
Windows Analysis Report aaVb1xEmrd

Overview

General Information

Sample Name: aaVb1xEmrd (renamed file extension from none to exe)
Analysis ID: 478309
MD5: c428b176eca6b17cda3f5729abaddf0b
SHA1: 65262ee5ea9c832436c6eba4a5e58d69900aea72
SHA256: b139dd73d811c0d20602ebd74f962724d2c9e31958bdea9326473bf4bbd746b9
Tags: exe, HawkEye

Detection

Families: HawkEye, MailPassView, PredatorPainRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Yara detected PredatorPainRAT
System process connects to network (likely due to code injection or exploit)
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Sigma detected: System File Execution Location Anomaly
Creates multiple autostart registry keys
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Tries to steal Mail credentials (via file access)
Drops PE files with benign system names
Sample uses process hollowing technique
Installs a global keyboard hook
Disables Windows system restore
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Sigma detected: PowerShell Script Run in AppData
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Contains functionality to query network adapter information
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • aaVb1xEmrd.exe (PID: 2432 cmdline: 'C:\Users\user\Desktop\aaVb1xEmrd.exe' MD5: C428B176ECA6B17CDA3F5729ABADDF0B)
    • MULTIBOT_NEWW.exe (PID: 4768 cmdline: 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe' MD5: 3F620FFD8BE649D1D31AB54F73A559BE)
    • svchost.exe (PID: 4280 cmdline: 'C:\Users\user\AppData\Local\Temp\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
      • svchost.exe (PID: 6256 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
    • taskhost.exe (PID: 4548 cmdline: 'C:\Users\user\AppData\Local\Temp\taskhost.exe' MD5: 83827B8CFFE67A789B03E342ED3B1572)
      • dw20.exe (PID: 6148 cmdline: dw20.exe -x -s 2200 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6280 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 6612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6292 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 6624 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • iExplorer.exe (PID: 1352 cmdline: 'C:\Users\user\AppData\Local\Temp\iExplorer.exe' MD5: A0DBD1314D214588960B1E0BCED5F4E0)
      • Windows Update.exe (PID: 5204 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: A0DBD1314D214588960B1E0BCED5F4E0)
        • dw20.exe (PID: 6724 cmdline: dw20.exe -x -s 2324 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
        • vbc.exe (PID: 6912 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 6928 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 5276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • WerFault.exe (PID: 5200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6740 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
  • svchost.exe (PID: 6960 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7088 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4920 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • WindowsUpdate.exe (PID: 6112 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 83827B8CFFE67A789B03E342ED3B1572)
    • dw20.exe (PID: 4068 cmdline: dw20.exe -x -s 1168 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • svchost.exe (PID: 3396 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6376 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6468 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
  • WindowsUpdate.exe (PID: 6656 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 83827B8CFFE67A789B03E342ED3B1572)
    • dw20.exe (PID: 7084 cmdline: dw20.exe -x -s 1096 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • svchost.exe (PID: 1752 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5168 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Roaming\Windows Update.exe
Rule: RAT_PredatorPain
Description: Detects PredatorPain RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b7df:$string1: holderwb.txt
  • 0x7b7fb:$string1: holderwb.txt
  • 0x7b961:$string3: There is a file attached to this email
  • 0x7bf35:$string4: screens\screenshot
  • 0x7a364:$string5: Disablelogger
  • 0x7a30e:$string6: \pidloc.txt
  • 0x79e1c:$string7: clearie
  • 0x79e34:$string8: clearff
  • 0x7a5c5:$string9: emails should be sent to you shortly
  • 0x7aad9:$string11: open=Sys.exe
  • 0x7a326:$ver1: PredatorLogger
  • 0x7a9a8:$ver3: Predator Pain
  • 0x7b79b:$ver3: Predator Pain
  • 0x7b910:$ver3: Predator Pain
  • 0x7bb27:$ver3: Predator Pain

Source: C:\Users\user\AppData\Roaming\Windows Update.exe
Rule: HKTL_NET_GUID_Stealer
Description: Detects c# red/black-team tools via typelibguid
Author: Arnim Rupp
Strings:
  • 0x615f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

Source: C:\Users\user\AppData\Roaming\Windows Update.exe
Rule: JoeSecurity_PredatorPainRAT
Description: Yara detected PredatorPainRAT
Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\AppData\Roaming\Windows Update.exe
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: C:\Users\user\AppData\Roaming\Windows Update.exe
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

(19 entries in total; only the first are shown here)

Memory Dumps

Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b68e:$key: HawkEyeKeylogger
  • 0x7d8e0:$salt: 099u787978786
  • 0x7bcdd:$string1: HawkEye_Keylogger
  • 0x7cb30:$string1: HawkEye_Keylogger
  • 0x7d840:$string1: HawkEye_Keylogger
  • 0x7c0c6:$string2: holdermail.txt
  • 0x7c0e6:$string2: holdermail.txt
  • 0x7c008:$string3: wallet.dat
  • 0x7c020:$string3: wallet.dat
  • 0x7c036:$string3: wallet.dat
  • 0x7d422:$string4: Keylog Records
  • 0x7d73a:$string4: Keylog Records
  • 0x7d938:$string5: do not script -->
  • 0x7b676:$string6: \pidloc.txt
  • 0x7b704:$string7: BSPLIT
  • 0x7b714:$string7: BSPLIT

Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bd35:$hawkstr1: HawkEye Keylogger
  • 0x7cb76:$hawkstr1: HawkEye Keylogger
  • 0x7cea5:$hawkstr1: HawkEye Keylogger
  • 0x7d000:$hawkstr1: HawkEye Keylogger
  • 0x7d163:$hawkstr1: HawkEye Keylogger
  • 0x7d3fa:$hawkstr1: HawkEye Keylogger
  • 0x7b8c3:$hawkstr2: Dear HawkEye Customers!
  • 0x7cef8:$hawkstr2: Dear HawkEye Customers!
  • 0x7d04f:$hawkstr2: Dear HawkEye Customers!
  • 0x7d1b6:$hawkstr2: Dear HawkEye Customers!
  • 0x7b9e4:$hawkstr3: HawkEye Logger Details:

(65 entries in total; only the first are shown here)

Unpacked PEs

Source: 8.0.Windows Update.exe.3d0000.10.unpack
Rule: RAT_PredatorPain
Description: Detects PredatorPain RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b7df:$string1: holderwb.txt
  • 0x7b7fb:$string1: holderwb.txt
  • 0x7b961:$string3: There is a file attached to this email
  • 0x7bf35:$string4: screens\screenshot
  • 0x7a364:$string5: Disablelogger
  • 0x7a30e:$string6: \pidloc.txt
  • 0x79e1c:$string7: clearie
  • 0x79e34:$string8: clearff
  • 0x7a5c5:$string9: emails should be sent to you shortly
  • 0x7aad9:$string11: open=Sys.exe
  • 0x7a326:$ver1: PredatorLogger
  • 0x7a9a8:$ver3: Predator Pain
  • 0x7b79b:$ver3: Predator Pain
  • 0x7b910:$ver3: Predator Pain
  • 0x7bb27:$ver3: Predator Pain

Source: 8.0.Windows Update.exe.3d0000.10.unpack
Rule: HKTL_NET_GUID_Stealer
Description: Detects c# red/black-team tools via typelibguid
Author: Arnim Rupp
Strings:
  • 0x615f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

Source: 8.0.Windows Update.exe.3d0000.10.unpack
Rule: JoeSecurity_PredatorPainRAT
Description: Yara detected PredatorPainRAT
Author: Kevin Breen <kevin@techanarchy.net>

Source: 8.0.Windows Update.exe.3d0000.10.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 8.0.Windows Update.exe.3d0000.10.unpack
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security