Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
PE file has nameless sections
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)