Edit tour

Windows Analysis Report
ee2dh.exe

Overview

General Information

Sample Name:	ee2dh.exe
Analysis ID:	590130
MD5:	1eb820e4003cdcd9b2ee3252d4333950
SHA1:	489e4e88c6bbd601ceeeddb629d5f05b2a43bfc6
SHA256:	ee2d920c7fa032c3bc22365770ea3b79b2d97c4177438758e95d8d31b37b9a92
Tags:	exe
Infos:
Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MailPassView

Multi AV Scanner detection for submitted file

Yara detected HawkEye Keylogger

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Detected HawkEye Rat

Multi AV Scanner detection for domain / URL

Yara detected WebBrowserPassView password recovery tool

Uses 32bit PE files

PE file does not import any functions

Yara signature match

Sample file is different than original file name gathered from version info

May infect USB drives

PE file overlay found

Classification

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ee2dh.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7bdb7:$key: HawkEyeKeylogger 0x7dff3:$salt: 099u787978786 0x7c3f0:$string1: HawkEye_Keylogger 0x7d243:$string1: HawkEye_Keylogger 0x7df53:$string1: HawkEye_Keylogger 0x7c7d9:$string2: holdermail.txt 0x7c7f9:$string2: holdermail.txt 0x7c71b:$string3: wallet.dat 0x7c733:$string3: wallet.dat 0x7c749:$string3: wallet.dat 0x7db35:$string4: Keylog Records 0x7de4d:$string4: Keylog Records 0x7e04b:$string5: do not script --> 0x7bd9f:$string6: \pidloc.txt 0x7be05:$string7: BSPLIT 0x7be15:$string7: BSPLIT
ee2dh.exe	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7901:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
ee2dh.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
ee2dh.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
ee2dh.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
ee2dh.exe	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x28e00b:$s1: blackmoon 0x360dbc:$s1: blackmoon 0x28e04b:$s2: BlackMoon RunTime Error: 0x360dfc:$s2: BlackMoon RunTime Error:
ee2dh.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7c448:$hawkstr1: HawkEye Keylogger 0x7d289:$hawkstr1: HawkEye Keylogger 0x7d5b8:$hawkstr1: HawkEye Keylogger 0x7d713:$hawkstr1: HawkEye Keylogger 0x7d876:$hawkstr1: HawkEye Keylogger 0x7db0d:$hawkstr1: HawkEye Keylogger 0x7bfd6:$hawkstr2: Dear HawkEye Customers! 0x7d60b:$hawkstr2: Dear HawkEye Customers! 0x7d762:$hawkstr2: Dear HawkEye Customers! 0x7d8c9:$hawkstr2: Dear HawkEye Customers! 0x7c0f7:$hawkstr3: HawkEye Logger Details:
Click to see the 2 entries

Sigma Signatures

⊘No Sigma rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ee2dh.exe	Virustotal: Detection: 41%	Perma Link
Source: ee2dh.exe	Metadefender: Detection: 22%	Perma Link
Source: ee2dh.exe	ReversingLabs: Detection: 42%

Antivirus detection for URL or domain

Source: http://22ssh.com/32.exe

Avira URL Cloud: Label: PUA

Multi AV Scanner detection for domain / URL

Source: http://22ssh.com/32.exe

Virustotal: Detection: 9%

Perma Link

Source: ee2dh.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: ee2dh.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\buildbot\slave1\desktop_screen\build\bin\active_desktop_launcher.pdb source: ee2dh.exe
Source:	Binary string: C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: ee2dh.exe
Source:	Binary string: ]C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: ee2dh.exe
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: ee2dh.exe
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: ee2dh.exe
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: ee2dh.exe
Source:	Binary string: \MyDriver\x64\Release\MyDriver.pdb source: ee2dh.exe

Source: ee2dh.exe	Binary or memory string: autorun.inf
Source: ee2dh.exe	Binary or memory string: [autorun]

Source: ee2dh.exe	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: ee2dh.exe	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)

Source: ee2dh.exe	String found in binary or memory: http://22ssh.com/32.exe
Source: ee2dh.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: ee2dh.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ee2dh.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: ee2dh.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ee2dh.exe	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: ee2dh.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ee2dh.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: ee2dh.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ee2dh.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: ee2dh.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ee2dh.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: ee2dh.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ee2dh.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: ee2dh.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ee2dh.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ee2dh.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: ee2dh.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ee2dh.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: ee2dh.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: ee2dh.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: ee2dh.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: ee2dh.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: ee2dh.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: ee2dh.exe	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ee2dh.exe	String found in binary or memory: http://s2.symcb.com0
Source: ee2dh.exe	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ee2dh.exe	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ee2dh.exe	String found in binary or memory: http://sv.symcd.com0&
Source: ee2dh.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ee2dh.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ee2dh.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: ee2dh.exe	String found in binary or memory: http://whatismyipaddress.com/-
Source: ee2dh.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ee2dh.exe	String found in binary or memory: http://www.freeeim.com/D
Source: ee2dh.exe	String found in binary or memory: http://www.nirsoft.net/
Source: ee2dh.exe	String found in binary or memory: http://www.symauth.com/cps0(
Source: ee2dh.exe	String found in binary or memory: http://www.symauth.com/rpa00
Source: ee2dh.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: ee2dh.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: ee2dh.exe	String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected HawkEye Keylogger

Source: Yara match

File source: ee2dh.exe, type: SAMPLE

System Summary

Malicious sample detected (through community Yara rule)

Source: ee2dh.exe, type: SAMPLE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: ee2dh.exe, type: SAMPLE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: ee2dh.exe, type: SAMPLE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Source: ee2dh.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: ee2dh.exe

Static PE information: No import functions for PE file found

Source: ee2dh.exe, type: SAMPLE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: ee2dh.exe, type: SAMPLE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: ee2dh.exe, type: SAMPLE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: ee2dh.exe, type: SAMPLE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: ee2dh.exe	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs ee2dh.exe
Source: ee2dh.exe	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs ee2dh.exe
Source: ee2dh.exe	Binary or memory string: OriginalFilenamemailpv.exe< vs ee2dh.exe
Source: ee2dh.exe	Binary or memory string: OriginalFilenamePhulli.exe0 vs ee2dh.exe
Source: ee2dh.exe	Binary or memory string: OriginalFilenameactive_desktop_launcher.exe, vs ee2dh.exe
Source: ee2dh.exe	Binary or memory string: OriginalFilenameChrome.exe. vs ee2dh.exe
Source: ee2dh.exe	Binary or memory string: OriginalFilenamefreeeim.exe vs ee2dh.exe

Source: ee2dh.exe

Static PE information: Data appended to the last section found

Source: ee2dh.exe	Virustotal: Detection: 41%
Source: ee2dh.exe	Metadefender: Detection: 22%
Source: ee2dh.exe	ReversingLabs: Detection: 42%

Source: ee2dh.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: ee2dh.exe

String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05

Source: ee2dh.exe

Binary string: \Device\Orange64

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@0/0@0/0

Source: ee2dh.exe

Static file information: File size 4644864 > 1048576

Source: ee2dh.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ee2dh.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ee2dh.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1689600

Source: ee2dh.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\buildbot\slave1\desktop_screen\build\bin\active_desktop_launcher.pdb source: ee2dh.exe
Source:	Binary string: C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: ee2dh.exe
Source:	Binary string: ]C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: ee2dh.exe
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: ee2dh.exe
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: ee2dh.exe
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: ee2dh.exe
Source:	Binary string: \MyDriver\x64\Release\MyDriver.pdb source: ee2dh.exe

Stealing of Sensitive Information

Yara detected MailPassView

Source: Yara match

File source: ee2dh.exe, type: SAMPLE

Yara detected HawkEye Keylogger

Source: Yara match

File source: ee2dh.exe, type: SAMPLE

Yara detected WebBrowserPassView password recovery tool

Source: Yara match

File source: ee2dh.exe, type: SAMPLE

Remote Access Functionality

Yara detected HawkEye Keylogger

Source: Yara match

File source: ee2dh.exe, type: SAMPLE

Detected HawkEye Rat

Source: ee2dh.exe	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: ee2dh.exe	String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: ee2dh.exe	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: ee2dh.exe	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	2 Command and Scripting Interpreter	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 Peripheral Device Discovery	1 Replication Through Removable Media	Data from Local System	Exfiltration Over Other Network Medium	1 Remote Access Software	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ee2dh.exe	42%	Virustotal		Browse
ee2dh.exe	23%	Metadefender		Browse
ee2dh.exe	43%	ReversingLabs	ByteCode-MSIL.Hacktool.MailPassView

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://22ssh.com/32.exe	10%	Virustotal		Browse
http://22ssh.com/32.exe	100%	Avira URL Cloud	PUA
http://www.freeeim.com/D	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://22ssh.com/32.exe	ee2dh.exe	true	10%, Virustotal, Browse Avira URL Cloud: PUA	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	ee2dh.exe	false		high
http://www.nirsoft.net/	ee2dh.exe	false		high
http://www.freeeim.com/D	ee2dh.exe	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	ee2dh.exe	false		high
http://www.symauth.com/rpa00	ee2dh.exe	false		high
http://ocsp.thawte.com0	ee2dh.exe	false	URL Reputation: safe	unknown
http://whatismyipaddress.com/-	ee2dh.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	590130
Start date and time:	2022-03-16 05:41:20 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ee2dh.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@0/0@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

Exclude process from analysis (whitelisted): svchost.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.160142050290745
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% InstallShield setup (43055/19) 0.21% UPX compressed Win32 Executable (30571/9) 0.15% Generic Win/DOS Executable (2004/3) 0.01%
File name:	ee2dh.exe
File size:	4644864
MD5:	1eb820e4003cdcd9b2ee3252d4333950
SHA1:	489e4e88c6bbd601ceeeddb629d5f05b2a43bfc6
SHA256:	ee2d920c7fa032c3bc22365770ea3b79b2d97c4177438758e95d8d31b37b9a92
SHA512:	763ea3fd4ced8906b818428469948ce2d57c96578ed9729e6e395f084e17e442fce47b4ae71dda31656e16b39f9f60d407828465bde2e440f3282c2623365b3e
SSDEEP:	98304:NtqB4mDphEHZ/rDjfLe9cygGdVyVT9nOgmhh:CDw9rLe9dWT9nO7H
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e..a..................h...........h.. ....h...@.. ........................i...........@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x1a8b4ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61B51365 [Sat Dec 11 21:08:53 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x168b454	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x168c000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x168e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16894b4	0x1689600	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x168c000	0x598	0x600	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x168e000	0xc	0x200	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

⊘No system behavior

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ee2dh.exe

Overview

General Information

Detection

Signatures

Classification

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Data Directories

Sections

Network Behavior

Statistics

System Behavior

Disassembly

Windows Analysis Report
ee2dh.exe