Loading ...

Play interactive tourEdit tour

Windows Analysis Report Costa Order.exe

Overview

General Information

Sample Name:Costa Order.exe
Analysis ID:453873
MD5:bc4e444c2dd7463dc563119593bc7764
SHA1:d54092772dd1d8ca8b20b84f44e0931d089d79d7
SHA256:fd95b0eb1d2a5650592de694cda956d9dcf0b1c3312fcb3273571f858762ae15
Tags:exeHawkEye
Infos:

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Launches processes in debugging mode, may be used to hinder debugging
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Costa Order.exe (PID: 4788 cmdline: 'C:\Users\user\Desktop\Costa Order.exe' MD5: BC4E444C2DD7463DC563119593BC7764)
    • Costa Order.exe (PID: 5540 cmdline: {path} MD5: BC4E444C2DD7463DC563119593BC7764)
    • Costa Order.exe (PID: 5640 cmdline: {path} MD5: BC4E444C2DD7463DC563119593BC7764)
      • Windows Update.exe (PID: 1328 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: BC4E444C2DD7463DC563119593BC7764)
        • Windows Update.exe (PID: 4848 cmdline: {path} MD5: BC4E444C2DD7463DC563119593BC7764)
          • vbc.exe (PID: 3880 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 1036 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 5172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • WerFault.exe (PID: 5324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 2992 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: BC4E444C2DD7463DC563119593BC7764)
  • WindowsUpdate.exe (PID: 5432 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: BC4E444C2DD7463DC563119593BC7764)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
  • 0x7b6f2:$key: HawkEyeKeylogger
  • 0x7d954:$salt: 099u787978786
  • 0x7bd33:$string1: HawkEye_Keylogger
  • 0x7cb86:$string1: HawkEye_Keylogger
  • 0x7d8b4:$string1: HawkEye_Keylogger
  • 0x7c11c:$string2: holdermail.txt
  • 0x7c13c:$string2: holdermail.txt
  • 0x7c05e:$string3: wallet.dat
  • 0x7c076:$string3: wallet.dat
  • 0x7c08c:$string3: wallet.dat
  • 0x7d478:$string4: Keylog Records
  • 0x7d790:$string4: Keylog Records
  • 0x7d9ac:$string5: do not script -->
  • 0x7b6da:$string6: \pidloc.txt
  • 0x7b768:$string7: BSPLIT
  • 0x7b778:$string7: BSPLIT
0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
    0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
      0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
        0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmpHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
        • 0x7bd8b:$hawkstr1: HawkEye Keylogger
        • 0x7cbcc:$hawkstr1: HawkEye Keylogger
        • 0x7cefb:$hawkstr1: HawkEye Keylogger
        • 0x7d056:$hawkstr1: HawkEye Keylogger
        • 0x7d1b9:$hawkstr1: HawkEye Keylogger
        • 0x7d450:$hawkstr1: HawkEye Keylogger
        • 0x7b919:$hawkstr2: Dear HawkEye Customers!
        • 0x7cf4e:$hawkstr2: Dear HawkEye Customers!
        • 0x7d0a5:$hawkstr2: Dear HawkEye Customers!
        • 0x7d20c:$hawkstr2: Dear HawkEye Customers!
        • 0x7ba3a:$hawkstr3: HawkEye Logger Details:
        Click to see the 56 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        24.2.Windows Update.exe.7d50000.12.raw.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
        • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
        24.2.Windows Update.exe.2d1b48c.5.raw.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
        • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
        24.2.Windows Update.exe.2d1b48c.5.raw.unpackJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
          24.2.Windows Update.exe.2d1b48c.5.raw.unpackHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
          • 0xf8e0:$hawkstr1: HawkEye Keylogger
          • 0x12df0:$hawkstr1: HawkEye Keylogger
          • 0x131cc:$hawkstr1: HawkEye Keylogger
          • 0x141bc:$hawkstr1: HawkEye Keylogger
          • 0xf398:$hawkstr2: Dear HawkEye Customers!
          • 0x12e50:$hawkstr2: Dear HawkEye Customers!
          • 0x1322c:$hawkstr2: Dear HawkEye Customers!
          • 0xf4c6:$hawkstr3: HawkEye Logger Details:
          24.0.Windows Update.exe.3d12370.10.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
            Click to see the 174 entries

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeVirustotal: Detection: 46%Perma Link
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeReversingLabs: Detection: 28%
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeVirustotal: Detection: 46%Perma Link
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeReversingLabs: Detection: 28%
            Multi AV Scanner detection for submitted fileShow sources
            Source: Costa Order.exeVirustotal: Detection: 46%Perma Link
            Source: Costa Order.exeReversingLabs: Detection: 28%
            Machine Learning detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Roaming\Windows Update.exeJoe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJoe Sandbox ML: detected
            Machine Learning detection for sampleShow sources
            Source: Costa Order.exeJoe Sandbox ML: detected
            Source: 2.2.Costa Order.exe.3dbbd60.2.unpackAvira: Label: TR/Inject.vcoldi
            Source: 24.2.Windows Update.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 24.2.Windows Update.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 24.0.Windows Update.exe.400000.15.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 24.0.Windows Update.exe.400000.15.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 10.2.Costa Order.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 10.2.Costa Order.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 24.0.Windows Update.exe.400000.1.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 24.0.Windows Update.exe.400000.1.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 17.2.Windows Update.exe.415bd60.2.unpackAvira: Label: TR/Inject.vcoldi
            Source: Costa Order.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: Costa Order.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT