Windows Analysis Report FukQGQj7cl

Overview

General Information

Sample Name: FukQGQj7cl (renamed file extension from none to exe)
Analysis ID: 462697
MD5: 83f58ecf0778e3b0acca8497df23ef23
SHA1: a2123e816fcd387873272e022220fbc05b96d392
SHA256: 437fae5aa2cad8ddb1fe3e316afdc6a1fdd2676084131fdc082ffdc8a53f066d
Tags: 32, exe, trojan

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains very large array initializations
Changes the view of files in windows explorer (hidden files and folders)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Process Tree

  • System is w10x64
  • FukQGQj7cl.exe (PID: 4792 cmdline: 'C:\Users\user\Desktop\FukQGQj7cl.exe' MD5: 83F58ECF0778E3B0ACCA8497DF23EF23)
    • InstallUtil.exe (PID: 6284 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • vbc.exe (PID: 6860 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6852 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000016.00000002.364855957.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  Matched strings:
  • 0x7ba5a:$key: HawkEyeKeylogger
  • 0xfdd18:$key: HawkEyeKeylogger
  • 0x7dc58:$salt: 099u787978786
  • 0xfff16:$salt: 099u787978786
  • 0x7c073:$string1: HawkEye_Keylogger
  • 0x7cec6:$string1: HawkEye_Keylogger
  • 0x7dbb8:$string1: HawkEye_Keylogger
  • 0xfe331:$string1: HawkEye_Keylogger
  • 0xff184:$string1: HawkEye_Keylogger
  • 0xffe76:$string1: HawkEye_Keylogger
  • 0x7c45c:$string2: holdermail.txt
  • 0x7c47c:$string2: holdermail.txt
  • 0xfe71a:$string2: holdermail.txt
  • 0xfe73a:$string2: holdermail.txt
  • 0x7c39e:$string3: wallet.dat
  • 0x7c3b6:$string3: wallet.dat
  • 0x7c3cc:$string3: wallet.dat
  • 0xfe65c:$string3: wallet.dat
  • 0xfe674:$string3: wallet.dat
  • 0xfe68a:$string3: wallet.dat
  • 0x7d79a:$string4: Keylog Records
00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(list truncated; 31 entries in total)

Unpacked PEs

Source | Rule | Description | Author
16.2.InstallUtil.exe.8460000.11.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  Matched strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
21.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
16.2.InstallUtil.exe.4089930.8.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
1.2.FukQGQj7cl.exe.4acafa7.10.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
1.2.FukQGQj7cl.exe.478476a.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(list truncated; 100 entries in total)

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\Desktop\FukQGQj7cl.exe', ParentImage: C:\Users\user\Desktop\FukQGQj7cl.exe, ParentProcessId: 4792, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6284

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.6852.22.memstrmin | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: FukQGQj7cl.exe | Virustotal: Detection: 45%
Source: FukQGQj7cl.exe | ReversingLabs: Detection: 35%
Machine Learning detection for sample
Source: FukQGQj7cl.exe | Joe Sandbox ML: detected
Source: 16.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.InstallUtil.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack | Avira: Label: TR/Inject.vcoldi
Source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack | Avira: Label: TR/Inject.vcoldi
Source: FukQGQj7cl.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.3:49715 version: TLS 1.0
Source: FukQGQj7cl.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.501178621.00000000084C0000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: FukQGQj7cl.exe, 00000001.00000003.299838271.0000000006CE4000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000000.297962667.0000000000D62000.00000002.00020000.sdmp, InstallUtil.exe.1.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: InstallUtil.pdb | source: FukQGQj7cl.exe, 00000001.00000003.299838271.0000000006CE4000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.1.dr
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: InstallUtil.exe, 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: InstallUtil.exe, 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 21_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,21_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,22_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 22_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,22_2_00407E0E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.3:49745 -> 45.141.152.18:21
Source: global traffic | TCP traffic: 192.168.2.3:49746 -> 45.141.152.18:62025
Source: Joe Sandbox View | IP Address: 45.141.152.18
Source: Joe Sandbox View | ASN Name: M247GB
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | FTP traffic detected: 45.141.152.18:21 -> 192.168.2.3:49745
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 6 of 50 allowed.
220-Local time is now 10:48. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.3:49715 version: TLS 1.0
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe, 00000016.00000002.364855957.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp, vbc.exe, 00000016.00000002.364855957.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: www.google.com
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crl0
Source: InstallUtil.exe, 00000010.00000003.314395304.00000000061EB000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: InstallUtil.exe, 00000010.00000003.314578251.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comB
Source: InstallUtil.exe, 00000010.00000003.314280047.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comsUKAi
Source: InstallUtil.exe, 00000010.00000002.494142383.0000000003476000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.badonfashoin.com
Source: FukQGQj7cl.exe, 00000001.00000003.306427088.0000000009950000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: FukQGQj7cl.exe, 00000001.00000003.230610513.000000000994A000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/12A
Source: FukQGQj7cl.exe, 00000001.00000003.306427088.0000000009950000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: FukQGQj7cl.exe, 00000001.00000003.230610513.000000000994A000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g2A
Source: FukQGQj7cl.exe, 00000001.00000003.306427088.0000000009950000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: FukQGQj7cl.exe, 00000001.00000003.230610513.000000000994A000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj2A
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.494750181.0000000004081000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: FukQGQj7cl.exe, 00000001.00000002.312563898.0000000002ECF000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: FukQGQj7cl.exe, 00000001.00000002.312280965.0000000002EA1000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FukQGQj7cl.exe, 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, InstallUtil.exe, 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: InstallUtil.exe, 00000010.00000003.319415666.00000000061E8000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: InstallUtil.exe, 00000010.00000003.319806893.00000000061E9000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: InstallUtil.exe, 00000010.00000003.320005338.00000000061E7000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comLP
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp, InstallUtil.exe, 00000010.00000003.326807641.00000000061DE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: InstallUtil.exe, 00000010.00000003.326807641.00000000061DE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: InstallUtil.exe, 00000010.00000003.329177139.000000000620A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmln-us
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: InstallUtil.exe, 00000010.00000003.326807641.00000000061DE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersd
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: InstallUtil.exe, 00000010.00000003.313190214.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comcNUlA(
Source: InstallUtil.exe, 00000010.00000003.313322897.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comicXU
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, vbc.exe, 00000016.00000002.364855957.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: InstallUtil.exe, 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp, InstallUtil.exe, 00000010.00000003.315759111.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: InstallUtil.exe, 00000010.00000003.315478837.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comEUuA
Source: InstallUtil.exe, 00000010.00000003.315250712.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comWUgA
Source: InstallUtil.exe, 00000010.00000003.315832509.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comcomEUuA
Source: InstallUtil.exe, 00000010.00000003.315611989.00000000061EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comsUKAi
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: InstallUtil.exe, 00000010.00000002.498309994.00000000062C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: FukQGQj7cl.exe, 00000001.00000002.310372719.00000000013A2000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: FukQGQj7cl.exe, 00000001.00000002.312280965.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
Source: FukQGQj7cl.exe, 00000001.00000002.312280965.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 16.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.478476a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.472e905.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FukQGQj7cl.exe.48c2477.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.InstallUtil.exe.30ab2a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.325532719.0000000004AC3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.324877095.0000000004838000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.324260828.0000000004726000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.483743736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.489551476.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FukQGQj7cl.exe PID: 4792, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6284, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 21_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,21_2_0040AC8A
Source: FukQGQj7cl.exe, 00000001.00000002.309200167.000000000130A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary:

                  barindex
                  Malicious sample detected (through community Yara rule)Show sources
                  Source: 16.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 16.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 16.2.InstallUtil.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.FukQGQj7cl.exe.4ac319a.11.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.FukQGQj7cl.exe.4ac319a.11.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.FukQGQj7cl.exe.4acafa7.10.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 1.2.FukQGQj7cl.exe.478476a.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.FukQGQj7cl.exe.478476a.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.FukQGQj7cl.exe.48ba66a.6.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 16.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 16.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.FukQGQj7cl.exe.4ac95a2.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 1.2.FukQGQj7cl.exe.472e905.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.FukQGQj7cl.exe.472e905.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.FukQGQj7cl.exe.472cf00.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.FukQGQj7cl.exe.48ba66a.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.FukQGQj7cl.exe.48c0a72.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 1.2.FukQGQj7cl.exe.48c2477.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.F