Source: ee2dh.exe | Virustotal: Detection: 41% | Perma Link |
Source: ee2dh.exe | Metadefender: Detection: 22% | Perma Link |
Source: ee2dh.exe | ReversingLabs: Detection: 42% |
Source: http://22ssh.com/32.exe | Avira URL Cloud: Label: PUA |
Source: http://22ssh.com/32.exe | Virustotal: Detection: 9% | Perma Link |
Source: ee2dh.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: ee2dh.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: D:\buildbot\slave1\desktop_screen\build\bin\active_desktop_launcher.pdb source: ee2dh.exe |
Source: | Binary string: C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: ee2dh.exe |
Source: | Binary string: ]C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: ee2dh.exe |
Source: | Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: ee2dh.exe |
Source: | Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: ee2dh.exe |
Source: | Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: ee2dh.exe |
Source: | Binary string: \MyDriver\x64\Release\MyDriver.pdb source: ee2dh.exe |
Source: ee2dh.exe | Binary or memory string: autorun.inf |
Source: ee2dh.exe | Binary or memory string: [autorun] |
Source: ee2dh.exe | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook) |
Source: ee2dh.exe | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo) |
Source: ee2dh.exe | String found in binary or memory: http://22ssh.com/32.exe |
Source: ee2dh.exe | String found in binary or memory: http://whatismyipaddress.com/- |
Source: ee2dh.exe | String found in binary or memory: http://www.freeeim.com/D |
Source: ee2dh.exe | String found in binary or memory: http://www.nirsoft.net/ |
Source: Yara match | File source: ee2dh.exe, type: SAMPLE |
Source: ee2dh.exe, type: SAMPLE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net> |
Source: ee2dh.exe, type: SAMPLE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen |
Source: ee2dh.exe, type: SAMPLE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group |
Source: ee2dh.exe | Static PE information: No import functions for PE file found |
Source: ee2dh.exe, type: SAMPLE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: ee2dh.exe, type: SAMPLE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: ee2dh.exe, type: SAMPLE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime |
Source: ee2dh.exe, type: SAMPLE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: ee2dh.exe | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs ee2dh.exe |
Source: ee2dh.exe | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs ee2dh.exe |
Source: ee2dh.exe | Binary or memory string: OriginalFilenamemailpv.exe< vs ee2dh.exe |
Source: ee2dh.exe | Binary or memory string: OriginalFilenamePhulli.exe0 vs ee2dh.exe |
Source: ee2dh.exe | Binary or memory string: OriginalFilenameactive_desktop_launcher.exe, vs ee2dh.exe |
Source: ee2dh.exe | Binary or memory string: OriginalFilenameChrome.exe. vs ee2dh.exe |
Source: ee2dh.exe | Binary or memory string: OriginalFilenamefreeeim.exe vs ee2dh.exe |
Source: ee2dh.exe | Static PE information: Data appended to the last section found |
Source: ee2dh.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: ee2dh.exe | String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05 |
Source: ee2dh.exe | Binary string: \Device\Orange64 |
Source: classification engine | Classification label: mal100.troj.spyw.winEXE@0/0@0/0 |
Source: ee2dh.exe | Static file information: File size 4644864 > 1048576 |
Source: ee2dh.exe | Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: ee2dh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: ee2dh.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1689600 |
Source: ee2dh.exe | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger |
Source: ee2dh.exe | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed | |
Source: ee2dh.exe | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records | |
Source: ee2dh.exe | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_ |