Windows Analysis Report
7.exe

Overview

General Information

Sample Name: 7.exe
Analysis ID: 597511
MD5: ed666bf7f4a0766fcec0e9c8074b089b
SHA1: 1b90f1a4cb6059d573fff115b3598604825d76e6
SHA256: d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264
Tags: exe

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: CurrentVersion Autorun Keys Modification
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Uses FTP
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Autorun Keys Modification

Process Tree

  • System is w10x64
  • 7.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\7.exe" MD5: ED666BF7F4A0766FCEC0E9C8074B089B)
    • vbc.exe (PID: 7048 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • vbc.exe (PID: 7064 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • WindowsUpdate.exe (PID: 5692 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: ED666BF7F4A0766FCEC0E9C8074B089B)
  • WindowsUpdate.exe (PID: 2372 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: ED666BF7F4A0766FCEC0E9C8074B089B)
  • cleanup
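The process tree above shows the two behaviours worth turning into host-level detections: vbc.exe (a .NET Framework compiler) launched with NirSoft's /stext switch to write recovered credentials to holdermail.txt and holderwb.txt, which is the hollowed-process technique the signature list flags, and a copy of the sample running as WindowsUpdate.exe from AppData\Roaming with the same MD5 as 7.exe, matching the two "Autorun Keys Modification" Sigma hits. The block below is an added example written for this page; it is not Joe Sandbox output, HawkEye code or a published Sigma rule. It runs three checks over constructed Sysmon-style events that mirror the report. Assumptions: the event field names follow Sysmon (EventID 1 process creation, EventID 13 registry value set); the registry SID, the Run value name "WindowsUpdate" and the event ordering are invented; the list of hollowing hosts beyond vbc.exe is mine, added so the rule generalises past this one sample.

```python
"""Host-level triage checks derived from the HawkEye process tree above.

Added example for this page, not Joe Sandbox output, HawkEye code or a Sigma rule.
Event shape follows Sysmon (EventID 1 = process create, EventID 13 = registry value
set); the events below are constructed by hand to mirror the report.
"""
import re
from collections import defaultdict

# .NET Framework binaries routinely used as hollowing hosts. The report shows only
# vbc.exe; the remaining names are an assumption added for generality.
HOLLOWING_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                   "msbuild.exe", "installutil.exe", "applaunch.exe"}

# NirSoft recovery tools take "/stext <file>" to dump recovered credentials as text.
STEXT_SWITCH = re.compile(r'(^|\s)/stext\s+"?([^"]+\.txt)', re.IGNORECASE)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Constructed events. PIDs, image paths, command lines and MD5s are taken from the
# report; the SID, the Run value name "WindowsUpdate" and the ordering are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 6464,
     "Image": r"C:\Users\user\Desktop\7.exe",
     "CommandLine": r'"C:\Users\user\Desktop\7.exe"',
     "Hashes": "MD5=ED666BF7F4A0766FCEC0E9C8074B089B"},
    {"EventID": 1, "ProcessId": 7048,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "CommandLine": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"',
     "Hashes": "MD5=C63ED21D5706A527419C9FBD730FFB2E"},
    {"EventID": 1, "ProcessId": 7064,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "CommandLine": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"',
     "Hashes": "MD5=C63ED21D5706A527419C9FBD730FFB2E"},
    {"EventID": 13, "ProcessId": 6464,
     "Image": r"C:\Users\user\Desktop\7.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-1000-1000-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"},
    {"EventID": 1, "ProcessId": 5692,
     "Image": r"C:\Users\user\AppData\Roaming\WindowsUpdate.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"',
     "Hashes": "MD5=ED666BF7F4A0766FCEC0E9C8074B089B"},
    {"EventID": 1, "ProcessId": 2372,
     "Image": r"C:\Users\user\AppData\Roaming\WindowsUpdate.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"',
     "Hashes": "MD5=ED666BF7F4A0766FCEC0E9C8074B089B"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def md5_of(hashes):
    m = re.search(r"MD5=([0-9A-Fa-f]{32})", hashes or "")
    return m.group(1).upper() if m else None


def triage(events):
    """Return (rule, pid, detail) tuples for every event that trips a check."""
    findings = []
    paths_by_md5 = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 1:
            image, cmd = ev["Image"], ev.get("CommandLine", "")
            # 1. A .NET host binary given NirSoft's /stext switch: the recovery
            #    tool has been injected into it and is dumping credentials to disk.
            m = STEXT_SWITCH.search(cmd)
            if m and basename(image) in HOLLOWING_HOSTS:
                findings.append(("nirsoft_stext_in_dotnet_host", ev["ProcessId"], m.group(2)))
            # 2. The same binary (by MD5) executed from a second path under AppData:
            #    the sample copied itself there for persistence. Fires once per path.
            h = md5_of(ev.get("Hashes"))
            if h:
                first_time = image not in paths_by_md5[h]
                paths_by_md5[h].add(image)
                if first_time and len(paths_by_md5[h]) > 1 and USER_WRITABLE.search(image):
                    findings.append(("self_copy_run_from_appdata", ev["ProcessId"], image))
        elif ev["EventID"] == 13:
            # 3. A Run/RunOnce value whose data points into the user profile.
            if AUTORUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]):
                findings.append(("autorun_points_into_appdata", ev["ProcessId"], ev["Details"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

The /stext check is the most specific of the three: a compiler has no reason to take that switch, so a hit is a near-certain sign of an injected NirSoft tool regardless of which family did the injecting. The self-copy check keys on the hash rather than the file name, so renaming the dropped copy does not evade it.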
Malware Configuration

No configs have been found
Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
7.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8d9:$key: HawkEyeKeylogger
  • 0x7db15:$salt: 099u787978786
  • 0x7bf12:$string1: HawkEye_Keylogger
  • 0x7cd65:$string1: HawkEye_Keylogger
  • 0x7da75:$string1: HawkEye_Keylogger
  • 0x7c2fb:$string2: holdermail.txt
  • 0x7c31b:$string2: holdermail.txt
  • 0x7c23d:$string3: wallet.dat
  • 0x7c255:$string3: wallet.dat
  • 0x7c26b:$string3: wallet.dat
  • 0x7d657:$string4: Keylog Records
  • 0x7d96f:$string4: Keylog Records
  • 0x7db6d:$string5: do not script -->
  • 0x7b8c1:$string6: \pidloc.txt
  • 0x7b927:$string7: BSPLIT
  • 0x7b937:$string7: BSPLIT
7.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
7.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
7.exe | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(1 additional entry not shown)
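Each string row in the table above is one YARA string match, written as file offset, string identifier and matched value. The block below is an added example written for this page; it is not the report's output and not Kevin Breen's RAT_HawkEye rule. It searches a byte buffer for the same identifiers and values, in both ASCII and UTF-16LE form (the sample is a .NET binary, whose user-string literals are stored as UTF-16), and prints rows in the same 0xoffset:$id: value layout so a hit can be re-checked on a raw file or memory dump without YARA installed. The match condition (key, salt and at least two numbered strings) and the sample buffer are constructed for the example; the published rule's condition is not on this page.

```python
"""Reproduce a YARA-style string match listing for the RAT_HawkEye strings above.

Added example for this page; not the report's output and not Kevin Breen's rule.
Identifiers and values are the ones listed in the table; the condition and the
sample buffer are constructed for the example.
"""
import sys

STRINGS = {
    "$key": b"HawkEyeKeylogger",
    "$salt": b"099u787978786",
    "$string1": b"HawkEye_Keylogger",
    "$string2": b"holdermail.txt",
    "$string3": b"wallet.dat",
    "$string4": b"Keylog Records",
    "$string5": b"do not script -->",
    "$string6": b"\\pidloc.txt",
    "$string7": b"BSPLIT",
}


def find_all(buf, needle):
    """Every offset of needle in buf, overlapping occurrences included."""
    offsets, i = [], buf.find(needle)
    while i != -1:
        offsets.append(i)
        i = buf.find(needle, i + 1)
    return offsets


def scan(buf):
    """Map identifier -> sorted [(offset, 'ascii' | 'wide')].

    HawkEye is a .NET binary, so literals in its #US heap are UTF-16LE; both the
    ASCII and the wide encoding of every string are searched.
    """
    hits = {}
    for ident, ascii_form in STRINGS.items():
        wide_form = ascii_form.decode("ascii").encode("utf-16-le")
        found = [(o, "ascii") for o in find_all(buf, ascii_form)]
        found += [(o, "wide") for o in find_all(buf, wide_form)]
        if found:
            hits[ident] = sorted(found)
    return hits


def matches(hits):
    """Example condition: key and salt present plus at least two numbered strings.
    (The published rule's condition is not on this page; this one is chosen here.)"""
    numbered = sum(1 for ident in hits if ident.startswith("$string"))
    return "$key" in hits and "$salt" in hits and numbered >= 2


def render(hits):
    """Rows in the report's '0xoffset:$id: value' layout."""
    return [f"0x{off:x}:{ident}: {STRINGS[ident].decode('ascii')}"
            for ident, lst in hits.items() for off, _ in lst]


# Constructed buffer with four of the strings at known offsets (not a HawkEye sample).
SAMPLE_BUF = (
    b"\x00" * 0x10
    + b"HawkEyeKeylogger"                       # $key     (ascii) at 0x10
    + b"\x00" * 0x20
    + "HawkEye_Keylogger".encode("utf-16-le")   # $string1 (wide)  at 0x40
    + b"\x00" * 8
    + b"holdermail.txt"                         # $string2 (ascii) at 0x6a
    + b"\x00" * 4
    + b"099u787978786"                          # $salt    (ascii) at 0x7c
)


if __name__ == "__main__":
    # Pass a file path to scan a real sample or dump; otherwise the constructed buffer is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUF
    hits = scan(data)
    print("\n".join(render(hits)))
    print("RAT_HawkEye-style condition:", matches(hits))
```

Running it against the dropped WindowsUpdate.exe should give the same offsets as against 7.exe, since the two files share an MD5; against a memory dump the offsets shift with the load address and section layout, which is why the dump rows in the tables that follow differ from the file rows.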
Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8d9:$key: HawkEyeKeylogger
  • 0x7db15:$salt: 099u787978786
  • 0x7bf12:$string1: HawkEye_Keylogger
  • 0x7cd65:$string1: HawkEye_Keylogger
  • 0x7da75:$string1: HawkEye_Keylogger
  • 0x7c2fb:$string2: holdermail.txt
  • 0x7c31b:$string2: holdermail.txt
  • 0x7c23d:$string3: wallet.dat
  • 0x7c255:$string3: wallet.dat
  • 0x7c26b:$string3: wallet.dat
  • 0x7d657:$string4: Keylog Records
  • 0x7d96f:$string4: Keylog Records
  • 0x7db6d:$string5: do not script -->
  • 0x7b8c1:$string6: \pidloc.txt
  • 0x7b927:$string7: BSPLIT
  • 0x7b937:$string7: BSPLIT
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(1 additional entry not shown)
Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000000.295698908.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000006.00000000.294953383.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000007.00000002.336555805.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000006.00000000.294308364.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b6d9:$key: HawkEyeKeylogger
  • 0x7d915:$salt: 099u787978786
  • 0x7bd12:$string1: HawkEye_Keylogger
  • 0x7cb65:$string1: HawkEye_Keylogger
  • 0x7d875:$string1: HawkEye_Keylogger
  • 0x7c0fb:$string2: holdermail.txt
  • 0x7c11b:$string2: holdermail.txt
  • 0x7c03d:$string3: wallet.dat
  • 0x7c055:$string3: wallet.dat
  • 0x7c06b:$string3: wallet.dat
  • 0x7d457:$string4: Keylog Records
  • 0x7d76f:$string4: Keylog Records
  • 0x7d96d:$string5: do not script -->
  • 0x7b6c1:$string6: \pidloc.txt
  • 0x7b727:$string7: BSPLIT
  • 0x7b737:$string7: BSPLIT
(50 additional entries not shown)
Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.WindowsUpdate.exe.c99c0d.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
13.2.WindowsUpdate.exe.cefa72.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x1dc67:$key: HawkEyeKeylogger
  • 0x1fea3:$salt: 099u787978786
  • 0x1e2a0:$string1: HawkEye_Keylogger
  • 0x1f0f3:$string1: HawkEye_Keylogger
  • 0x1fe03:$string1: HawkEye_Keylogger
  • 0x1e689:$string2: holdermail.txt
  • 0x1e6a9:$string2: holdermail.txt
  • 0x1e5cb:$string3: wallet.dat
  • 0x1e5e3:$string3: wallet.dat
  • 0x1e5f9:$string3: wallet.dat
  • 0x1f9e5:$string4: Keylog Records
  • 0x1fcfd:$string4: Keylog Records
  • 0x1fefb:$string5: do not script -->
  • 0x1dc4f:$string6: \pidloc.txt
  • 0x1dcb5:$string7: BSPLIT
  • 0x1dcc5:$string7: BSPLIT
13.2.WindowsUpdate.exe.cefa72.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
13.2.WindowsUpdate.exe.cefa72.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
13.2.WindowsUpdate.exe.cefa72.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x1e2f8:$hawkstr1: HawkEye Keylogger
  • 0x1f139:$hawkstr1: HawkEye Keylogger
  • 0x1f468:$hawkstr1: HawkEye Keylogger
  • 0x1f5c3:$hawkstr1: HawkEye Keylogger
  • 0x1f726:$hawkstr1: HawkEye Keylogger
  • 0x1f9bd:$hawkstr1: HawkEye Keylogger
  • 0x1de86:$hawkstr2: Dear HawkEye Customers!
  • 0x1f4bb:$hawkstr2: Dear HawkEye Customers!
  • 0x1f612:$hawkstr2: Dear HawkEye Customers!
  • 0x1f779:$hawkstr2: Dear HawkEye Customers!
  • 0x1dfa7:$hawkstr3: HawkEye Logger Details: