Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report


General Information

Sample Name:tDb0ggawON (renamed file extension from none to exe)
Analysis ID:571678


HawkEye MailPassView
Range:0 - 100


Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected HawkEye Rat
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to log keystrokes (.Net Source)
Tries to steal Mail credentials (via file registry)
Changes the view of files in windows explorer (hidden files and folders)
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected WebBrowserPassView password recovery tool
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Uses FTP
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard


  • System is w10x64
  • tDb0ggawON.exe (PID: 5752 cmdline: "C:\Users\user\Desktop\tDb0ggawON.exe" MD5: 91DE6EFC69676A4DD4CED5E2111AB489)
    • tDb0ggawON.exe (PID: 3536 cmdline: C:\Users\user\Desktop\tDb0ggawON.exe MD5: 91DE6EFC69676A4DD4CED5E2111AB489)
      • vbc.exe (PID: 1632 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 2272 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup
No configs have been found
0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
    0000000F.00000000.337528444.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
      0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
        0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
        • 0x7b748:$key: HawkEyeKeylogger
        • 0x7d946:$salt: 099u787978786
        • 0x7bd61:$string1: HawkEye_Keylogger
        • 0x7cbb4:$string1: HawkEye_Keylogger
        • 0x7d8a6:$string1: HawkEye_Keylogger
        • 0x7c14a:$string2: holdermail.txt
        • 0x7c16a:$string2: holdermail.txt
        • 0x7c08c:$string3: wallet.dat
        • 0x7c0a4:$string3: wallet.dat
        • 0x7c0ba:$string3: wallet.dat
        • 0x7d488:$string4: Keylog Records
        • 0x7d7a0:$string4: Keylog Records
        • 0x7d99e:$string5: do not script -->
        • 0x7b730:$string6: \pidloc.txt
        • 0x7b796:$string7: BSPLIT
        • 0x7b7a6:$string7: BSPLIT
        0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
          Click to see the 54 entries
          11.2.tDb0ggawON.exe.81e0000.10.raw.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
          • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
          11.2.tDb0ggawON.exe.45fa72.1.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
            15.0.vbc.exe.400000.4.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
              15.0.vbc.exe.400000.2.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
                15.0.vbc.exe.400000.3.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security