Windows Analysis Report Hpdyv8oO3j.exe

Overview

General Information

Sample Name: Hpdyv8oO3j.exe
Analysis ID: 524274
MD5: dffaf08a25150b38c19210c180862aeb
SHA1: a28b135b64a08d5ed30621aac5c3e955d4d090fb
SHA256: 8fdbfbf55033187c6a4d3cd7d42394cd56cbd3b5a9dc905e72aef2886172be36
Tags: exe, njrat, RAT

Detection

HawkEye MailPassView Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Creates multiple autostart registry keys
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Uses cmd line tools excessively to alter registry or file data
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Creates files with lurking names (e.g. Crack.exe)
Injects a PE file into a foreign processes
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Installs a global keyboard hook
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
.NET source code contains very large strings
Machine Learning detection for dropped file
Modifies the windows firewall
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Social media urls found in memory data
Uses taskkill to terminate processes
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to query network adapter information
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Hpdyv8oO3j.exe (PID: 6436 cmdline: "C:\Users\user\Desktop\Hpdyv8oO3j.exe" MD5: DFFAF08A25150B38C19210C180862AEB)
    • Keylogger.exe (PID: 4492 cmdline: "C:\Users\user\AppData\Local\Temp\Keylogger.exe" MD5: C4E4A84909D8FF8DD222B8252365985D)
      • Windows Update.exe (PID: 5624 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: C4E4A84909D8FF8DD222B8252365985D)
        • dw20.exe (PID: 4332 cmdline: dw20.exe -x -s 2528 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
        • vbc.exe (PID: 6444 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 1364 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 1980 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • hhzclipper.exe (PID: 1244 cmdline: "C:\Users\user\AppData\Local\Temp\hhzclipper.exe" MD5: FC07BE5E90A1FFA22B22D3BC58A43E58)
    • RedLine.MainPanel-cracked.exe (PID: 4140 cmdline: "C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe" MD5: 098F7F40BACA320377ECA83FBF87F534)
      • RedLine.exe (PID: 4236 cmdline: "C:\Users\user\AppData\Roaming\RedLine.exe" MD5: 098F7F40BACA320377ECA83FBF87F534)
        • netsh.exe (PID: 7096 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\RedLine.exe" "RedLine.exe" ENABLE MD5: 98CC37BBF363A38834253E22C80A8F32)
          • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RedLine.MainPanel-cracked.exe (PID: 7032 cmdline: "C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe" MD5: 098F7F40BACA320377ECA83FBF87F534)
    • cmd.exe (PID: 3348 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HOST.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ViRuS.exe (PID: 2988 cmdline: "C:\Users\user\AppData\Local\Temp\ViRuS.exe" MD5: D0F09063EA6922ACBFC734145FA48203)
      • attrib.exe (PID: 5332 cmdline: C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\system32\user32dll.exe MD5: A5540E9F87D4CB083BDF8269DEC1CFF9)
        • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • attrib.exe (PID: 7160 cmdline: C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk MD5: A5540E9F87D4CB083BDF8269DEC1CFF9)
        • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • taskkill.exe (PID: 7116 cmdline: taskkill /f /im "ViRuS.exe" MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
        • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • user32dll.exe (PID: 7128 cmdline: "C:\Windows\SysWOW64\user32dll.exe" MD5: D0F09063EA6922ACBFC734145FA48203)
    • taskkill.exe (PID: 7156 cmdline: taskkill /f /im "user32dll.exe" MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WerFault.exe (PID: 1008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • RedLine.exe (PID: 6688 cmdline: "C:\Users\user\AppData\Roaming\RedLine.exe" .. MD5: 098F7F40BACA320377ECA83FBF87F534)
  • WindowsUpdate.exe (PID: 6300 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: C4E4A84909D8FF8DD222B8252365985D)
    • Windows Update.exe (PID: 5248 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: C4E4A84909D8FF8DD222B8252365985D)
      • dw20.exe (PID: 7048 cmdline: dw20.exe -x -s 2472 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 4964 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7156 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • RedLine.exe (PID: 4864 cmdline: "C:\Users\user\AppData\Roaming\RedLine.exe" .. MD5: 098F7F40BACA320377ECA83FBF87F534)
  • WindowsUpdate.exe (PID: 4456 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: C4E4A84909D8FF8DD222B8252365985D)
  • RedLine.exe (PID: 3408 cmdline: "C:\Users\user\AppData\Roaming\RedLine.exe" .. MD5: 098F7F40BACA320377ECA83FBF87F534)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Keylogger.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b809:$key: HawkEyeKeylogger
  • 0x7db3f:$salt: 099u787978786
  • 0x7bec6:$string1: HawkEye_Keylogger
  • 0x7cd19:$string1: HawkEye_Keylogger
  • 0x7da9f:$string1: HawkEye_Keylogger
  • 0x7c2af:$string2: holdermail.txt
  • 0x7c2cf:$string2: holdermail.txt
  • 0x7c1f1:$string3: wallet.dat
  • 0x7c209:$string3: wallet.dat
  • 0x7c21f:$string3: wallet.dat
  • 0x7d663:$string4: Keylog Records
  • 0x7d97b:$string4: Keylog Records
  • 0x7db97:$string5: do not script -->
  • 0x7b7f1:$string6: \pidloc.txt
  • 0x7b87f:$string7: BSPLIT
  • 0x7b88f:$string7: BSPLIT
C:\Users\user\AppData\Local\Temp\Keylogger.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Local\Temp\Keylogger.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
C:\Users\user\AppData\Local\Temp\Keylogger.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
C:\Users\user\AppData\Local\Temp\Keylogger.exe | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.401046205.000000000384C000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000001C.00000000.394707935.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000019.00000002.567099655.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000002A.00000002.490818765.0000000002EA1000.00000004.00000001.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0000002A.00000002.490818765.0000000002EA1000.00000004.00000001.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x1e963:$a1: netsh firewall add allowedprogram
  • 0x341bb:$a1: netsh firewall add allowedprogram
  • 0x3c1d3:$a1: netsh firewall add allowedprogram
  • 0x1e933:$a2: SEE_MASK_NOZONECHECKS
  • 0x3418b:$a2: SEE_MASK_NOZONECHECKS
  • 0x3c1a3:$a2: SEE_MASK_NOZONECHECKS
  • 0x1eb53:$b1: [TAP]
  • 0x343ab:$b1: [TAP]
  • 0x3c3c3:$b1: [TAP]
  • 0x1ea4f:$c3: cmd.exe /c ping
  • 0x342a7:$c3: cmd.exe /c ping
  • 0x3c2bf:$c3: cmd.exe /c ping

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.Windows Update.exe.350b42c.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
17.2.Windows Update.exe.7f20000.9.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x67d3:$a1: netsh firewall add allowedprogram
  • 0x1c02b:$a1: netsh firewall add allowedprogram
  • 0x24043:$a1: netsh firewall add allowedprogram
  • 0x67a3:$a2: SEE_MASK_NOZONECHECKS
  • 0x1bffb:$a2: SEE_MASK_NOZONECHECKS
  • 0x24013:$a2: SEE_MASK_NOZONECHECKS
  • 0x69c3:$b1: [TAP]
  • 0x1c21b:$b1: [TAP]
  • 0x24233:$b1: [TAP]
  • 0x68bf:$c3: cmd.exe /c ping
  • 0x1c117:$c3: cmd.exe /c ping
  • 0x2412f:$c3: cmd.exe /c ping
4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x67a3:$reg: SEE_MASK_NOZONECHECKS
  • 0x1bffb:$reg: SEE_MASK_NOZONECHECKS
  • 0x24013:$reg: SEE_MASK_NOZONECHECKS
  • 0x64a4:$msg: Execute ERROR
  • 0x653e:$msg: Execute ERROR
  • 0x1bcfc:$msg: Execute ERROR
  • 0x1bd96:$msg: Execute ERROR
  • 0x23d14:$msg: Execute ERROR
  • 0x23dae:$msg: Execute ERROR
  • 0x68bf:$ping: cmd.exe /c ping 0 -n 2 & del
  • 0x1c117:$ping: cmd.exe /c ping 0 -n 2 & del
  • 0x2412f:$ping: cmd.exe /c ping 0 -n 2 & del