Edit tour

Windows Analysis Report
tDb0ggawON

Overview

General Information

Sample Name:	tDb0ggawON (renamed file extension from none to exe)
Analysis ID:	571678
MD5:	91de6efc69676a4dd4ced5e2111ab489
SHA1:	262f23feee502e24d6d044c05bcb7b3153b3920e
SHA256:	57754827b4e179d20088be1aa0fec9d1f8e3a872e81103b2c7264f80a0a86b36
Tags:	32exeHawkEyetrojan
Infos:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected MailPassView

Multi AV Scanner detection for submitted file

Yara detected HawkEye Keylogger

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected HawkEye Rat

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality to log keystrokes (.Net Source)

Tries to steal Mail credentials (via file registry)

Changes the view of files in windows explorer (hidden files and folders)

Machine Learning detection for sample

.NET source code contains potential unpacker

Yara detected WebBrowserPassView password recovery tool

Tries to steal Instant Messenger accounts or passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

May infect USB drives

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Detected TCP or UDP traffic on non-standard ports

Uses FTP

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

tDb0ggawON.exe (PID: 5752 cmdline: "C:\Users\user\Desktop\tDb0ggawON.exe" MD5: 91DE6EFC69676A4DD4CED5E2111AB489)

tDb0ggawON.exe (PID: 3536 cmdline: C:\Users\user\Desktop\tDb0ggawON.exe MD5: 91DE6EFC69676A4DD4CED5E2111AB489)

vbc.exe (PID: 1632 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 2272 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000F.00000000.337528444.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b748:$key: HawkEyeKeylogger 0x7d946:$salt: 099u787978786 0x7bd61:$string1: HawkEye_Keylogger 0x7cbb4:$string1: HawkEye_Keylogger 0x7d8a6:$string1: HawkEye_Keylogger 0x7c14a:$string2: holdermail.txt 0x7c16a:$string2: holdermail.txt 0x7c08c:$string3: wallet.dat 0x7c0a4:$string3: wallet.dat 0x7c0ba:$string3: wallet.dat 0x7d488:$string4: Keylog Records 0x7d7a0:$string4: Keylog Records 0x7d99e:$string5: do not script --> 0x7b730:$string6: \pidloc.txt 0x7b796:$string7: BSPLIT 0x7b7a6:$string7: BSPLIT
0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bdb9:$hawkstr1: HawkEye Keylogger 0x7cbfa:$hawkstr1: HawkEye Keylogger 0x7cf29:$hawkstr1: HawkEye Keylogger 0x7d084:$hawkstr1: HawkEye Keylogger 0x7d1e7:$hawkstr1: HawkEye Keylogger 0x7d460:$hawkstr1: HawkEye Keylogger 0x7b947:$hawkstr2: Dear HawkEye Customers! 0x7cf7c:$hawkstr2: Dear HawkEye Customers! 0x7d0d3:$hawkstr2: Dear HawkEye Customers! 0x7d23a:$hawkstr2: Dear HawkEye Customers! 0x7ba68:$hawkstr3: HawkEye Logger Details:
0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000E.00000000.335816568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000F.00000000.337820875.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000F.00000000.337259386.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b748:$key: HawkEyeKeylogger 0x7d946:$salt: 099u787978786 0x7bd61:$string1: HawkEye_Keylogger 0x7cbb4:$string1: HawkEye_Keylogger 0x7d8a6:$string1: HawkEye_Keylogger 0x7c14a:$string2: holdermail.txt 0x7c16a:$string2: holdermail.txt 0x7c08c:$string3: wallet.dat 0x7c0a4:$string3: wallet.dat 0x7c0ba:$string3: wallet.dat 0x7d488:$string4: Keylog Records 0x7d7a0:$string4: Keylog Records 0x7d99e:$string5: do not script --> 0x7b730:$string6: \pidloc.txt 0x7b796:$string7: BSPLIT 0x7b7a6:$string7: BSPLIT
0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bdb9:$hawkstr1: HawkEye Keylogger 0x7cbfa:$hawkstr1: HawkEye Keylogger 0x7cf29:$hawkstr1: HawkEye Keylogger 0x7d084:$hawkstr1: HawkEye Keylogger 0x7d1e7:$hawkstr1: HawkEye Keylogger 0x7d460:$hawkstr1: HawkEye Keylogger 0x7b947:$hawkstr2: Dear HawkEye Customers! 0x7cf7c:$hawkstr2: Dear HawkEye Customers! 0x7d0d3:$hawkstr2: Dear HawkEye Customers! 0x7d23a:$hawkstr2: Dear HawkEye Customers! 0x7ba68:$hawkstr3: HawkEye Logger Details:
0000000B.00000002.520798219.00000000081E0000.00000004.08000000.00040000.00000000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000E.00000000.336658254.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000E.00000000.336146363.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000B.00000002.520764467.0000000008080000.00000004.08000000.00040000.00000000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b748:$key: HawkEyeKeylogger 0x7d946:$salt: 099u787978786 0x7bd61:$string1: HawkEye_Keylogger 0x7cbb4:$string1: HawkEye_Keylogger 0x7d8a6:$string1: HawkEye_Keylogger 0x7c14a:$string2: holdermail.txt 0x7c16a:$string2: holdermail.txt 0x7c08c:$string3: wallet.dat 0x7c0a4:$string3: wallet.dat 0x7c0ba:$string3: wallet.dat 0x7d488:$string4: Keylog Records 0x7d7a0:$string4: Keylog Records 0x7d99e:$string5: do not script --> 0x7b730:$string6: \pidloc.txt 0x7b796:$string7: BSPLIT 0x7b7a6:$string7: BSPLIT
0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bdb9:$hawkstr1: HawkEye Keylogger 0x7cbfa:$hawkstr1: HawkEye Keylogger 0x7cf29:$hawkstr1: HawkEye Keylogger 0x7d084:$hawkstr1: HawkEye Keylogger 0x7d1e7:$hawkstr1: HawkEye Keylogger 0x7d460:$hawkstr1: HawkEye Keylogger 0x7b947:$hawkstr2: Dear HawkEye Customers! 0x7cf7c:$hawkstr2: Dear HawkEye Customers! 0x7d0d3:$hawkstr2: Dear HawkEye Customers! 0x7d23a:$hawkstr2: Dear HawkEye Customers! 0x7ba68:$hawkstr3: HawkEye Logger Details:
0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b748:$key: HawkEyeKeylogger 0x7d946:$salt: 099u787978786 0x7bd61:$string1: HawkEye_Keylogger 0x7cbb4:$string1: HawkEye_Keylogger 0x7d8a6:$string1: HawkEye_Keylogger 0x7c14a:$string2: holdermail.txt 0x7c16a:$string2: holdermail.txt 0x7c08c:$string3: wallet.dat 0x7c0a4:$string3: wallet.dat 0x7c0ba:$string3: wallet.dat 0x7d488:$string4: Keylog Records 0x7d7a0:$string4: Keylog Records 0x7d99e:$string5: do not script --> 0x7b730:$string6: \pidloc.txt 0x7b796:$string7: BSPLIT 0x7b7a6:$string7: BSPLIT
0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bdb9:$hawkstr1: HawkEye Keylogger 0x7cbfa:$hawkstr1: HawkEye Keylogger 0x7cf29:$hawkstr1: HawkEye Keylogger 0x7d084:$hawkstr1: HawkEye Keylogger 0x7d1e7:$hawkstr1: HawkEye Keylogger 0x7d460:$hawkstr1: HawkEye Keylogger 0x7b947:$hawkstr2: Dear HawkEye Customers! 0x7cf7c:$hawkstr2: Dear HawkEye Customers! 0x7d0d3:$hawkstr2: Dear HawkEye Customers! 0x7d23a:$hawkstr2: Dear HawkEye Customers! 0x7ba68:$hawkstr3: HawkEye Logger Details:
0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b748:$key: HawkEyeKeylogger 0x7d946:$salt: 099u787978786 0x7bd61:$string1: HawkEye_Keylogger 0x7cbb4:$string1: HawkEye_Keylogger 0x7d8a6:$string1: HawkEye_Keylogger 0x7c14a:$string2: holdermail.txt 0x7c16a:$string2: holdermail.txt 0x7c08c:$string3: wallet.dat 0x7c0a4:$string3: wallet.dat 0x7c0ba:$string3: wallet.dat 0x7d488:$string4: Keylog Records 0x7d7a0:$string4: Keylog Records 0x7d99e:$string5: do not script --> 0x7b730:$string6: \pidloc.txt 0x7b796:$string7: BSPLIT 0x7b7a6:$string7: BSPLIT
0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bdb9:$hawkstr1: HawkEye Keylogger 0x7cbfa:$hawkstr1: HawkEye Keylogger 0x7cf29:$hawkstr1: HawkEye Keylogger 0x7d084:$hawkstr1: HawkEye Keylogger 0x7d1e7:$hawkstr1: HawkEye Keylogger 0x7d460:$hawkstr1: HawkEye Keylogger 0x7b947:$hawkstr2: Dear HawkEye Customers! 0x7cf7c:$hawkstr2: Dear HawkEye Customers! 0x7d0d3:$hawkstr2: Dear HawkEye Customers! 0x7d23a:$hawkstr2: Dear HawkEye Customers! 0x7ba68:$hawkstr3: HawkEye Logger Details:
00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b980:$key: HawkEyeKeylogger 0xfdba0:$key: HawkEyeKeylogger 0x7db7e:$salt: 099u787978786 0xffd9e:$salt: 099u787978786 0x7bf99:$string1: HawkEye_Keylogger 0x7cdec:$string1: HawkEye_Keylogger 0x7dade:$string1: HawkEye_Keylogger 0xfe1b9:$string1: HawkEye_Keylogger 0xff00c:$string1: HawkEye_Keylogger 0xffcfe:$string1: HawkEye_Keylogger 0x7c382:$string2: holdermail.txt 0x7c3a2:$string2: holdermail.txt 0xfe5a2:$string2: holdermail.txt 0xfe5c2:$string2: holdermail.txt 0x7c2c4:$string3: wallet.dat 0x7c2dc:$string3: wallet.dat 0x7c2f2:$string3: wallet.dat 0xfe4e4:$string3: wallet.dat 0xfe4fc:$string3: wallet.dat 0xfe512:$string3: wallet.dat 0x7d6c0:$string4: Keylog Records
00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bff1:$hawkstr1: HawkEye Keylogger 0x7ce32:$hawkstr1: HawkEye Keylogger 0x7d161:$hawkstr1: HawkEye Keylogger 0x7d2bc:$hawkstr1: HawkEye Keylogger 0x7d41f:$hawkstr1: HawkEye Keylogger 0x7d698:$hawkstr1: HawkEye Keylogger 0xfe211:$hawkstr1: HawkEye Keylogger 0xff052:$hawkstr1: HawkEye Keylogger 0xff381:$hawkstr1: HawkEye Keylogger 0xff4dc:$hawkstr1: HawkEye Keylogger 0xff63f:$hawkstr1: HawkEye Keylogger 0xff8b8:$hawkstr1: HawkEye Keylogger 0x7bb7f:$hawkstr2: Dear HawkEye Customers! 0x7d1b4:$hawkstr2: Dear HawkEye Customers! 0x7d30b:$hawkstr2: Dear HawkEye Customers! 0x7d472:$hawkstr2: Dear HawkEye Customers! 0xfdd9f:$hawkstr2: Dear HawkEye Customers! 0xff3d4:$hawkstr2: Dear HawkEye Customers! 0xff52b:$hawkstr2: Dear HawkEye Customers! 0xff692:$hawkstr2: Dear HawkEye Customers! 0x7bca0:$hawkstr3: HawkEye Logger Details:
00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x37e58:$hawkstr1: HawkEye Keylogger 0x3aff0:$hawkstr1: HawkEye Keylogger 0x3b370:$hawkstr1: HawkEye Keylogger 0x3dee4:$hawkstr1: HawkEye Keylogger 0x409dc:$hawkstr1: HawkEye Keylogger 0x37910:$hawkstr2: Dear HawkEye Customers! 0x3b050:$hawkstr2: Dear HawkEye Customers! 0x3b3d0:$hawkstr2: Dear HawkEye Customers! 0x40a38:$hawkstr2: Dear HawkEye Customers! 0x37a3e:$hawkstr3: HawkEye Logger Details:
00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7eca38:$key: HawkEyeKeylogger 0x7eec36:$salt: 099u787978786 0x7ed051:$string1: HawkEye_Keylogger 0x7edea4:$string1: HawkEye_Keylogger 0x7eeb96:$string1: HawkEye_Keylogger 0x7ed43a:$string2: holdermail.txt 0x7ed45a:$string2: holdermail.txt 0x7ed37c:$string3: wallet.dat 0x7ed394:$string3: wallet.dat 0x7ed3aa:$string3: wallet.dat 0x7ee778:$string4: Keylog Records 0x7eea90:$string4: Keylog Records 0x7eec8e:$string5: do not script --> 0x7eca20:$string6: \pidloc.txt 0x7eca86:$string7: BSPLIT 0x7eca96:$string7: BSPLIT
00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7ed0a9:$hawkstr1: HawkEye Keylogger 0x7edeea:$hawkstr1: HawkEye Keylogger 0x7ee219:$hawkstr1: HawkEye Keylogger 0x7ee374:$hawkstr1: HawkEye Keylogger 0x7ee4d7:$hawkstr1: HawkEye Keylogger 0x7ee750:$hawkstr1: HawkEye Keylogger 0x7ecc37:$hawkstr2: Dear HawkEye Customers! 0x7ee26c:$hawkstr2: Dear HawkEye Customers! 0x7ee3c3:$hawkstr2: Dear HawkEye Customers! 0x7ee52a:$hawkstr2: Dear HawkEye Customers! 0x7ecd58:$hawkstr3: HawkEye Logger Details:
Process Memory Space: tDb0ggawON.exe PID: 5752	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tDb0ggawON.exe PID: 5752	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: tDb0ggawON.exe PID: 5752	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: tDb0ggawON.exe PID: 5752	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: tDb0ggawON.exe PID: 3536	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: tDb0ggawON.exe PID: 3536	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: tDb0ggawON.exe PID: 3536	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 1632	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 2272	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Click to see the 54 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.tDb0ggawON.exe.81e0000.10.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
11.2.tDb0ggawON.exe.45fa72.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.0.vbc.exe.400000.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.0.vbc.exe.400000.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.0.vbc.exe.400000.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
11.2.tDb0ggawON.exe.8080000.9.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.tDb0ggawON.exe.630ecaa.7.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
14.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
14.0.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.2.tDb0ggawON.exe.409c0d.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.0.tDb0ggawON.exe.45fa72.13.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dcd6:$key: HawkEyeKeylogger 0x1fed4:$salt: 099u787978786 0x1e2ef:$string1: HawkEye_Keylogger 0x1f142:$string1: HawkEye_Keylogger 0x1fe34:$string1: HawkEye_Keylogger 0x1e6d8:$string2: holdermail.txt 0x1e6f8:$string2: holdermail.txt 0x1e61a:$string3: wallet.dat 0x1e632:$string3: wallet.dat 0x1e648:$string3: wallet.dat 0x1fa16:$string4: Keylog Records 0x1fd2e:$string4: Keylog Records 0x1ff2c:$string5: do not script --> 0x1dcbe:$string6: \pidloc.txt 0x1dd24:$string7: BSPLIT 0x1dd34:$string7: BSPLIT
11.0.tDb0ggawON.exe.45fa72.13.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
11.0.tDb0ggawON.exe.45fa72.13.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
11.0.tDb0ggawON.exe.45fa72.13.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e347:$hawkstr1: HawkEye Keylogger 0x1f188:$hawkstr1: HawkEye Keylogger 0x1f4b7:$hawkstr1: HawkEye Keylogger 0x1f612:$hawkstr1: HawkEye Keylogger 0x1f775:$hawkstr1: HawkEye Keylogger 0x1f9ee:$hawkstr1: HawkEye Keylogger 0x1ded5:$hawkstr2: Dear HawkEye Customers! 0x1f50a:$hawkstr2: Dear HawkEye Customers! 0x1f661:$hawkstr2: Dear HawkEye Customers! 0x1f7c8:$hawkstr2: Dear HawkEye Customers! 0x1dff6:$hawkstr3: HawkEye Logger Details:
11.0.tDb0ggawON.exe.409c0d.14.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
14.0.vbc.exe.400000.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.0.tDb0ggawON.exe.409c0d.18.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
14.0.vbc.exe.400000.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.tDb0ggawON.exe.62b8e45.5.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.0.tDb0ggawON.exe.45fa72.19.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
11.2.tDb0ggawON.exe.4021b50.8.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.0.tDb0ggawON.exe.408208.24.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75540:$key: HawkEyeKeylogger 0x7773e:$salt: 099u787978786 0x75b59:$string1: HawkEye_Keylogger 0x769ac:$string1: HawkEye_Keylogger 0x7769e:$string1: HawkEye_Keylogger 0x75f42:$string2: holdermail.txt 0x75f62:$string2: holdermail.txt 0x75e84:$string3: wallet.dat 0x75e9c:$string3: wallet.dat 0x75eb2:$string3: wallet.dat 0x77280:$string4: Keylog Records 0x77598:$string4: Keylog Records 0x77796:$string5: do not script --> 0x75528:$string6: \pidloc.txt 0x7558e:$string7: BSPLIT 0x7559e:$string7: BSPLIT
11.0.tDb0ggawON.exe.408208.24.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
11.0.tDb0ggawON.exe.408208.24.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
11.0.tDb0ggawON.exe.408208.24.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
11.0.tDb0ggawON.exe.408208.24.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.0.tDb0ggawON.exe.408208.24.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75bb1:$hawkstr1: HawkEye Keylogger 0x769f2:$hawkstr1: HawkEye Keylogger 0x76d21:$hawkstr1: HawkEye Keylogger 0x76e7c:$hawkstr1: HawkEye Keylogger 0x76fdf:$hawkstr1: HawkEye Keylogger 0x77258:$hawkstr1: HawkEye Keylogger 0x7573f:$hawkstr2: Dear HawkEye Customers! 0x76d74:$hawkstr2: Dear HawkEye Customers! 0x76ecb:$hawkstr2: Dear HawkEye Customers! 0x77032:$hawkstr2: Dear HawkEye Customers! 0x75860:$hawkstr3: HawkEye Logger Details:
14.0.vbc.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
14.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.0.tDb0ggawON.exe.400000.21.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b948:$key: HawkEyeKeylogger 0x7db46:$salt: 099u787978786 0x7bf61:$string1: HawkEye_Keylogger 0x7cdb4:$string1: HawkEye_Keylogger 0x7daa6:$string1: HawkEye_Keylogger 0x7c34a:$string2: holdermail.txt 0x7c36a:$string2: holdermail.txt 0x7c28c:$string3: wallet.dat 0x7c2a4:$string3: wallet.dat 0x7c2ba:$string3: wallet.dat 0x7d688:$string4: Keylog Records 0x7d9a0:$string4: Keylog Records 0x7db9e:$string5: do not script --> 0x7b930:$string6: \pidloc.txt 0x7b996:$string7: BSPLIT 0x7b9a6:$string7: BSPLIT
11.0.tDb0ggawON.exe.400000.21.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
11.0.tDb0ggawON.exe.400000.21.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
11.0.tDb0ggawON.exe.400000.21.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
11.0.tDb0ggawON.exe.400000.21.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.0.tDb0ggawON.exe.400000.21.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bfb9:$hawkstr1: HawkEye Keylogger 0x7cdfa:$hawkstr1: HawkEye Keylogger 0x7d129:$hawkstr1: HawkEye Keylogger 0x7d284:$hawkstr1: HawkEye Keylogger 0x7d3e7:$hawkstr1: HawkEye Keylogger 0x7d660:$hawkstr1: HawkEye Keylogger 0x7bb47:$hawkstr2: Dear HawkEye Customers! 0x7d17c:$hawkstr2: Dear HawkEye Customers! 0x7d2d3:$hawkstr2: Dear HawkEye Customers! 0x7d43a:$hawkstr2: Dear HawkEye Customers! 0x7bc68:$hawkstr3: HawkEye Logger Details:
11.0.tDb0ggawON.exe.408208.17.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75540:$key: HawkEyeKeylogger 0x7773e:$salt: 099u787978786 0x75b59:$string1: HawkEye_Keylogger 0x769ac:$string1: HawkEye_Keylogger 0x7769e:$string1: HawkEye_Keylogger 0x75f42:$string2: holdermail.txt 0x75f62:$string2: holdermail.txt 0x75e84:$string3: wallet.dat 0x75e9c:$string3: wallet.dat 0x75eb2:$string3: wallet.dat 0x77280:$string4: Keylog Records 0x77598:$string4: Keylog Records 0x77796:$string5: do not script --> 0x75528:$string6: \pidloc.txt 0x7558e:$string7: BSPLIT 0x7559e:$string7: BSPLIT
11.0.tDb0ggawON.exe.408208.17.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
11.0.tDb0ggawON.exe.408208.17.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
11.0.tDb0ggawON.exe.408208.17.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
11.0.tDb0ggawON.exe.408208.17.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.0.tDb0ggawON.exe.408208.17.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75bb1:$hawkstr1: HawkEye Keylogger 0x769f2:$hawkstr1: HawkEye Keylogger 0x76d21:$hawkstr1: HawkEye Keylogger 0x76e7c:$hawkstr1: HawkEye Keylogger 0x76fdf:$hawkstr1: HawkEye Keylogger 0x77258:$hawkstr1: HawkEye Keylogger 0x7573f:$hawkstr2: Dear HawkEye Customers! 0x76d74:$hawkstr2: Dear HawkEye Customers! 0x76ecb:$hawkstr2: Dear HawkEye Customers! 0x77032:$hawkstr2: Dear HawkEye Customers! 0x75860:$hawkstr3: HawkEye Logger Details:
15.0.vbc.exe.400000.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
14.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
15.0.vbc.exe.400000.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
11.0.tDb0ggawON.exe.45fa72.19.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dcd6:$key: HawkEyeKeylogger 0x1fed4:$salt: 099u787978786 0x1e2ef:$string1: HawkEye_Keylogger 0x1f142:$string1: HawkEye_Keylogger 0x1fe34:$string1: HawkEye_Keylogger 0x1e6d8:$string2: holdermail.txt 0x1e6f8:$string2: holdermail.txt 0x1e61a:$string3: wallet.dat 0x1e632:$string3: wallet.dat 0x1e648:$string3: wallet.dat 0x1fa16:$string4: Keylog Records 0x1fd2e:$string4: Keylog Records 0x1ff2c:$string5: do not script --> 0x1dcbe:$string6: \pidloc.txt 0x1dd24:$string7: BSPLIT 0x1dd34:$string7: BSPLIT
11.0.tDb0ggawON.exe.45fa72.19.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
tDb0ggawON

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tDb0ggawON

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Windows Analysis Report
tDb0ggawON