Windows Analysis Report E-Remittance Form_z.TXT.exe

Overview

General Information

Sample Name: E-Remittance Form_z.TXT.exe
Analysis ID: 465268
MD5: 0c3bdc11fd6454bb67da849864170b44
SHA1: 1c925518e075761758a47f677016c95f5e80c92c
SHA256: bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1
Tags: exe, HawkEye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected AntiVM autoit script
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Contains functionality for reading data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: RegSvcs.exe.4684.28.memstrmin Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView", "browserpv"], "Version": "HawkEye Keylogger - Reborn v9{"}
Multi AV Scanner detection for domain / URL
Source: https://a.pomf.cat/ Virustotal: Detection: 7%
Source: http://pomf.cat/upload.php Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif ReversingLabs: Detection: 46%
Antivirus or Machine Learning detection for unpacked file
Source: 28.2.RegSvcs.exe.980000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: E-Remittance Form_z.TXT.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: E-Remittance Form_z.TXT.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: E-Remittance Form_z.TXT.exe
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009EA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 1_2_009EA2DF
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009FAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 1_2_009FAFB9
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_00A09FD3 FindFirstFileExA, 1_2_00A09FD3
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 2_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00AC399B
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose, 10_2_00AC399B
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AE2408 FindFirstFileW,Sleep,FindNextFileW,FindClose, 10_2_00AE2408
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AD280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00AD280D
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00B08877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_00B08877
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AECAE7 FindFirstFileW,FindNextFileW,FindClose, 10_2_00AECAE7
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AC1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00AC1A73
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00ADBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 10_2_00ADBCB3
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AEDE7C FindFirstFileW,FindClose, 10_2_00AEDE7C
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00ADBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00ADBF17
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif File opened: C:\Users\user\AppData\Local\Temp\82139548\rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif File opened: C:\Users\user\AppData\Local\Temp\82139548
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AD2285 InternetQueryDataAvailable,InternetReadFile, 10_2_00AD2285
Source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: urdavsa.pif.1.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: urdavsa.pif.1.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: urdavsa.pif.1.dr String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: urdavsa.pif.1.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: urdavsa.pif.1.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php
Source: urdavsa.pif, 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: urdavsa.pif.1.dr String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: urdavsa.pif.1.dr String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: urdavsa.pif.1.dr String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: urdavsa.pif.1.dr String found in binary or memory: http://www.globalsign.net/repository/0
Source: urdavsa.pif.1.dr String found in binary or memory: http://www.globalsign.net/repository/03
Source: urdavsa.pif.1.dr String found in binary or memory: http://www.globalsign.net/repository09
Source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp String found in binary or memory: https://a.pomf.cat/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Contains functionality for reading data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AEA0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 10_2_00AEA0FC
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AFD8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 10_2_00AFD8E9
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AD42E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW, 10_2_00AD42E1
Creates a DirectInput object (often for capturing keystrokes)
Source: urdavsa.pif, 00000002.00000002.392280466.0000000000CCA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00B0C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 10_2_00B0C7D6

System Summary:

Malicious sample detected (through community Yara rule)
Source: 28.2.RegSvcs.exe.7da834a.4.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 28.3.RegSvcs.exe.4aedbda.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.3.RegSvcs.exe.4aedbda.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.2.RegSvcs.exe.7da834a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009E6FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 1_2_009E6FC6
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AD6219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 10_2_00AD6219
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AC33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 10_2_00AC33A3
Detected potential crypto function
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 07E5F6D7EC7CCBC3D742658E9161D799934C6F7F6A3EBF560F361B4EE1730B6A
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: String function: 00AA8115 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: String function: 00AA333F appears 36 times
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: String function: 00A91D10 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: String function: 00AA14F7 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: String function: 00AD59E6 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: String function: 00AA6B90 appears 71 times
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: String function: 009FE2F0 appears 31 times
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: String function: 009FD870 appears 35 times
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: String function: 009FD940 appears 51 times
PE file contains strange resources
Source: urdavsa.pif.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.328087251.0000000001A70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs E-Remittance Form_z.TXT.exe
Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330334339.0000000005760000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs E-Remittance Form_z.TXT.exe
Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330306521.0000000003A20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs E-Remittance Form_z.TXT.exe
Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330172881.0000000003910000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs E-Remittance Form_z.TXT.exe
Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330293563.0000000003A00000.00000002.00000001.sdmp Binary or memory string: originalfilename vs E-Remittance Form_z.TXT.exe
Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330293563.0000000003A00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs E-Remittance Form_z.TXT.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Section loaded: dxgidebug.dll
Uses 32bit PE files
Source: E-Remittance Form_z.TXT.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 28.2.RegSvcs.exe.7da834a.4.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 28.3.RegSvcs.exe.4aedbda.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.3.RegSvcs.exe.4aedbda.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.2.RegSvcs.exe.7da834a.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 28.2.RegSvcs.exe.980000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 28.2.RegSvcs.exe.980000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 28.2.RegSvcs.exe.980000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 28.2.RegSvcs.exe.980000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 28.2.RegSvcs.exe.980000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 28.2.RegSvcs.exe.980000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 28.2.RegSvcs.exe.980000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 28.2.RegSvcs.exe.980000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 28.2.RegSvcs.exe.980000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 28.2.RegSvcs.exe.980000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/20@0/0
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009E6D06 GetLastError,FormatMessageW, 1_2_009E6D06
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AC33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 10_2_00AC33A3
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AF4AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 10_2_00AF4AEB
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AED606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 10_2_00AED606
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 2_2_00AC3EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,FindCloseChangeNotification, 2_2_00AC3EC5
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AFE0F6 CoInitialize,CoCreateInstance,CoUninitialize, 10_2_00AFE0F6
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009F963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 1_2_009F963A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe File created: C:\Users\user\AppData\Local\Temp\82139548
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Command line argument: sfxname 1_2_009FCBB8
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Command line argument: sfxstime 1_2_009FCBB8
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Command line argument: STARTDLG 1_2_009FCBB8
Source: E-Remittance Form_z.TXT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe File read: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe
Source: unknown Process created: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe 'C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe'
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe File written: C:\Users\user\AppData\Local\Temp\82139548\pojm.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: E-Remittance Form_z.TXT.exe Static file information: File size 1441541 > 1048576
Source: E-Remittance Form_z.TXT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: E-Remittance Form_z.TXT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: E-Remittance Form_z.TXT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: E-Remittance Form_z.TXT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: E-Remittance Form_z.TXT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: E-Remittance Form_z.TXT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: E-Remittance Form_z.TXT.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: E-Remittance Form_z.TXT.exe
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp
Source: E-Remittance Form_z.TXT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: E-Remittance Form_z.TXT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: E-Remittance Form_z.TXT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: E-Remittance Form_z.TXT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: E-Remittance Form_z.TXT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 2_2_00A9EE30 LoadLibraryA,GetProcAddress, 2_2_00A9EE30
File is packed with WinRar
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe File created: C:\Users\user\AppData\Local\Temp\82139548\__tmp_rar_sfx_access_check_6736515
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009FE336 push ecx; ret 1_2_009FE349
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009FD870 push eax; ret 1_2_009FD88E
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 2_2_00AA6BD5 push ecx; ret 2_2_00AA6BE8
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00ABD53C push 7400ABCFh; iretd 10_2_00ABD541
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AA6BD5 push ecx; ret 10_2_00AA6BE8
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 25_2_00F44708 push esp; iretd 25_2_00F4470B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 28_2_0170326C push ss; retf 28_2_0170326D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 28_2_017032F5 push ss; retf 28_2_017032F6

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe File created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Drops PE files
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe File created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: txt.exe Static PE information: E-Remittance Form_z.TXT.exe
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00B0A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 10_2_00B0A2EA
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AC43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_00AC43FF
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM autoit script
Source: Yara match File source: Process Memory Space: urdavsa.pif PID: 3588, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: urdavsa.pif PID: 5708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: urdavsa.pif PID: 2232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Window / User API: threadDelayed 1185
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Window / User API: threadDelayed 1173
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Window / User API: threadDelayed 1101
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Window / User API: threadDelayed 1097
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 5696 Thread sleep count: 1185 > 30
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 5696 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 1972 Thread sleep count: 1173 > 30
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 1972 Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 2072 Thread sleep count: 1101 > 30
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 2072 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 5392 Thread sleep count: 1097 > 30
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 5392 Thread sleep count: 80 > 30
Sleep loop found (likely to delay execution)
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Thread sleep count: Count: 1185 delay: -10
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Thread sleep count: Count: 1173 delay: -10
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Thread sleep count: Count: 1101 delay: -10
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Thread sleep count: Count: 1097 delay: -10
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009EA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 1_2_009EA2DF
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009FAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 1_2_009FAFB9
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_00A09FD3 FindFirstFileExA, 1_2_00A09FD3
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 2_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00AC399B
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose, 10_2_00AC399B
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AE2408 FindFirstFileW,Sleep,FindNextFileW,FindClose, 10_2_00AE2408
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AD280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00AD280D
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00B08877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_00B08877
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AECAE7 FindFirstFileW,FindNextFileW,FindClose, 10_2_00AECAE7
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AC1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00AC1A73
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00ADBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 10_2_00ADBCB3
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AEDE7C FindFirstFileW,FindClose, 10_2_00AEDE7C
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00ADBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00ADBF17
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009FD353 VirtualQuery,GetSystemInfo, 1_2_009FD353
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif File opened: C:\Users\user\AppData\Local\Temp\82139548\rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif File opened: C:\Users\user\AppData\Local\Temp\82139548
Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exe@
Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp Binary or memory string: VboxService.exe=
Source: urdavsa.pif, 0000000A.00000003.399515071.00000000038A1000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Then}
Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp Binary or memory string: VMwareUser.exe5FB536C7
Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp Binary or memory string: VboxService.exez
Source: rpgc.htg.1.dr Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: rpgc.htg.1.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp Binary or memory string: VMwareUser.exe6BA444D6
Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp Binary or memory string: VMwaretray.exer
Source: urdavsa.pif, 00000015.00000003.517916403.0000000001C45000.00000004.00000001.sdmp Binary or memory string: rocessExists("VboxService.exe") ThenM72
Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp Binary or memory string: VMwareService.exe536C7jz
Source: urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp Binary or memory string: VMwareService.exe,r
Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VboxService.exe") ThenM72
Source: rpgc.htg.1.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp Binary or memory string: VMwareService.exe637D6
Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp Binary or memory string: VMwaretray.exe
Source: rpgc.htg.1.dr Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp Binary or memory string: VboxService.exe:~
Source: urdavsa.pif, 00000015.00000003.519079213.0000000001C47000.00000004.00000001.sdmp Binary or memory string: Exists("VMwareUser.exe") Then
Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exe
Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenv
Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp Binary or memory string: VMwareUser.exeE97637D6
Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp Binary or memory string: VMwareService.exeU
Source: urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exeFs
Source: urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp Binary or memory string: VboxService.exe
Source: urdavsa.pif, 00000002.00000003.386710610.0000000000B66000.00000004.00000001.sdmp, urdavsa.pif, 0000000A.00000003.399515071.00000000038A1000.00000004.00000001.sdmp, urdavsa.pif, 00000015.00000003.517916403.0000000001C45000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: rpgc.htg.1.dr Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AEA35D BlockInput, 10_2_00AEA35D
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009FE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_009FE4F5
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 2_2_00A9EE30 LoadLibraryA,GetProcAddress, 2_2_00A9EE30
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_00A06AF3 mov eax, dword ptr fs:[00000030h] 1_2_00A06AF3
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_00A0ACA1 GetProcessHeap, 1_2_00A0ACA1
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009FE643 SetUnhandledExceptionFilter, 1_2_009FE643
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009FE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_009FE4F5
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009FE7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_009FE7FB
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_00A07BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00A07BE1
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 2_2_00AAA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00AAA128
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 2_2_00AA7CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00AA7CCD
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AAF170 SetUnhandledExceptionFilter, 10_2_00AAF170
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AAA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00AAA128
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AA7CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00AA7CCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 28.2.RegSvcs.exe.980000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 980000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 980000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 980000
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 624000
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AC6C61 LogonUserW, 10_2_00AC6C61
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 2_2_00A9D7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 2_2_00A9D7A0
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AC43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_00AC43FF
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AC3321 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 10_2_00AC3321
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AD602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_00AD602A
Source: urdavsa.pif, 00000002.00000003.391144529.0000000000B88000.00000004.00000001.sdmp, urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp, urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: urdavsa.pif.1.dr Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: urdavsa.pif, urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp Binary or memory string: Progman
Source: urdavsa.pif, 00000002.00000003.386710610.0000000000B66000.00000004.00000001.sdmp, urdavsa.pif, 0000000A.00000003.399515071.00000000038A1000.00000004.00000001.sdmp, urdavsa.pif, 00000015.00000003.517916403.0000000001C45000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: rpgc.htg.1.dr Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: urdavsa.pif, 00000002.00000002.391973257.0000000000B12000.00000002.00020000.sdmp, urdavsa.pif, 0000000A.00000002.458737854.0000000000B12000.00000002.00020000.sdmp, urdavsa.pif, 00000015.00000000.457959788.0000000000B12000.00000002.00020000.sdmp, urdavsa.pif, 00000019.00000002.585114275.0000000000B12000.00000002.00020000.sdmp Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009FE34B cpuid 1_2_009FE34B
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: GetLocaleInfoW,GetNumberFormatW, 1_2_009F9D99
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009FCBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle, 1_2_009FCBB8
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00B02BF9 GetUserNameW, 10_2_00B02BF9
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 2_2_00AAE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 2_2_00AAE284
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe Code function: 1_2_009EA995 GetVersionExW, 1_2_009EA995
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Yara detected MailPassView
Source: Yara match File source: 28.2.RegSvcs.exe.7da834a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.RegSvcs.exe.4aedbda.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.RegSvcs.exe.4aedbda.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegSvcs.exe.7da834a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.582261171.0000000004A95000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 28.3.RegSvcs.exe.4a95bd5.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegSvcs.exe.7d50345.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.582261171.0000000004A95000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
OS version to string mapping found (often used in BOTs)
Source: urdavsa.pif Binary or memory string: WIN_XP
Source: urdavsa.pif Binary or memory string: WIN_XPe
Source: urdavsa.pif Binary or memory string: WIN_VISTA
Source: urdavsa.pif.1.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
Source: urdavsa.pif Binary or memory string: WIN_7
Source: urdavsa.pif Binary or memory string: WIN_8
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR

Remote Access Functionality:

Detected HawkEye Rat
Source: urdavsa.pif, 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: RegSvcs.exe, 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Yara detected HawkEye Keylogger
Source: Yara match File source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AFC06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 10_2_00AFC06C
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00B065D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 10_2_00B065D3
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif Code function: 10_2_00AF4EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 10_2_00AF4EFB