
Windows Analysis Report 5nXX3v5zWn

Overview

General Information

Sample Name: 5nXX3v5zWn (renamed file extension from none to exe)
Analysis ID: 448478
MD5: e35a0bdb66b37b80c51a1559058e326b
SHA1: 42d31ffa8a8a38d5073220550cae44d3e91bf9d6
SHA256: 4d16ac850f443e678e5cdc8c104f9369a97e8347c3a64f3fce173329072fee53
Tags: 32exe

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
Adds a directory exclusion to Windows Defender
Changes the view of files in windows explorer (hidden files and folders)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • 5nXX3v5zWn.exe (PID: 3440 cmdline: 'C:\Users\user\Desktop\5nXX3v5zWn.exe' MD5: E35A0BDB66B37B80C51A1559058E326B)
    • powershell.exe (PID: 4116 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5796 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4420 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\egGZqtIOrEmq' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9C5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2396 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 5nXX3v5zWn.exe (PID: 5712 cmdline: C:\Users\user\Desktop\5nXX3v5zWn.exe MD5: E35A0BDB66B37B80C51A1559058E326B)
    • 5nXX3v5zWn.exe (PID: 3708 cmdline: C:\Users\user\Desktop\5nXX3v5zWn.exe MD5: E35A0BDB66B37B80C51A1559058E326B)
      • vbc.exe (PID: 2440 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5356 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • WindowsUpdate.exe (PID: 5096 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: E35A0BDB66B37B80C51A1559058E326B)
  • WindowsUpdate.exe (PID: 3412 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: E35A0BDB66B37B80C51A1559058E326B)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\5nXX3v5zWn.exe', ParentImage: C:\Users\user\Desktop\5nXX3v5zWn.exe, ParentProcessId: 3440, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe', ProcessId: 4116
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\5nXX3v5zWn.exe', ParentImage: C:\Users\user\Desktop\5nXX3v5zWn.exe, ParentProcessId: 3440, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe', ProcessId: 4116

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 5nXX3v5zWn.exe.3708.17.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe; ReversingLabs: Detection: 43%
Multi AV Scanner detection for submitted file
Source: 5nXX3v5zWn.exe; Virustotal: Detection: 46%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 5nXX3v5zWn.exe; Joe Sandbox ML: detected
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 5nXX3v5zWn.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 5nXX3v5zWn.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb; source: 5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb; source: vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 29_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 29_2_00407E0E FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe; Code function: 17_2_0572A568: 4x nop then jmp 0572A630h
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe; Code function: 17_2_0572A559: 4x nop then jmp 0572A630h
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe; Code function: 17_2_05729EF5: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe; Code function: 17_2_05722B75: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe; Code function: 17_2_05729A2D: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe; Code function: 17_2_078BFE8B: 4x nop then lea esp, dword ptr [ebp-08h]
Source: global traffic; TCP traffic: 192.168.2.3:49736 -> 185.26.106.194:587
Source: Joe Sandbox View; IP Address: 91.199.212.52
Source: global traffic; HTTP traffic detected: GET /SectigoRSADomainValidationSecureServerCA.crt HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/10.0; Host: crt.sectigo.com
Source: vbc.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown; DNS traffic detected: queries for: 231.29.2.0.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match; File source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.5nXX3v5zWn.exe.334b1ec.5.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 29_2_0040D674 OpenClipboard,GetLastError,DeleteFileW
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe; File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30D802E0E248FEE17AAF4A62594CC75A

System Summary:

Malicious sample detected (through community Yara rule)
Source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 17.2.5nXX3v5zWn.exe.334b1ec.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 29_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 00413E2D appears 34 times
Source: 5nXX3v5zWn.exe, 00000001.00000000.210021618.0000000000F60000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameSafeLsaPolicyHand.exe" vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe; Binary or memory string: OriginalFilename vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 0000000F.00000002.274022671.0000000000430000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameSafeLsaPolicyHand.exe" vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.536121035.00000000089F0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.536223795.0000000008A10000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.486267754.0000000000C50000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameSafeLsaPolicyHand.exe" vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.482058861.0000000000482000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamePhulli.exe0 vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.536186099.0000000008A00000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamenlsbres.dllj% vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.536347422.0000000008F20000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 5nXX3v5zWn.exe
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe; Section loaded: onecoreuapcommonproxystub.dll
Source: 5nXX3v5zWn.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 17.2.5nXX3v5zWn.exe.7d90000.12.raw.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.5nXX3v5zWn.exe.7d80000.11.raw.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.5nXX3v5zWn.exe.335ed8c.6.raw.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.5nXX3v5zWn.exe.334b1ec.5.raw.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.5nXX3v5zWn.exe.334b1ec.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5nXX3v5zWn.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: egGZqtIOrEmq.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WindowsUpdate.exe.17.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@23/23@3/3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 29_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,29_2_00415AFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 29_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,29_2_00415F87
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 29_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,29_2_00411196
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 29_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource,29_2_00411EF8
Source: C:\Users\user\Desktop\5nXX3v5zWn.exeFile created: C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exeJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2428:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3876:120:WilError_01
Source: C:\Users\user\Desktop\5nXX3v5zWn.exeMutant created: \Sessions\1\BaseNamedObjects\gUNensdasyPYNch
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:592:120:WilError_01
Source: C:\Users\user\Desktop\5nXX3v5zWn.exeFile created: C:\Users\user\AppData\Local\Temp\tmpA9C5.tmpJump to behavior
Source: 5nXX3v5zWn.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\5nXX3v5zWn.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\5nXX3v5zWn.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 5nXX3v5zWn.exe | Virustotal: Detection: 46%
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | File read: C:\Users\user\Desktop\5nXX3v5zWn.exe
Source: unknown | Process created: C:\Users\user\Desktop\5nXX3v5zWn.exe 'C:\Users\user\Desktop\5nXX3v5zWn.exe'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\egGZqtIOrEmq' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9C5.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Users\user\Desktop\5nXX3v5zWn.exe C:\Users\user\Desktop\5nXX3v5zWn.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Users\user\Desktop\5nXX3v5zWn.exe C:\Users\user\Desktop\5nXX3v5zWn.exe
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\egGZqtIOrEmq' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9C5.tmp'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Users\user\Desktop\5nXX3v5zWn.exe C:\Users\user\Desktop\5nXX3v5zWn.exe
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Users\user\Desktop\5nXX3v5zWn.exe C:\Users\user\Desktop\5nXX3v5zWn.exe
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: 5nXX3v5zWn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 5nXX3v5zWn.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 5nXX3v5zWn.exe | Static file information: File size 1261056 > 1048576
Source: 5nXX3v5zWn.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x131800
Source: 5nXX3v5zWn.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: 5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 29_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,29_2_004422C7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0038E2E0 push es; ret 9_2_0038E2F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_003832E5 push eax; ret 9_2_00383351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00391C3D push ebx; iretd