Windows Analysis Report
ORDER-NEW....pdf.exe

Overview

General Information

Sample Name: ORDER-NEW....pdf.exe
Analysis ID: 557358
MD5: 1baec657210438b896934a7a793c204c
SHA1: 4729717dab3dd01b2ca591c86a02176386e02356
SHA256: b041030454ea89a3ff2326405d3bf230f53daa9ecd50c3e3882a1ad6c0d2427c

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected HawkEye Rat
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Yara detected WebBrowserPassView password recovery tool
PE file has nameless sections
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc.)
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file name differs from the original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

  • System is w10x64
  • ORDER-NEW....pdf.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\ORDER-NEW....pdf.exe" MD5: 1BAEC657210438B896934A7A793C204C)
    • AppLaunch.exe (PID: 7160 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
      • vbc.exe (PID: 6356 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB254.tmp" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 4296 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB202.tmp" MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • WerFault.exe (PID: 6432 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4100 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
No configs have been found
Source | Rule | Description | Author
00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8793a:$s1: HawkEye Keylogger
  • 0x879a3:$s1: HawkEye Keylogger
  • 0x80d7d:$s2: _ScreenshotLogger
  • 0x80d4a:$s3: _PasswordStealer
00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
52 entries in total.

Source | Rule | Description | Author
18.0.vbc.exe.400000.4.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
18.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87b3a:$s1: HawkEye Keylogger
  • 0x87ba3:$s1: HawkEye Keylogger
  • 0x11205a:$s1: HawkEye Keylogger
  • 0x1120c3:$s1: HawkEye Keylogger
  • 0x80f7d:$s2: _ScreenshotLogger
  • 0x10b49d:$s2: _ScreenshotLogger
  • 0x80f4a:$s3: _PasswordStealer
  • 0x10b46a:$s3: _PasswordStealer
0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp
  • 0x8750d:$name: ConfuserEx
  • 0x111a2d:$name: ConfuserEx
  • 0x8621a:$compile: AssemblyTitle
  • 0x11073a:$compile: AssemblyTitle
0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
211 entries in total.

No Sigma rule has matched

AV Detection

Source: ORDER-NEW....pdf.exe | Virustotal: Detection: 62%
Source: ORDER-NEW....pdf.exe | ReversingLabs: Detection: 93%
Source: ORDER-NEW....pdf.exe | Avira: detected
Source: https://a.pomf.cat/ | Avira URL Cloud: Label: phishing
Source: ORDER-NEW....pdf.exe | Joe Sandbox ML: detected
Source: 5.0.AppLaunch.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.0.AppLaunch.exe.400000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.0.AppLaunch.exe.400000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.2.AppLaunch.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.0.AppLaunch.exe.400000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.0.AppLaunch.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: ORDER-NEW....pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ORDER-NEW....pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorlib.pdbD source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
Source: Binary string: System.pdbd source: WER450B.tmp.dmp.9.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER450B.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.716135209.00000000082D2000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740801711.00000000082D2000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER450B.tmp.dmp.9.dr
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER450B.tmp.dmp.9.dr
Source: Binary string: .pdb+ source: