Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
tDb0ggawON

Overview

General Information

Sample Name:tDb0ggawON (renamed file extension from none to exe)
Analysis ID:571678
MD5:91de6efc69676a4dd4ced5e2111ab489
SHA1:262f23feee502e24d6d044c05bcb7b3153b3920e
SHA256:57754827b4e179d20088be1aa0fec9d1f8e3a872e81103b2c7264f80a0a86b36
Tags:32exeHawkEyetrojan
Infos:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected HawkEye Rat
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to log keystrokes (.Net Source)
Tries to steal Mail credentials (via file registry)
Changes the view of files in windows explorer (hidden files and folders)
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected WebBrowserPassView password recovery tool
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Uses FTP
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • tDb0ggawON.exe (PID: 5752 cmdline: "C:\Users\user\Desktop\tDb0ggawON.exe" MD5: 91DE6EFC69676A4DD4CED5E2111AB489)
    • tDb0ggawON.exe (PID: 3536 cmdline: C:\Users\user\Desktop\tDb0ggawON.exe MD5: 91DE6EFC69676A4DD4CED5E2111AB489)
      • vbc.exe (PID: 1632 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 2272 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
    0000000F.00000000.337528444.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
      0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
        0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
        • 0x7b748:$key: HawkEyeKeylogger
        • 0x7d946:$salt: 099u787978786
        • 0x7bd61:$string1: HawkEye_Keylogger
        • 0x7cbb4:$string1: HawkEye_Keylogger
        • 0x7d8a6:$string1: HawkEye_Keylogger
        • 0x7c14a:$string2: holdermail.txt
        • 0x7c16a:$string2: holdermail.txt
        • 0x7c08c:$string3: wallet.dat
        • 0x7c0a4:$string3: wallet.dat
        • 0x7c0ba:$string3: wallet.dat
        • 0x7d488:$string4: Keylog Records
        • 0x7d7a0:$string4: Keylog Records
        • 0x7d99e:$string5: do not script -->
        • 0x7b730:$string6: \pidloc.txt
        • 0x7b796:$string7: BSPLIT
        • 0x7b7a6:$string7: BSPLIT
        0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
          Click to see the 54 entries
          SourceRuleDescriptionAuthorStrings
          11.2.tDb0ggawON.exe.81e0000.10.raw.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
          • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
          11.2.tDb0ggawON.exe.45fa72.1.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
            15.0.vbc.exe.400000.4.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
              15.0.vbc.exe.400000.2.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
                15.0.vbc.exe.400000.3.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security