdline: 'C:\Users\user\AppData\Local\Temp\Matiexgoods.exe' 0 MD5: 80C61B903400B534858D047DD0919F0E)
      • origigoods20.exe (PID: 6064 cmdline: 'C:\Users\user\AppData\Local\Temp\origigoods20.exe' 0 MD5: 61DC57C6575E1F3F2AE14C1B332AD2FB)
      • origigoods40.exe (PID: 5292 cmdline: 'C:\Users\user\AppData\Local\Temp\origigoods40.exe' 0 MD5: AE36F0D16230B9F41FFECBD3C5B1D660)
      • Purchase Order.exe (PID: 5352 cmdline: 'C:\Users\user\AppData\Local\Temp\Purchase Order.exe' 0 MD5: 4983412EC34657BAB4A9BD56617B9960)
  • svchost.exe (PID: 6664 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6908 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 204 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6460 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6636 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6800 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5720 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7116 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 592 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 6488 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 5508 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 5536 cmdline: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' MD5: 017E52146C9131DBC9487D834CDFC247)
  • svchost.exe (PID: 5540 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 5708 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 5276 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 7024 cmdline: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' MD5: 017E52146C9131DBC9487D834CDFC247)
  • svchost.exe (PID: 5880 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "sales1@midombo.comMARYolanmauluogwo@eversmtp.privateemail.com"}

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\Purchase Order.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
C:\Users\user\AppData\Local\Temp\Purchase Order.exe | REMCOS_RAT_variants | unknown | unknown
Strings:
  • 0x5eae4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x5ea60:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5ea60:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5e088:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x5e6e0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5dc2c:$str_b2: Executing file:
  • 0x5ec28:$str_b3: GetDirectListeningPort
  • 0x5e4a0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x5e824:$str_b5: licence_code.txt
  • 0x5e6c8:$str_b7: \update.vbs
  • 0x5dc9c:$str_b9: Downloaded file:
  • 0x5dc68:$str_b10: Downloading file:
  • 0x5dc50:$str_b12: Failed to upload file:
  • 0x5ebf0:$str_b13: StartForward
  • 0x5ec10:$str_b14: StopForward
  • 0x5e670:$str_b15: fso.DeleteFile "
  • 0x5e604:$str_b16: On Error Resume Next
  • 0x5e6a0:$str_b17: fso.DeleteFolder "
  • 0x5dc40:$str_b18: Uploaded file:
  • 0x5dcdc:$str_b19: Unable to delete:
  • 0x5e638:$str_b20: while fso.FileExists("
C:\Users\user\AppData\Local\Temp\origigoods20.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Local\Temp\origigoods40.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security
(truncated; the full table has 7 entries)

Memory Dumps

Source | Rule | Description | Author
00000019.00000003.321855545.0000000004361000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000024.00000002.510313698.0000000002771000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000024.00000002.510313698.0000000002771000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000019.00000003.328468981.00000000043CD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000025.00000002.488787782.0000000000982000.00000002.00020000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(truncated; the full table has 36 entries)

Unpacked PEs

Source | Rule | Description | Author
30.2.hawkgoods.exe.2be8a9c.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
30.0.hawkgoods.exe.51fa72.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
30.2.hawkgoods.exe.300a1c4.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
30.0.hawkgoods.exe.4c9c0d.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
30.2.hawkgoods.exe.51fa72.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x1dc55:$key: HawkEyeKeylogger
  • 0x1fe99:$salt: 099u787978786
  • 0x1e296:$string1: HawkEye_Keylogger
  • 0x1f0e9:$string1: HawkEye_Keylogger
  • 0x1fdf9:$string1: HawkEye_Keylogger
  • 0x1e67f:$string2: holdermail.txt
  • 0x1e69f:$string2: holdermail.txt
  • 0x1e5c1:$string3: wallet.dat
  • 0x1e5d9:$string3: wallet.dat
  • 0x1e5ef:$string3: wallet.dat
  • 0x1f9bd:$string4: Keylog Records
  • 0x1fcd5:$string4: Keylog Records
  • 0x1fef1:$string5: do not script -->
  • 0x1dc3d:$string6: \pidloc.txt
  • 0x1dccb:$string7: BSPLIT
  • 0x1dcdb:$string7: BSPLIT
(truncated; the full table has 107 entries)

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5508, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , ProcessId: 5536
Sigma detected: System File Execution Location Anomaly
Source: Process started; Author: Florian Roth, Patrick Bareiss; Data: Command: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5508, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , ProcessId: 5536
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5508, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe' , ProcessId: 5536

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe; Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe; Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe; Avira: detection malicious, Label: TR/Redcap.jajcu
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe; Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe; Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Found malware configuration
Source: 33.2.origigoods20.exe.e50000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sales1@midombo.comMARYolanmauluogwo@eversmtp.privateemail.com"}
Source: hawkgoods.exe.1392.30.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe; Metadefender: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe; ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe; ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe; Metadefender: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe; ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe; Metadefender: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe; ReversingLabs: Detection: 85%
Source: C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe; ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: Mixed Items.exe; ReversingLabs: Detection: 17%
Yara detected Remcos RAT
Source: Yara match; File source: 00000025.00000002.488787782.0000000000982000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.347873362.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000025.00000002.490909756.0000000000A7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\Purchase Order.exe, type: DROPPED
Source: Yara match; File source: 25.2.Mixed Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.Mixed Items.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.Mixed Items.exe.40afcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.Mixed Items.exe.4031bf.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Purchase Order.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 25.2.Mixed Items.exe.4031bf.3.unpack; Avira: Label: TR/Inject.vcoldi
Source: 30.2.hawkgoods.exe.4c0000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 30.2.hawkgoods.exe.4c0000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 31.0.Matiexgoods.exe.4d0000.0.unpack; Avira: Label: TR/Redcap.jajcu
Source: 30.0.hawkgoods.exe.4c0000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 30.0.hawkgoods.exe.4c0000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 31.2.Matiexgoods.exe.4d0000.0.unpack; Avira: Label: TR/Redcap.jajcu
Source: 25.2.Mixed Items.exe.400000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 25.2.Mixed Items.exe.400000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 25.2.Mixed Items.exe.400000.0.unpack; Avira: Label: TR/Redcap.jajcu
Source: 25.2.Mixed Items.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown; HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49747 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49760 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Mixed Items.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: AdvancedRun.exe, 00000007.00000002.268206463.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000009.00000000.266715806.000000000040C000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: hawkgoods.exe
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: hawkgoods.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: hawkgoods.exe