Windows Analysis Report
72QC-GMI2022.exe

Overview

General Information

Sample Name:72QC-GMI2022.exe
Analysis ID:601910
MD5:de8a8f710f5bfdacbc1843b997741b86
SHA1:3abf5d61febd54753055bb2707853ea2eace025a
SHA256:f97f876b529e2569d80b1190a249088582117b29aef9af9d8a0e992c2df2db2d
Tags:exehawkeye

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Detected HawkEye Rat
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Yara detected WebBrowserPassView password recovery tool
.NET source code contains very large strings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification

Classification

(classification graph omitted)

Process Tree

  • System is w10x64
  • 72QC-GMI2022.exe (PID: 996 cmdline: "C:\Users\user\Desktop\72QC-GMI2022.exe" MD5: DE8A8F710F5BFDACBC1843B997741B86)
    • RegSvcs.exe (PID: 4792 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 4480 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
      • vbc.exe (PID: 472 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 2948 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6028 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 3700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 4528 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 2660 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 6628 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • WindowsUpdate.exe (PID: 5468 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
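The process tree above is the whole HawkEye chain in miniature: the dropper starts two copies of RegSvcs.exe (a signed .NET Framework utility) and hollows them, the second one launches vbc.exe twice with the NirSoft /stext switch that MailPassView and WebBrowserPassView use to write recovered credentials to a text file, each hollowed host is then reported by WerFault, and the persistence copy WindowsUpdate.exe in %APPDATA%\Roaming carries the same MD5 as RegSvcs.exe, i.e. it is a renamed copy of the utility that the loader will hollow again after reboot. The script below is an added example, not part of the Joe Sandbox report: it runs these heuristics over a process-creation log. EVENTS is constructed by hand to mirror the tree in a simplified pid/ppid/image/cmdline schema (not a Sysmon or EDR export); the RegSvcs.exe directory is assumed because the report prints only "{path}", explorer.exe is an assumed parent for the dropper, and the parent of the two WindowsUpdate.exe instances is not given in the report, so ppid=0 is used for them.

```python
"""Triage of a process-creation log for the HawkEye chain shown in this report.

Added example, not part of the Joe Sandbox report. EVENTS is constructed to mirror
the report's process tree (simplified schema, not a Sysmon/EDR export); the
RegSvcs.exe directory, the explorer.exe parent and ppid=0 for WindowsUpdate.exe
are assumptions, since the report does not state them.
"""
import ntpath
import re

NET = r"C:\Windows\Microsoft.NET\Framework"  # assumed v4 path for RegSvcs.exe, report shows only {path}
EVENTS = [
    {"pid": 1000, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},  # constructed parent
    {"pid": 996, "ppid": 1000, "image": r"C:\Users\user\Desktop\72QC-GMI2022.exe",
     "cmdline": r'"C:\Users\user\Desktop\72QC-GMI2022.exe"'},
    {"pid": 4792, "ppid": 996, "image": NET + r"\v4.0.30319\RegSvcs.exe", "cmdline": NET + r"\v4.0.30319\RegSvcs.exe"},
    {"pid": 4480, "ppid": 996, "image": NET + r"\v4.0.30319\RegSvcs.exe", "cmdline": NET + r"\v4.0.30319\RegSvcs.exe"},
    {"pid": 472, "ppid": 4480, "image": NET + r"\v2.0.50727\vbc.exe",
     "cmdline": NET + r'\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"'},
    {"pid": 2948, "ppid": 472, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 176"},
    {"pid": 6028, "ppid": 4480, "image": NET + r"\v2.0.50727\vbc.exe",
     "cmdline": NET + r'\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"'},
    {"pid": 3700, "ppid": 6028, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 176"},
    {"pid": 4528, "ppid": 4480, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 2660"},
    {"pid": 6628, "ppid": 0, "image": r"C:\Users\user\AppData\Roaming\WindowsUpdate.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"'},
    {"pid": 6560, "ppid": 6628, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 5468, "ppid": 0, "image": r"C:\Users\user\AppData\Roaming\WindowsUpdate.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"'},
    {"pid": 3384, "ppid": 5468, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Signed .NET Framework utilities that loaders start suspended and hollow. The report
# shows RegSvcs.exe and vbc.exe; RegAsm.exe is a well-known sibling. Assumed list.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "vbc.exe"}
# Parents that legitimately launch those utilities (assumed allow-list, tune to your estate).
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe", "installutil.exe"}
# NirSoft password-recovery tools write their result with "/stext <file>".
STEXT_RE = re.compile(r'(?i)\s/stext\s+"?([^"]+)"?')
# WerFault.exe -p <pid> names the process that crashed.
WERFAULT_RE = re.compile(r"(?i)\s-p\s+(\d+)")


def _name(path):
    return ntpath.basename(path).lower()


def triage(events):
    """Return {pid: [reasons]} for processes matching the HawkEye chain heuristics."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for e in events:
        name = _name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _name(parent["image"]) if parent else "unknown"
        # 1. .NET utility started by something other than a build/install tool: probable hollowing host
        #    ("Creates a process in suspended mode", "Sample uses process hollowing technique").
        if name in HOLLOW_HOSTS and parent_name not in EXPECTED_PARENTS:
            flag(e["pid"], f"{name} started by {parent_name}: probable hollowing host")
        # 2. /stext switch: MailPassView / WebBrowserPassView dumping credentials to a file.
        m = STEXT_RE.search(e["cmdline"])
        if m:
            flag(e["pid"], f"NirSoft /stext output to {m.group(1)}: credential dump")
        # 3. Executable sitting directly in %APPDATA%\Roaming: dropped persistence copy.
        if ntpath.dirname(e["image"]).lower().endswith(r"\appdata\roaming"):
            flag(e["pid"], f"{name} runs directly from %APPDATA%\\Roaming: dropped persistence binary")
    # 4. WerFault for an already flagged pid: the injected payload crashed its host
    #    (the report's "One or more processes crash").
    for e in events:
        if _name(e["image"]) == "werfault.exe":
            m = WERFAULT_RE.search(e["cmdline"])
            if m and int(m.group(1)) in findings:
                flag(int(m.group(1)), "crashed (WerFault): injected payload faulted in its host")
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(triage(EVENTS).items()):
        for r in reasons:
            print(f"{pid:>5}  {r}")
```

Rule 1 is the one that generalises: any of these utilities running with an empty command line under a parent that is not a build or installer tool deserves a look, whatever family is behind it. Rule 3 deliberately does not key on the name WindowsUpdate.exe, since the dropped file name is chosen by the operator; the location is the stable part. On real telemetry the same logic maps onto Sysmon event 1 fields (Image, ParentImage, CommandLine), and the suspended-create plus write-to-foreign-memory behaviour is what the report's injection signatures see at a lower layer.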
Malware Configuration

No configs have been found
Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | -
00000006.00000002.352893302.0000000007C50000.00000004.08000000.00040000.00000000.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b: $typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000006.00000000.328842205.0000000007C40000.00000004.08000000.00040000.00000000.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b: $typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000006.00000002.352866498.0000000007C40000.00000004.08000000.00040000.00000000.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b: $typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000006.00000000.326736437.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | -
(60 entries in total; only the first five are reproduced here)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.0.RegSvcs.exe.2c4b32c.21.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b: $typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.0.RegSvcs.exe.2e50e94.33.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b: $typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.2.RegSvcs.exe.2e50e94.6.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b: $typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.0.RegSvcs.exe.45fa72.29.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | -
6.2.RegSvcs.exe.3c29930.7.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | -
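The HKTL_NET_GUID_* rules key on the assembly's typelib GUID, the value of [assembly: Guid("...")], which is stored as a plain string in the .NET metadata blob heap and therefore survives string encryption and control-flow obfuscation of the code itself; that is why every hit above lands at the same offset (0x101b) in each unpacked RegSvcs.exe image, and why the same GUID appears in the injected memory regions of process 6. The script below is an added example, not the rule and not code from the report: it reproduces the matching semantics as I read that rule family (the GUID as an ASCII or UTF-16LE string, case-insensitive, in a buffer that starts with an MZ/PE header), and goes one step further by extracting every GUID-shaped string so that an unknown build can be catalogued before a rule exists for it. SAMPLE is a constructed byte buffer, the second GUID in it is made up, and the offsets it yields are not those of the real file.

```python
"""Typelib-GUID fingerprinting in the style of the HKTL_NET_GUID_* Yara rules.

Added example, not the rule itself and not code from the Joe Sandbox report.
The matching semantics (ASCII or UTF-16LE, case-insensitive, PE header gate)
are my reading of that rule family, not a verbatim copy. SAMPLE is constructed.
"""
import re
import struct

# typelib GUID that HKTL_NET_GUID_Stealer matched six times in this report
KNOWN_BAD_GUIDS = {"8fcd4931-91a2-4e18-849b-70de34ab75df": "HKTL_NET_GUID_Stealer"}

HEX = rb"[0-9a-fA-F]"
ASCII_GUID_RE = re.compile(HEX + rb"{8}-" + HEX + rb"{4}-" + HEX + rb"{4}-" + HEX + rb"{4}-" + HEX + rb"{12}")
WHEX = rb"(?:[0-9a-fA-F]\x00)"  # one UTF-16LE hex digit
WIDE_GUID_RE = re.compile(
    WHEX + rb"{8}-\x00" + WHEX + rb"{4}-\x00" + WHEX + rb"{4}-\x00" + WHEX + rb"{4}-\x00" + WHEX + rb"{12}"
)


def looks_like_pe(data: bytes) -> bool:
    """Header gate: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_guids(data: bytes):
    """Every GUID-shaped string in data as (offset, encoding, guid lower-cased), sorted by offset."""
    hits = [(m.start(), "ascii", m.group(0).decode("ascii").lower()) for m in ASCII_GUID_RE.finditer(data)]
    hits += [(m.start(), "wide", m.group(0).decode("utf-16-le").lower()) for m in WIDE_GUID_RE.finditer(data)]
    return sorted(hits)


def match_known(data: bytes, known=KNOWN_BAD_GUIDS):
    """Rule-style verdict: PE header present and a known GUID in either encoding, any case."""
    if not looks_like_pe(data):
        return []
    return [(off, enc, guid, known[guid]) for off, enc, guid in extract_guids(data) if guid in known]


GUID = "8fcd4931-91a2-4e18-849b-70de34ab75df"
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00"  # 0..67: minimal MZ header, e_lfanew -> "PE\0\0" (constructed)
    + b"\x01\x00" + bytes([36]) + GUID.encode("ascii")           # 68..106: CustomAttribute prolog + SerString length, GUID text at 71
    + b"\x00" * 16                                                # 107..122: padding
    + GUID.upper().encode("utf-16-le")                            # 123..194: same GUID as an upper-case wide string
    + b"\x00" * 8                                                 # 195..202: padding
    + b"01234567-89ab-cdef-0123-456789abcdef"                     # 203..238: made-up GUID-shaped string, not in the known set
)

if __name__ == "__main__":
    for off, enc, guid in extract_guids(SAMPLE):
        print(f"0x{off:04x} {enc:5} {guid} {KNOWN_BAD_GUIDS.get(guid, '')}")
```

Run it over a dumped or unpacked image (the `.unpack` artefacts above) rather than the packed dropper, since the GUID lives in the payload's metadata, not the loader's. The caveat a practitioner wants: the GUID is one constant that a recompile with a fresh Guid attribute replaces, so treat a typelibguid hit as a cheap, high-precision tag for reused builds and rely on the behavioural signatures in this report (hollowing, /stext, registry monitoring) for coverage of new ones.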