Windows Analysis Report
PasswordStealer.NET.bin

Overview

General Information

Sample Name: PasswordStealer.NET.bin (renamed file extension from bin to exe)
Analysis ID: 576204
MD5: fb2ca93f987313108abdd4a6d687783a
SHA1: 0783b8327a88aff87c627497d4333fd778da59be
SHA256: b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected HawkEye Rat
Multi AV Scanner detection for domain / URL
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Yara detected WebBrowserPassView password recovery tool
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: PasswordStealer.NET.exe Virustotal: Detection: 85%
Source: PasswordStealer.NET.exe Metadefender: Detection: 68%
Source: PasswordStealer.NET.exe ReversingLabs: Detection: 89%
Source: PasswordStealer.NET.exe Avira: detected
Source: https://a.pomf.cat/ Avira URL Cloud: Label: phishing
Source: http://pomf.cat/upload.php Virustotal: Detection: 7%
Source: PasswordStealer.NET.exe Joe Sandbox ML: detected
Source: 12.0.AppLaunch.exe.400000.3.unpack Avira: Label: TR/Dropper.Gen
Source: 12.0.AppLaunch.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 12.2.AppLaunch.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 12.0.AppLaunch.exe.400000.2.unpack Avira: Label: TR/Dropper.Gen
Source: 12.0.AppLaunch.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 12.0.AppLaunch.exe.400000.4.unpack Avira: Label: TR/Dropper.Gen
Source: PasswordStealer.NET.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PasswordStealer.NET.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: robo.pdb source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.365829610.0000000002D00000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe DNS query: name: bot.whatismyipaddress.com
Source: unknown DNS traffic detected: query: 202.200.1.0.in-addr.arpa replaycode: Name error (3)
Source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: AppLaunch.exe, 0000000C.00000002.376516668.00000000072DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bot.whatismyipaddress.com
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: AppLaunch.exe, 0000000C.00000002.376545778.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bot.whatismyipaddress.com4
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pomf.cat/upload.php
Source: PasswordStealer.NET.exe, 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: AppLaunch.exe, 0000000C.00000002.376516668.00000000072DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://a.pomf.cat/
Source: unknown DNS traffic detected: queries for: 202.200.1.0.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
Source: PasswordStealer.NET.exe, 00000001.00000002.365348911.00000000010F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 12.3.AppLaunch.exe.8b2db5a.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.2.AppLaunch.exe.bc0834a.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.2.AppLaunch.exe.bc0834a.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.3.AppLaunch.exe.8b2db5a.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: PasswordStealer.NET.exe, y/n.cs Large array initialization: 6Wy4+mFyuOniOCYaz2tMfNTAH6fLHHvOe6rFoL6mBEGBA+JQeW+OE43NDTbDet0jxK66jLQdy9+63uCl8t9Z2ovt3XbgJgEJa+Lwh6UISwbx9UugZ+Vibz02dZp5gjkAM0T+5fnFa6SiuzFOJgYf: array initializer size 99840
Source: 1.0.PasswordStealer.NET.exe.9a0000.0.unpack, y/n.cs Large array initialization: 6Wy4+mFyuOniOCYaz2tMfNTAH6fLHHvOe6rFoL6mBEGBA+JQeW+OE43NDTbDet0jxK66jLQdy9+63uCl8t9Z2ovt3XbgJgEJa+Lwh6UISwbx9UugZ+Vibz02dZp5gjkAM0T+5fnFa6SiuzFOJgYf: array initializer size 99840
Source: 1.2.PasswordStealer.NET.exe.9a0000.0.unpack, y/n.cs Large array initialization: 6Wy4+mFyuOniOCYaz2tMfNTAH6fLHHvOe6rFoL6mBEGBA+JQeW+OE43NDTbDet0jxK66jLQdy9+63uCl8t9Z2ovt3XbgJgEJa+Lwh6UISwbx9UugZ+Vibz02dZp5gjkAM0T+5fnFa6SiuzFOJgYf: array initializer size 99840
Source: PasswordStealer.NET.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 12.3.AppLaunch.exe.8b2db5a.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.2.AppLaunch.exe.bc0834a.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.2.AppLaunch.exe.bc0834a.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.3.AppLaunch.exe.8b2db5a.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_009A4628 1_2_009A4628
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_009A4550 1_2_009A4550
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013FD9B8 1_2_013FD9B8
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013FD9B3 1_2_013FD9B3
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013FBA9C 1_2_013FBA9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F54B8 12_2_070F54B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F04D8 12_2_070F04D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F2068 12_2_070F2068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F3F53 12_2_070F3F53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F9F98 12_2_070F9F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F3EFB 12_2_070F3EFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F6C2A 12_2_070F6C2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F0C48 12_2_070F0C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F9938 12_2_070F9938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F4519 12_2_070F4519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F4528 12_2_070F4528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F0527 12_2_070F0527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F8530 12_2_070F8530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F8540 12_2_070F8540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F3568 12_2_070F3568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F3563 12_2_070F3563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F0562 12_2_070F0562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F05A6 12_2_070F05A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F05ED 12_2_070F05ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F4168 12_2_070F4168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F4178 12_2_070F4178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F204F 12_2_070F204F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F3F33 12_2_070F3F33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F6E10 12_2_070F6E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F8E40 12_2_070F8E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F0C37 12_2_070F0C37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F9928 12_2_070F9928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F29E9 12_2_070F29E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F29F8 12_2_070F29F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F5880 12_2_070F5880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F5890 12_2_070F5890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F48D0 12_2_070F48D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F48E0 12_2_070F48E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F7FBD0 12_2_09F7FBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F74C00 12_2_09F74C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F74310 12_2_09F74310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F762B8 12_2_09F762B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F7FBC0 12_2_09F7FBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F78B70 12_2_09F78B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F78B60 12_2_09F78B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F73FC0 12_2_09F73FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F79090 12_2_09F79090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F79081 12_2_09F79081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F7C2C8 12_2_09F7C2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F7C2B8 12_2_09F7C2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_0A270B90 12_2_0A270B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_0A270B80 12_2_0A270B80
Source: PasswordStealer.NET.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: PasswordStealer.NET.exe Binary or memory string: OriginalFilename vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.364690039.00000000009A2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename007.exeH vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.365348911.00000000010F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerobo.dll4 vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.365877906.0000000002E31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.365829610.0000000002D00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamerobo.dll4 vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe Binary or memory string: OriginalFilename007.exeH vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe Virustotal: Detection: 85%
Source: PasswordStealer.NET.exe Metadefender: Detection: 68%
Source: PasswordStealer.NET.exe ReversingLabs: Detection: 89%
Source: PasswordStealer.NET.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PasswordStealer.NET.exe "C:\Users\user\Desktop\PasswordStealer.NET.exe"
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PasswordStealer.NET.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Temp\5c9e99f0-aed9-08b2-ba3c-8df8e171ab02
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@2/0
Source: 12.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 12.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 12.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 12.0.AppLaunch.exe.400000.1.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.0.AppLaunch.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.2.AppLaunch.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 12.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 12.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 12.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 12.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 12.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 12.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.AppLaunch.exe.400000.4.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.0.AppLaunch.exe.400000.3.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 12.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 12.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 12.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 12.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 12.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: \Sessions\1\BaseNamedObjects\3b4a4cc4-c9ba-470a-96db-668b03cd472a
Source: 12.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.0.AppLaunch.exe.400000.3.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.0.AppLaunch.exe.400000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.AppLaunch.exe.400000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PasswordStealer.NET.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PasswordStealer.NET.exe Static file information: File size 1272320 > 1048576
Source: PasswordStealer.NET.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PasswordStealer.NET.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x135e00
Source: PasswordStealer.NET.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: robo.pdb source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.365829610.0000000002D00000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: PasswordStealer.NET.exe, y/h.cs .Net Code: .cctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.PasswordStealer.NET.exe.9a0000.0.unpack, y/h.cs .Net Code: .cctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.PasswordStealer.NET.exe.9a0000.0.unpack, y/h.cs .Net Code: .cctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_009B1E18 push eax; iretd 1_2_009B1E2F
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_009B15A8 push es; retf 1_2_009B15A9
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_009B1D51 push C661B22Dh; iretd 1_2_009B1D56
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013F41C3 push esi; ret 1_2_013F41CA
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013F41C0 push esi; ret 1_2_013F41C2
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013F403B push ebp; ret 1_2_013F4042
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013F4020 push ebp; ret 1_2_013F403A
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013F4073 push ebp; ret 1_2_013F407A
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013F40F3 push esi; ret 1_2_013F40FA
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013F68A9 pushfd ; ret 1_2_013F68AA
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013F4BD3 pushad ; ret 1_2_013F4BDA
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013FFE60 push eax; iretd 1_2_013FFE6E
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013F3E41 push edx; ret 1_2_013F3E42
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013F3EE1 push ebp; ret 1_2_013F3EE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F326C push ss; retf 12_2_070F326D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F32F5 push ss; retf 12_2_070F32F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F735E0 pushad ; iretd 12_2_09F735E1

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\PasswordStealer.NET.exe File opened: C:\Users\user\Desktop\PasswordStealer.NET.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe TID: 4884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5732 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3248 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6452 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: AppLaunch.exe, 0000000C.00000002.376954301.000000000A080000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 12.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 12.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 12.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 12.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 12.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Queries volume information: C:\Users\user\Desktop\PasswordStealer.NET.exe VolumeInformation
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 12.3.AppLaunch.exe.8b2db5a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.AppLaunch.exe.bc0834a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.AppLaunch.exe.bc0834a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.AppLaunch.exe.8b2db5a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
Source: Yara match File source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.AppLaunch.exe.bbb0345.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.AppLaunch.exe.8ad5b55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
Source: PasswordStealer.NET.exe, 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: PasswordStealer.NET.exe, 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: AppLaunch.exe, 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: AppLaunch.exe, 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
No contacted IP infos