Windows Analysis Report NEW PO.exe

Overview

General Information

Sample Name: NEW PO.exe
Analysis ID: 511007
MD5: 770f6e88b7bf3fe3aae144a5aa41dc96
SHA1: ed96d179403ab319da62c092a817a5ebeea8c3da
SHA256: 08187be5bb78da6c7751c5d870d46e43e6b4204db6abf2cc2d80e9830fd136ba
Tags: exe, hawkeye
Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Yara detected AntiVM3
Malicious sample detected (through community Yara rule)
Detected HawkEye Rat
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc.)
Sample uses process hollowing technique
Installs a global keyboard hook
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name is different from the original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • NEW PO.exe (PID: 7156 cmdline: 'C:\Users\user\Desktop\NEW PO.exe' MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)
    • NEW PO.exe (PID: 6044 cmdline: C:\Users\user\Desktop\NEW PO.exe MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)
      • vbc.exe (PID: 6692 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6728 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • WerFault.exe (PID: 6724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2424 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 6976 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)
    • WindowsUpdate.exe (PID: 7120 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)
  • WindowsUpdate.exe (PID: 4816 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)
    • WindowsUpdate.exe (PID: 3996 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)
      • vbc.exe (PID: 6828 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5076 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • WerFault.exe (PID: 6008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 5028 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x25f8:$hawkstr1: HawkEye Keylogger
  • 0x2088:$hawkstr2: Dear HawkEye Customers!
  • 0x21b6:$hawkstr3: HawkEye Logger Details:

Source: 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp
Rule: HKTL_NET_GUID_Stealer
Description: Detects c# red/black-team tools via typelibguid
Author: Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7230:$hawkstr1: HawkEye Keylogger
  • 0xc090:$hawkstr1: HawkEye Keylogger
  • 0xc0f0:$hawkstr2: Dear HawkEye Customers!
  • 0x126:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source: 7.0.NEW PO.exe.2d9bffc.45.raw.unpack
Rule: HKTL_NET_GUID_Stealer
Description: Detects c# red/black-team tools via typelibguid
Author: Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

Source: 7.0.NEW PO.exe.2afd174.43.raw.unpack
Rule: HKTL_NET_GUID_Stealer
Description: Detects c# red/black-team tools via typelibguid
Author: Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

Source: 7.0.NEW PO.exe.7ee0000.37.raw.unpack
Rule: HKTL_NET_GUID_Stealer
Description: Detects c# red/black-team tools via typelibguid
Author: Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

Source: 7.0.NEW PO.exe.45fa72.29.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 16.0.WindowsUpdate.exe.45fa72.22.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security