
Windows Analysis Report 5.exe

Overview

General Information

Sample Name: 5.exe
Analysis ID: 535767
MD5: 3f332b62eee0970f3189c689d5bd042a
SHA1: f68f7dcc8ffcdd3f93333e711779e8d02db2dfae
SHA256: 7c7983ada08828ea0c0ed5b17b05f8dad5bf6fa44e1a4692c37f18c340e14219
Tags: exe, Hawkeye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected MSIL Injector
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Deletes itself after installation
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Installs a global keyboard hook
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
May infect USB drives
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Social media urls found in memory data
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 5.exe (PID: 1928 cmdline: "C:\Users\user\Desktop\5.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
    • 5.exe (PID: 1060 cmdline: "C:\Users\user\Desktop\5.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
      • Windows Update.exe (PID: 5844 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
        • Windows Update.exe (PID: 6244 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
          • dw20.exe (PID: 6640 cmdline: dw20.exe -x -s 2128 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
          • vbc.exe (PID: 6716 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 6736 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 7152 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 2128 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • WerFault.exe (PID: 3456 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 2128 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 7036 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
    • WindowsUpdate.exe (PID: 4320 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author

0000000A.00000002.391527665.00000000075C0000.00000004.00020000.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

0000000F.00000000.330182095.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

0000000A.00000000.357304833.00000000075C0000.00000004.00020000.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

00000010.00000000.331574384.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

00000006.00000002.309901601.00000000147A0000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x8ccca:$key: HawkEyeKeylogger
  • 0x8ef2c:$salt: 099u787978786
  • 0x8d30b:$string1: HawkEye_Keylogger
  • 0x8e15e:$string1: HawkEye_Keylogger
  • 0x8ee8c:$string1: HawkEye_Keylogger
  • 0x8d6f4:$string2: holdermail.txt
  • 0x8d714:$string2: holdermail.txt
  • 0x8d636:$string3: wallet.dat
  • 0x8d64e:$string3: wallet.dat
  • 0x8d664:$string3: wallet.dat
  • 0x8ea50:$string4: Keylog Records
  • 0x8ed68:$string4: Keylog Records
  • 0x8ef84:$string5: do not script -->
  • 0x8ccb2:$string6: \pidloc.txt
  • 0x8cd40:$string7: BSPLIT
  • 0x8cd50:$string7: BSPLIT

Unpacked PEs

Source | Rule | Description | Author

10.0.Windows Update.exe.4b3fa72.56.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x1dc00:$key: HawkEyeKeylogger
  • 0x1fe62:$salt: 099u787978786
  • 0x1e241:$string1: HawkEye_Keylogger
  • 0x1f094:$string1: HawkEye_Keylogger
  • 0x1fdc2:$string1: HawkEye_Keylogger
  • 0x1e62a:$string2: holdermail.txt
  • 0x1e64a:$string2: holdermail.txt
  • 0x1e56c:$string3: wallet.dat
  • 0x1e584:$string3: wallet.dat
  • 0x1e59a:$string3: wallet.dat
  • 0x1f986:$string4: Keylog Records
  • 0x1fc9e:$string4: Keylog Records
  • 0x1feba:$string5: do not script -->
  • 0x1dbe8:$string6: \pidloc.txt
  • 0x1dc76:$string7: BSPLIT
  • 0x1dc86:$string7: BSPLIT

10.0.Windows Update.exe.4b3fa72.56.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

10.0.Windows Update.exe.4b3fa72.56.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

10.0.Windows Update.exe.4b3fa72.56.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x1e299:$hawkstr1: HawkEye Keylogger
  • 0x1f0da:$hawkstr1: HawkEye Keylogger
  • 0x1f409:$hawkstr1: HawkEye Keylogger
  • 0x1f564:$hawkstr1: HawkEye Keylogger
  • 0x1f6c7:$hawkstr1: HawkEye Keylogger
  • 0x1f95e:$hawkstr1: HawkEye Keylogger
  • 0x1de27:$hawkstr2: Dear HawkEye Customers!
  • 0x1f45c:$hawkstr2: Dear HawkEye Customers!
  • 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
  • 0x1f71a:$hawkstr2: Dear HawkEye Customers!
  • 0x1df48:$hawkstr3: HawkEye Logger Details:

2.2.5.exe.4a5dc92.9.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x1dc00:$key: HawkEyeKeylogger
  • 0x1fe62:$salt: 099u787978786
  • 0x1e241:$string1: HawkEye_Keylogger
  • 0x1f094:$string1: HawkEye_Keylogger
  • 0x1fdc2:$string1: HawkEye_Keylogger
  • 0x1e62a:$string2: holdermail.txt
  • 0x1e64a:$string2: holdermail.txt
  • 0x1e56c:$string3: wallet.dat
  • 0x1e584:$string3: wallet.dat
  • 0x1e59a:$string3: wallet.dat
  • 0x1f986:$string4: Keylog Records
  • 0x1fc9e:$string4: Keylog Records
  • 0x1feba:$string5: do not script -->
  • 0x1dbe8:$string6: \pidloc.txt
  • 0x1dc76:$string7: BSPLIT
  • 0x1dc86:$string7: BSPLIT