Windows Analysis Report
steg.exe

Overview

General Information

Sample Name: steg.exe
Analysis ID: 593806
MD5: 30747bb37997b54d37bae65ae590b7e8
SHA1: d702ffaac8bf35f3372ef2c310b21eef8a91f6ea
SHA256: a39f2e3d1a27bd091c689a09499b374e5f6743de23b42bfd9c7a17c1d49dfad7
Tags: NET, exe, hawkeye, keylogger

Detection

HawkEye, BrowserPasswordDump Tool, EmailPasswordDump Tool
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HawkEye Keylogger
Yara detected AntiVM3
Antivirus detection for dropped file
Yara detected EmailPasswordDump Tool by SecurityXploded
Yara detected BrowserPasswordDump Tool by SecurityXploded
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Installs a global keyboard hook
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Sigma detected: CurrentVersion Autorun Keys Modification
May infect USB drives
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Sigma detected: Suspicious Outbound SMTP Connections
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains functionality to query network adapter information
Sigma detected: Autorun Keys Modification
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • steg.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\steg.exe" MD5: 30747BB37997B54D37BAE65AE590B7E8)
    • Windows Update.exe (PID: 7000 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 30747BB37997B54D37BAE65AE590B7E8)
      • dw20.exe (PID: 5912 cmdline: dw20.exe -x -s 2708 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • WindowsUpdate.exe (PID: 6424 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 30747BB37997B54D37BAE65AE590B7E8)
    • Windows Update.exe (PID: 5876 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 30747BB37997B54D37BAE65AE590B7E8)
      • dw20.exe (PID: 5528 cmdline: dw20.exe -x -s 2676 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
steg.exe | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth | 0x78b0f:$x1: http://securityxploded.com; 0xfee48:$x1: http://securityxploded.com
steg.exe | JoeSecurity_EmailPasswordDump_Tool | Yara detected EmailPasswordDump Tool by SecurityXploded | Joe Security |
steg.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
steg.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |
steg.exe | JoeSecurity_BrowserPasswordDump_Tool | Yara detected BrowserPasswordDump Tool by SecurityXploded | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth | 0x78b0f:$x1: http://securityxploded.com; 0xfee48:$x1: http://securityxploded.com
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_EmailPasswordDump_Tool | Yara detected EmailPasswordDump Tool by SecurityXploded | Joe Security |
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_BrowserPasswordDump_Tool | Yara detected BrowserPasswordDump Tool by SecurityXploded | Joe Security |

Source | Rule | Description | Author | Strings
0000000E.00000002.359909884.0000000003801000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |
0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_EmailPasswordDump_Tool | Yara detected EmailPasswordDump Tool by SecurityXploded | Joe Security |
0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |
0000000C.00000002.333085217.00000000002C2000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_BrowserPasswordDump_Tool | Yara detected BrowserPasswordDump Tool by SecurityXploded | Joe Security |
(5 of 79 entries shown)

Source | Rule | Description | Author | Strings
4.2.Windows Update.exe.9d97c.1.unpack | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth | 0x726cc:$x1: http://securityxploded.com
4.2.Windows Update.exe.9d97c.1.unpack | JoeSecurity_EmailPasswordDump_Tool | Yara detected EmailPasswordDump Tool by SecurityXploded | Joe Security |
12.2.WindowsUpdate.exe.2cb377.2.unpack | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth | 0x6e998:$x1: http://securityxploded.com
12.2.WindowsUpdate.exe.2cb377.2.unpack | JoeSecurity_BrowserPasswordDump_Tool | Yara detected BrowserPasswordDump Tool by SecurityXploded | Joe Security |
4.0.Windows Update.exe.1b377.2.unpack | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth | 0x6e998:$x1: http://securityxploded.com