
Windows Analysis Report
PasswordStealer.NET.bin

Overview

General Information

Sample Name: PasswordStealer.NET.bin (renamed file extension from bin to exe)
Analysis ID: 576204
MD5: fb2ca93f987313108abdd4a6d687783a
SHA1: 0783b8327a88aff87c627497d4333fd778da59be
SHA256: b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a
Infos:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected HawkEye Rat
Multi AV Scanner detection for domain / URL
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Yara detected WebBrowserPassView password recovery tool
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • PasswordStealer.NET.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\PasswordStealer.NET.exe" MD5: FB2CA93F987313108ABDD4A6D687783A)
    • AppLaunch.exe (PID: 6788 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x878fa:$s1: HawkEye Keylogger
  • 0x87963:$s1: HawkEye Keylogger
  • 0x80d3d:$s2: _ScreenshotLogger
  • 0x80d0a:$s3: _PasswordStealer
0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8881a:$s1: HawkEye Keylogger
  • 0x88883:$s1: HawkEye Keylogger
  • 0x81c5d:$s2: _ScreenshotLogger
  • 0x81c2a:$s3: _PasswordStealer
00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x878fa:$s1: HawkEye Keylogger
  • 0x87963:$s1: HawkEye Keylogger
  • 0x80d3d:$s2: _ScreenshotLogger
  • 0x80d0a:$s3: _PasswordStealer
Source | Rule | Description | Author | Strings
12.3.AppLaunch.exe.8b2db5a.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
12.3.AppLaunch.exe.8b2db5a.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
12.2.AppLaunch.exe.bc0834a.1.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x11bb0:$a1: logins.json
  • 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x12334:$s4: \mozsqlite3.dll
  • 0x115a4:$s5: SMTP Password
12.2.AppLaunch.exe.bc0834a.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
12.2.AppLaunch.exe.bc0834a.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
No Sigma rule has matched


AV Detection

Source: PasswordStealer.NET.exe; Virustotal: Detection: 85%
Source: PasswordStealer.NET.exe; Metadefender: Detection: 68%
Source: PasswordStealer.NET.exe; ReversingLabs: Detection: 89%
Source: PasswordStealer.NET.exe; Avira: detected
Source: https://a.pomf.cat/; Avira URL Cloud: Label: phishing
Source: http://pomf.cat/upload.php; Virustotal: Detection: 7%
Source: PasswordStealer.NET.exe; Joe Sandbox ML: detected
Source: 12.0.AppLaunch.exe.400000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 12.0.AppLaunch.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 12.2.AppLaunch.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 12.0.AppLaunch.exe.400000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 12.0.AppLaunch.exe.400000.1.unpack; Avira: Label: TR/Dropper.Gen
Source: 12.0.AppLaunch.exe.400000.4.unpack; Avira: Label: TR/Dropper.Gen
Source: PasswordStealer.NET.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PasswordStealer.NET.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: robo.pdb source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.365829610.0000000002D00000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; DNS query: name: bot.whatismyipaddress.com
Source: unknown; DNS traffic detected: query: 202.200.1.0.in-addr.arpa reply code: Name error (3)
Source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp; String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp; String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: AppLaunch.exe, 0000000C.00000002.376516668.00000000072DB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://bot.whatismyipaddress.com
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://bot.whatismyipaddress.com/
Source: AppLaunch.exe, 0000000C.00000002.376545778.0000000007322000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://bot.whatismyipaddress.com4
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pomf.cat/upload.php
Source: PasswordStealer.NET.exe, 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: AppLaunch.exe, 0000000C.00000002.376516668.00000000072DB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp; String found in binary or memory: http://www.nirsoft.net/
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://a.pomf.cat/
Source: unknown; DNS traffic detected: queries for: 202.200.1.0.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match; File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
Source: PasswordStealer.NET.exe, 00000001.00000002.365348911.00000000010F8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 12.3.AppLaunch.exe.8b2db5a.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.2.AppLaunch.exe.bc0834a.1.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.2.AppLaunch.exe.bc0834a.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.3.AppLaunch.exe.8b2db5a.1.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR; Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: PasswordStealer.NET.exe, y/n.cs; Large array initialization: 6Wy4+mFyuOniOCYaz2tMfNTAH6fLHHvOe6rFoL6mBEGBA+JQeW+OE43NDTbDet0jxK66jLQdy9+63uCl8t9Z2ovt3XbgJgEJa+Lwh6UISwbx9UugZ+Vibz02dZp5gjkAM0T+5fnFa6SiuzFOJgYf: array initializer size 99840
Source: 1.0.PasswordStealer.NET.exe.9a0000.0.unpack, y/n.cs; Large array initialization: 6Wy4+mFyuOniOCYaz2tMfNTAH6fLHHvOe6rFoL6mBEGBA+JQeW+OE43NDTbDet0jxK66jLQdy9+63uCl8t9Z2ovt3XbgJgEJa+Lwh6UISwbx9UugZ+Vibz02dZp5gjkAM0T+5fnFa6SiuzFOJgYf: array initializer size 99840
Source: 1.2.PasswordStealer.NET.exe.9a0000.0.unpack, y/n.cs; Large array initialization: 6Wy4+mFyuOniOCYaz2tMfNTAH6fLHHvOe6rFoL6mBEGBA+JQeW+OE43NDTbDet0jxK66jLQdy9+63uCl8t9Z2ovt3XbgJgEJa+Lwh6UISwbx9UugZ+Vibz02dZp5gjkAM0T+5fnFa6SiuzFOJgYf: array initializer size 99840
Source: PasswordStealer.NET.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 12.3.AppLaunch.exe.8b2db5a.1.raw.unpack, type: UNPACKEDPE; Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.2.AppLaunch.exe.bc0834a.1.unpack, type: UNPACKEDPE; Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.2.AppLaunch.exe.bc0834a.1.raw.unpack, type: UNPACKEDPE; Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.3.AppLaunch.exe.8b2db5a.1.unpack, type: UNPACKEDPE; Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
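The rows above repeat the same handful of rules across many dumps; what a triage analyst wants is the inverse view: which rules fired, in which processes, and at which image bases. The Python script below is an added example, not part of the Joe Sandbox report or of the sample: it parses rows in the report's row format (tolerating the fused `UNPACKEDPEMatched rule:` column boundary as well as a space), maps each dump name back to its process index and base address, and groups hits per rule. The five input rows are copied from the table above; the regexes for the dump-name conventions (`<index>.<phase>.<image>.<base>.<n>.unpack`, the `.sdmp` form, and `Process Memory Space:`) are my reading of those names, not a documented Joe Sandbox format.

```python
import re
from collections import defaultdict

# Constructed input: five rows copied from the Yara section of the report,
# with the table-column boundary fused exactly as the extracted page shows it.
REPORT_ROWS = """\
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
"""

# One report row: "Source: <dump>, type: <TYPE>[ ]Matched rule: <name> <k = v, ...>".
# The lazy [A-Z]+? lets the type token stop where "Matched rule:" begins even
# when the two table cells were glued together by extraction.
ROW_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>[A-Z]+?)\s*Matched rule: (?P<rule>\S+)\s*(?P<meta>.*)$"
)
# Rule metadata "key = value" pairs; a value runs until the next ", key = " or end.
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")
# Dump-name conventions as read from the report (assumption, not a documented format).
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.\d+\.(?:raw\.)?unpack$")
SDMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\.")


def parse_row(line):
    """Split one report row into source, type, rule name and metadata dict."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return {"source": m["source"], "type": m["type"], "rule": m["rule"],
            "meta": dict(META_RE.findall(m["meta"]))}


def locate(source):
    """Map a dump name to (process index, image base) so repeated hits on the
    same region collapse. String-scan sources (MEMORYSTR) carry no base and
    return (None, None)."""
    if (m := UNPACK_RE.match(source)):
        return int(m["idx"]), int(m["base"], 16)
    if (m := SDMP_RE.match(source)):
        return int(m["proc"], 16), int(m["base"], 16)
    return None, None


def summarize(report_text):
    """Group Yara hits by rule: hit count, processes and image bases that fired it."""
    hits = defaultdict(lambda: {"processes": set(), "bases": set(), "author": None, "count": 0})
    for line in report_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        entry = hits[row["rule"]]
        entry["count"] += 1
        entry["author"] = row["meta"].get("author")
        proc, base = locate(row["source"])
        if proc is not None:
            entry["processes"].add(proc)
            entry["bases"].add(base)
    return dict(hits)


def describe(summary):
    """Render the per-rule summary as one line per rule."""
    lines = []
    for rule, info in sorted(summary.items()):
        procs = ", ".join(str(p) for p in sorted(info["processes"])) or "-"
        bases = ", ".join(f"0x{b:x}" for b in sorted(info["bases"])) or "-"
        lines.append(f"{rule} ({info['author']}): {info['count']} hit(s); "
                     f"processes {procs}; bases {bases}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(summarize(REPORT_ROWS))))
```

Run over the full table, the HawkEye rules fire on the 0x400000 image of process 12 (AppLaunch.exe) and on several heap regions of process 1, while APT_NK_BabyShark_KimJoingRAT_Apr19_1 fires only on separate regions of process 12 (0x8ad5b55, 0xbbb0000). A rule named for an APT group firing next to commodity stealer rules is a cue to read that rule's strings before treating it as attribution: the report also flags the generic MailPassView and WebBrowserPassView recovery tools, and shared components of that kind are a common cause of cross-family Yara overlap.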
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_009A4628
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_009A4550
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013FD9B8
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013FD9B3
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Code function: 1_2_013FBA9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F54B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F04D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F2068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F3F53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F9F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F3EFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F6C2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F0C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F9938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F4519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F4528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F0527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F8530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F8540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F3568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F3563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F0562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F05A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F05ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F4168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F4178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F204F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F3F33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F6E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F8E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F0C37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F9928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F29E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F29F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F5880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F5890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F48D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_070F48E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F7FBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F74C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F74310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F762B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F7FBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F78B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F78B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F73FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F79090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F79081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F7C2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_09F7C2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_0A270B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 12_2_0A270B80
Source: PasswordStealer.NET.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: PasswordStealer.NET.exe Binary or memory string: OriginalFilename vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.364690039.00000000009A2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename007.exeH vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.365348911.00000000010F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerobo.dll4 vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.365877906.0000000002E31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe, 00000001.00000002.365829610.0000000002D00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamerobo.dll4 vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe Binary or memory string: OriginalFilename007.exeH vs PasswordStealer.NET.exe
Source: PasswordStealer.NET.exe Virustotal: Detection: 85%
Source: PasswordStealer.NET.exe Metadefender: Detection: 68%
Source: PasswordStealer.NET.exe ReversingLabs: Detection: 89%
Source: PasswordStealer.NET.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PasswordStealer.NET.exe "C:\Users\user\Desktop\PasswordStealer.NET.exe"
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PasswordStealer.NET.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Temp\5c9e99f0-aed9-08b2-ba3c-8df8e171ab02
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@2/0
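The process tree recorded above is the pattern to alert on: an executable on the user's Desktop starts the legitimate .NET Framework binary AppLaunch.exe with nothing but its own path as the command line, and the Yara hits on AppLaunch.exe at image base 0x400000 show that a HawkEye payload, not AppLaunch's own code, is what runs in that process. The Python below is an added detection example, not taken from the report: it evaluates constructed Sysmon-style process-creation records and flags a known hollowing host started with an empty argument tail by a parent outside the Windows and Program Files trees. The first record reproduces the report's parent/child pair and PIDs (6388, 6788); the other records, the trusted-parent prefixes, and the hollowing-host list beyond AppLaunch.exe (RegAsm.exe, RegSvcs.exe, InstallUtil.exe and MSBuild.exe are widely documented targets, an extension beyond what this page shows) are assumptions for illustration.

```python
from typing import Optional

# Signed .NET Framework utilities that live under C:\Windows and are routinely
# started suspended so a payload can be mapped over their image. AppLaunch.exe
# is the host seen in this report; the rest are an assumed extension.
HOLLOWING_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# Parents treated as legitimate launchers (assumption for this example).
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-style process-creation records. The first reproduces the
# parent/child pair and PIDs from the report; the others are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 6788, "ParentProcessId": 6388,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "ParentImage": r"C:\Users\user\Desktop\PasswordStealer.NET.exe"},
    {"ProcessId": 7012, "ParentProcessId": 4120,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" C:\Program Files\Contoso\Client.exe',
     "ParentImage": r"C:\Program Files\Contoso\Updater.exe"},
    {"ProcessId": 7100, "ParentProcessId": 6990,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\setup.exe"},
    {"ProcessId": 7200, "ParentProcessId": 6388,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Users\user\Desktop\PasswordStealer.NET.exe"},
]


def argument_tail(cmdline: str) -> str:
    """Return whatever follows the program token of a Windows command line.
    Handles a double-quoted program path; an empty result means no arguments."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        close = cmdline.find('"', 1)
        return cmdline[close + 1:].strip() if close != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[dict]:
    """Flag a hollowing host started with no arguments by an untrusted parent.
    Both signals are required: a no-argument launch by a Windows component can
    be benign, and an untrusted parent that passes a real argument is usually
    just an application using the host as intended."""
    image = basename(event["Image"])
    if image not in HOLLOWING_HOSTS:
        return None
    reasons = []
    if not argument_tail(event["CommandLine"]):
        reasons.append("no command-line arguments")
    if not event["ParentImage"].lower().startswith(TRUSTED_PARENT_PREFIXES):
        reasons.append("parent outside Windows/Program Files")
    if len(reasons) < 2:
        return None
    return {"pid": event["ProcessId"], "ppid": event["ParentProcessId"],
            "image": image, "parent": event["ParentImage"], "reasons": reasons}


def scan(events):
    """Run the rule over a batch of records and return the alerts in order."""
    return [alert for alert in map(evaluate, events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} {alert['image']} <- {alert['parent']} "
              f"(ppid {alert['ppid']}): " + "; ".join(alert["reasons"]))
```

Of the four constructed records only the first and third alert: the report's own AppLaunch.exe launch and the RegAsm.exe launch from a Temp directory. The AppLaunch.exe launch that carries an argument from a Program Files parent and the notepad.exe child of the sample both pass, which is the intended precision trade-off. On a real host, corroborate an alert with the image-base check the sandbox performed: a PE at the host's 0x400000 base whose strings or Yara hits do not belong to AppLaunch.exe is the confirming evidence.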
Source: 12.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 12.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 12.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 12.0.AppLaunch.exe.400000.1.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.0.AppLaunch.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.2.AppLaunch.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 12.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 12.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 12.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 12.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 12.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 12.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.AppLaunch.exe.400000.4.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.0.AppLaunch.exe.400000.3.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 12.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 12.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 12.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 12.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 12.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: C:\Users\user\Desktop\PasswordStealer.NET.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: \Sessions\1\BaseNamedObjects\3b4a4cc4-c9ba-470a-96db-668b03cd472a
Source: 12.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.0.AppLaunch.exe.400000.3.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.0.AppLaunch.exe.400000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.AppLaunch.exe.400000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: PasswordStealer.NET.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: PasswordStealer.NET.exeStatic file information: File size 1272320 > 1048576
          Source: PasswordStealer.NET.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PasswordStealer.NET.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x135e00
          Source: PasswordStealer.NET.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: robo.pdb source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.365829610.0000000002D00000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: PasswordStealer.NET.exe, y/h.cs.Net Code: .cctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.PasswordStealer.NET.exe.9a0000.0.unpack, y/h.cs.Net Code: .cctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.PasswordStealer.NET.exe.9a0000.0.unpack, y/h.cs.Net Code: .cctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_009B1E18 push eax; iretd
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_009B15A8 push es; retf
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_009B1D51 push C661B22Dh; iretd
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013F41C3 push esi; ret
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013F41C0 push esi; ret
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013F403B push ebp; ret
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013F4020 push ebp; ret
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013F4073 push ebp; ret
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013F40F3 push esi; ret
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013F68A9 pushfd ; ret
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013F4BD3 pushad ; ret
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013FFE60 push eax; iretd
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013F3E41 push edx; ret
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013F3EE1 push ebp; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 12_2_070F326C push ss; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 12_2_070F32F5 push ss; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 12_2_09F735E0 pushad ; iretd

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeFile opened: C:\Users\user\Desktop\PasswordStealer.NET.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
          Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WIRESHARK.EXE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe TID: 4884Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5732Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3248Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6452Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
          Source: AppLaunch.exe, 0000000C.00000002.376954301.000000000A080000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: 12.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Source: 12.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Source: 12.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Source: 12.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeQueries volume information: C:\Users\user\Desktop\PasswordStealer.NET.exe VolumeInformation
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara matchFile source: 12.3.AppLaunch.exe.8b2db5a.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.AppLaunch.exe.bc0834a.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.AppLaunch.exe.bc0834a.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.3.AppLaunch.exe.8b2db5a.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
          Source: Yara matchFile source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.AppLaunch.exe.bbb0345.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.3.AppLaunch.exe.8ad5b55.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
Source: PasswordStealer.NET.exe, 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: PasswordStealer.NET.exe, 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: AppLaunch.exe, 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: AppLaunch.exe, 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts111
          Windows Management Instrumentation
          Path Interception11
          Process Injection
          1
          Masquerading
          1
          Input Capture
          211
          Security Software Discovery
          Remote Services1
          Input Capture
          Exfiltration Over Other Network Medium1
          Encrypted Channel
          Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default Accounts1
          Native API
          Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
          Disable or Modify Tools
          LSASS Memory131
          Virtualization/Sandbox Evasion
          Remote Desktop Protocol11
          Archive Collected Data
          Exfiltration Over Bluetooth1
          Remote Access Software
          Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)131
          Virtualization/Sandbox Evasion
          Security Account Manager1
          Remote System Discovery
          SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
          Non-Application Layer Protocol
          Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
          Process Injection
          NTDS1
          System Network Configuration Discovery
          Distributed Component Object ModelInput CaptureScheduled Transfer1
          Application Layer Protocol
          SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
          Deobfuscate/Decode Files or Information
          LSA Secrets13
          System Information Discovery
          SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common1
          Hidden Files and Directories
          Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items1
          Obfuscated Files or Information
          DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job11
          Software Packing
          Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Source | Detection | Scanner | Label | Link
PasswordStealer.NET.exe | 85% | Virustotal | - | Browse
PasswordStealer.NET.exe | 69% | Metadefender | - | Browse
PasswordStealer.NET.exe | 90% | ReversingLabs | ByteCode-MSIL.Spyware.Remcos | -
PasswordStealer.NET.exe | 100% | Avira | HEUR/AGEN.1131977 | -
PasswordStealer.NET.exe | 100% | Joe Sandbox ML | - | -
          No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
12.0.AppLaunch.exe.400000.3.unpack | 100% | Avira | TR/Dropper.Gen | - | Download File
12.0.AppLaunch.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen | - | Download File
1.0.PasswordStealer.NET.exe.9a0000.0.unpack | 100% | Avira | HEUR/AGEN.1131977 | - | Download File
12.2.AppLaunch.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen | - | Download File
12.0.AppLaunch.exe.400000.2.unpack | 100% | Avira | TR/Dropper.Gen | - | Download File
12.0.AppLaunch.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen | - | Download File
12.0.AppLaunch.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen | - | Download File
1.2.PasswordStealer.NET.exe.9a0000.0.unpack | 100% | Avira | HEUR/AGEN.1131977 | - | Download File
Source | Detection | Scanner | Label | Link
202.200.1.0.in-addr.arpa | 0% | Virustotal | - | Browse
Source | Detection | Scanner | Label | Link
https://a.pomf.cat/ | 4% | Virustotal | - | Browse
https://a.pomf.cat/ | 100% | Avira URL Cloud | phishing | -
http://pomf.cat/upload.php&https://a.pomf.cat/ | 0% | Avira URL Cloud | safe | -
http://pomf.cat/upload.php | 8% | Virustotal | - | Browse
http://pomf.cat/upload.php | 0% | Avira URL Cloud | safe | -
http://bot.whatismyipaddress.com4 | 0% | Avira URL Cloud | safe | -
http://pomf.cat/upload.phpCContent-Disposition: | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
202.200.1.0.in-addr.arpa | unknown | unknown | false | - | unknown
bot.whatismyipaddress.com | unknown | unknown | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://a.pomf.cat/ | AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | true | 4%, Virustotal, Browse; Avira URL Cloud: phishing | unknown
http://pomf.cat/upload.php&https://a.pomf.cat/ | PasswordStealer.NET.exe, 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://bot.whatismyipaddress.com | AppLaunch.exe, 0000000C.00000002.376516668.00000000072DB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pomf.cat/upload.php | AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | true | 8%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp | false | - | high
http://bot.whatismyipaddress.com4 | AppLaunch.exe, 0000000C.00000002.376545778.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AppLaunch.exe, 0000000C.00000002.376516668.00000000072DB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://bot.whatismyipaddress.com/ | AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pomf.cat/upload.phpCContent-Disposition: | AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    No contacted IP infos
                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:576204
                    Start date:22.02.2022
                    Start time:09:21:39
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 7m 36s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:PasswordStealer.NET.bin (renamed file extension from bin to exe)
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:25
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/3@2/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 0.9% (good quality ratio 0.6%)
                    • Quality average: 42%
                    • Quality standard deviation: 38.6%
                    HCA Information:
                    • Successful, ratio: 97%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded IPs from analysis (whitelisted): 23.211.4.86
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:22:57 | API Interceptor | 1x Sleep call for process: PasswordStealer.NET.exe modified
09:23:12 | API Interceptor | 2x Sleep call for process: AppLaunch.exe modified
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1220
                    Entropy (8bit):5.354495486938689
                    Encrypted:false
                    SSDEEP:24:MLUE4Ko84qpE4Ks2vsXE4G1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MIHKov2HKXCHG1qHiYHKhQnoPtHoxHhA
                    MD5:5B6EF9C36F177ED0124E042B9579BE85
                    SHA1:1C8AFB1CA723ADC174C853F46CE2FF8748E08762
                    SHA-256:9905271FEFA625D10CC63C7EF369FB800B66C2FBEA20BED2136365007C7362BF
                    SHA-512:6CA97E07E2EFFEAC30F22C9FC493010C1A161DDC2D4999814EF14DC70DC223F8419363EC1BFA97D8EA5267CC3249CDEEE3DE04F3517F0C00B9B45A57D50DD545
                    Malicious:false
                    Reputation:low
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.C
                    Process:C:\Users\user\Desktop\PasswordStealer.NET.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1216
                    Entropy (8bit):5.355304211458859
                    Encrypted:false
                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                    MD5:FED34146BF2F2FA59DCF8702FCC8232E
                    SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                    SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                    SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):88
                    Entropy (8bit):5.38967064718937
                    Encrypted:false
                    SSDEEP:3:Gulft/nKhyDrV/2TOA4LiUQF5DvDRI+:DtfQQrV/2TOA4LgF5D1I+
                    MD5:BB53A1C0B81C866F8BE64DD5532967B8
                    SHA1:716BC31FB2FF50F8B8EAD2A4878B95F41AF6F9AF
                    SHA-256:DE572CC1E0A16905FF7C62D63B20668BD8BEA5527FFD2F196A001EFB7FB5926E
                    SHA-512:98CC3A8A8FB57E8339B9AE0BD436A4F756E6378E92F97B569231A09C76345254994CBC70AFE779F9C963AAA32F114B985224C5AD2E79FDE09C20942C302D6D82
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:6C+hP5HoTpHrvlsqBHBHoAd4oFxWfNp+z/Sv5IQWNOfLdMd/OERNbN8eWAq7MV256h0Abi93JHh7y5stlf4OVA==
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):6.299563056438947
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    • Win32 Executable (generic) a (10002005/4) 49.78%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    File name:PasswordStealer.NET.exe
                    File size:1272320
                    MD5:fb2ca93f987313108abdd4a6d687783a
                    SHA1:0783b8327a88aff87c627497d4333fd778da59be
                    SHA256:b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a
                    SHA512:6fc15ca06da66661c733ed4aeeff40a11791739ab104e607262b55e217658277246cfec7b2dd586bbd58067bf1a67a4fd7e9462ffe5f591fc7a2ee1cfefcab25
                    SSDEEP:12288:KKn7XIK6rFQuoa+xhXy7CNI7TMq9IOvK2TaSJbeWBSuIGZi0k:K6XIFxxh+xhUCCTMyIOv52DWBQGI
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................^...........}... ........@.. ....................................@................................
                    Icon Hash:00828e8e8686b000
                    Entrypoint:0x537d2e
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0xF0A0ADD [Fri Dec 30 07:53:01 1977 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:v4.0.30319
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Instruction
                    jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x137cdc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x138000 | 0x644 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x13a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x135d34 | 0x135e00 | False | 0.526958482503 | data | 6.30284310521 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x138000 | 0x644 | 0x800 | False | 0.35400390625 | data | 4.61936656922 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x13a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x1380a0 | 0x3b8 | COM executable for DOS | - | -
RT_MANIFEST | 0x138458 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | - | -
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018 Granite Construction Incorporated
Assembly Version | 0.0.0.0
InternalName | 007.exe
FileVersion | 1.13.31.2
CompanyName | Granite Construction Incorporated
Comments | oyelodozotecepitucazad
ProductName | IIS request monitor
ProductVersion | 1.13.31.2
FileDescription | IIS request monitor
OriginalFilename | 007.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 22, 2022 09:23:16.302151918 CET | 60784 | 53 | 192.168.2.3 | 8.8.8.8
Feb 22, 2022 09:23:16.318984985 CET | 53 | 60784 | 8.8.8.8 | 192.168.2.3
Feb 22, 2022 09:23:16.601305962 CET | 51143 | 53 | 192.168.2.3 | 8.8.8.8
Feb 22, 2022 09:23:16.619818926 CET | 53 | 51143 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 22, 2022 09:23:16.302151918 CET | 192.168.2.3 | 8.8.8.8 | 0x9a04 | Standard query (0) | 202.200.1.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 22, 2022 09:23:16.601305962 CET | 192.168.2.3 | 8.8.8.8 | 0xdceb | Standard query (0) | bot.whatismyipaddress.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 22, 2022 09:23:16.318984985 CET | 8.8.8.8 | 192.168.2.3 | 0x9a04 | Name error (3) | 202.200.1.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)


                    Target ID:1
                    Start time:09:22:29
                    Start date:22/02/2022
                    Path:C:\Users\user\Desktop\PasswordStealer.NET.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\PasswordStealer.NET.exe"
                    Imagebase:0x9a0000
                    File size:1272320 bytes
                    MD5 hash:FB2CA93F987313108ABDD4A6D687783A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 12
Start time: 09:23:03
Start date: 22/02/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase: 0xf20000
File size: 98912 bytes
MD5 hash: 6807F903AC06FF7E1670181378690B22
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: moderate

                    No disassembly