
Windows Analysis Report 280072109764552.doc

Overview

General Information

Sample Name: 280072109764552.doc
Analysis ID: 455555
MD5: ae01f0cc63c8a3b7bb239976c56788c3
SHA1: cd86bb62ab645cab4d20ec8a931ca9e84801ea36
SHA256: fde845dc869db03ce766a34d4d325cfb60ea5e605244e823fcfea5b3135aacb7
Tags: doc

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sample uses process hollowing technique
Searches for Windows Mail specific files
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2700 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2376 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • name.exe (PID: 1776 cmdline: 'C:\Users\user\AppData\Roaming\name.exe' MD5: FA0A3ED04EEC65D6D3FB55AA7D2497C1)
      • InstallUtil.exe (PID: 2964 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: BB85AA6D90A4157ED799257072B265FF)
        • vbc.exe (PID: 944 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)
        • vbc.exe (PID: 2460 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.2363878816.00000000004E0000.00000004.00000001.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000005.00000002.2363914554.00000000005E0000.00000004.00000001.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000007.00000002.2179402637.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000006.00000002.2176599122.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b697:$key: HawkEyeKeylogger
  • 0x7d895:$salt: 099u787978786
  • 0x7bcb0:$string1: HawkEye_Keylogger
  • 0x7cb03:$string1: HawkEye_Keylogger
  • 0x7d7f5:$string1: HawkEye_Keylogger
  • 0x7c099:$string2: holdermail.txt
  • 0x7c0b9:$string2: holdermail.txt
  • 0x7bfdb:$string3: wallet.dat
  • 0x7bff3:$string3: wallet.dat
  • 0x7c009:$string3: wallet.dat
  • 0x7d3d7:$string4: Keylog Records
  • 0x7d6ef:$string4: Keylog Records
  • 0x7d8ed:$string5: do not script -->
  • 0x7b67f:$string6: \pidloc.txt
  • 0x7b6e5:$string7: BSPLIT
  • 0x7b6f5:$string7: BSPLIT

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.InstallUtil.exe.5e0000.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
5.2.InstallUtil.exe.36594d0.12.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
4.2.name.exe.368a90f.10.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
5.2.InstallUtil.exe.36716f0.11.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
4.2.name.exe.349032a.9.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7548f:$key: HawkEyeKeylogger
  • 0x7768d:$salt: 099u787978786
  • 0x75aa8:$string1: HawkEye_Keylogger
  • 0x768fb:$string1: HawkEye_Keylogger
  • 0x775ed:$string1: HawkEye_Keylogger
  • 0x75e91:$string2: holdermail.txt
  • 0x75eb1:$string2: holdermail.txt
  • 0x75dd3:$string3: wallet.dat
  • 0x75deb:$string3: wallet.dat
  • 0x75e01:$string3: wallet.dat
  • 0x771cf:$string4: Keylog Records
  • 0x774e7:$string4: Keylog Records
  • 0x776e5:$string5: do not script -->
  • 0x75477:$string6: \pidloc.txt
  • 0x754dd:$string7: BSPLIT
  • 0x754ed:$string7: BSPLIT