Edit tour

Windows Analysis Report
72QC-GMI2022.exe

Overview

General Information

Sample Name:	72QC-GMI2022.exe
Analysis ID:	601910
MD5:	de8a8f710f5bfdacbc1843b997741b86
SHA1:	3abf5d61febd54753055bb2707853ea2eace025a
SHA256:	f97f876b529e2569d80b1190a249088582117b29aef9af9d8a0e992c2df2db2d
Tags:	exehawkeye
Infos:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MailPassView

Multi AV Scanner detection for submitted file

Yara detected HawkEye Keylogger

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Detected HawkEye Rat

Sample uses process hollowing technique

Writes to foreign memory regions

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality to log keystrokes (.Net Source)

Changes the view of files in windows explorer (hidden files and folders)

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected WebBrowserPassView password recovery tool

.NET source code contains very large strings

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

May infect USB drives

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Sigma detected: Autorun Keys Modification

Classification

Process Tree

System is w10x64

72QC-GMI2022.exe (PID: 996 cmdline: "C:\Users\user\Desktop\72QC-GMI2022.exe" MD5: DE8A8F710F5BFDACBC1843B997741B86)

RegSvcs.exe (PID: 4792 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

RegSvcs.exe (PID: 4480 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

vbc.exe (PID: 472 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

WerFault.exe (PID: 2948 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

vbc.exe (PID: 6028 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

WerFault.exe (PID: 3700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 4528 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 2660 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WindowsUpdate.exe (PID: 6628 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WindowsUpdate.exe (PID: 5468 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000002.352893302.0000000007C50000.00000004.08000000.00040000.00000000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000006.00000000.328842205.0000000007C40000.00000004.08000000.00040000.00000000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000006.00000002.352866498.0000000007C40000.00000004.08000000.00040000.00000000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000006.00000000.326736437.0000000003C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x5304:$hawkstr1: HawkEye Keylogger 0x7138:$hawkstr1: HawkEye Keylogger 0x74b8:$hawkstr1: HawkEye Keylogger 0x1c3bfc:$hawkstr1: HawkEye Keylogger 0x4dbc:$hawkstr2: Dear HawkEye Customers! 0x7198:$hawkstr2: Dear HawkEye Customers! 0x7518:$hawkstr2: Dear HawkEye Customers! 0x4eea:$hawkstr3: HawkEye Logger Details:
00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6dc:$key: HawkEyeKeylogger 0x7d912:$salt: 099u787978786 0x7bce9:$string1: HawkEye_Keylogger 0x7cb3c:$string1: HawkEye_Keylogger 0x7d872:$string1: HawkEye_Keylogger 0x7c0d2:$string2: holdermail.txt 0x7c0f2:$string2: holdermail.txt 0x7c014:$string3: wallet.dat 0x7c02c:$string3: wallet.dat 0x7c042:$string3: wallet.dat 0x7d454:$string4: Keylog Records 0x7d76c:$string4: Keylog Records 0x7d96a:$string5: do not script --> 0x7b6c4:$string6: \pidloc.txt 0x7b71e:$string7: BSPLIT 0x7b72e:$string7: BSPLIT
00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd41:$hawkstr1: HawkEye Keylogger 0x7cb82:$hawkstr1: HawkEye Keylogger 0x7ceb1:$hawkstr1: HawkEye Keylogger 0x7d00c:$hawkstr1: HawkEye Keylogger 0x7d16f:$hawkstr1: HawkEye Keylogger 0x7d42c:$hawkstr1: HawkEye Keylogger 0x7b8cf:$hawkstr2: Dear HawkEye Customers! 0x7cf04:$hawkstr2: Dear HawkEye Customers! 0x7d05b:$hawkstr2: Dear HawkEye Customers! 0x7d1c2:$hawkstr2: Dear HawkEye Customers! 0x7b9f0:$hawkstr3: HawkEye Logger Details:
00000006.00000000.328851299.0000000007C50000.00000004.08000000.00040000.00000000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000006.00000002.350683111.0000000003C95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000000.320764798.0000000007C40000.00000004.08000000.00040000.00000000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6dc:$key: HawkEyeKeylogger 0x7d912:$salt: 099u787978786 0x7bce9:$string1: HawkEye_Keylogger 0x7cb3c:$string1: HawkEye_Keylogger 0x7d872:$string1: HawkEye_Keylogger 0x7c0d2:$string2: holdermail.txt 0x7c0f2:$string2: holdermail.txt 0x7c014:$string3: wallet.dat 0x7c02c:$string3: wallet.dat 0x7c042:$string3: wallet.dat 0x7d454:$string4: Keylog Records 0x7d76c:$string4: Keylog Records 0x7d96a:$string5: do not script --> 0x7b6c4:$string6: \pidloc.txt 0x7b71e:$string7: BSPLIT 0x7b72e:$string7: BSPLIT
00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd41:$hawkstr1: HawkEye Keylogger 0x7cb82:$hawkstr1: HawkEye Keylogger 0x7ceb1:$hawkstr1: HawkEye Keylogger 0x7d00c:$hawkstr1: HawkEye Keylogger 0x7d16f:$hawkstr1: HawkEye Keylogger 0x7d42c:$hawkstr1: HawkEye Keylogger 0x7b8cf:$hawkstr2: Dear HawkEye Customers! 0x7cf04:$hawkstr2: Dear HawkEye Customers! 0x7d05b:$hawkstr2: Dear HawkEye Customers! 0x7d1c2:$hawkstr2: Dear HawkEye Customers! 0x7b9f0:$hawkstr3: HawkEye Logger Details:
00000006.00000002.350595876.0000000003C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000000.317681951.0000000003C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6dc:$key: HawkEyeKeylogger 0x7d912:$salt: 099u787978786 0x7bce9:$string1: HawkEye_Keylogger 0x7cb3c:$string1: HawkEye_Keylogger 0x7d872:$string1: HawkEye_Keylogger 0x7c0d2:$string2: holdermail.txt 0x7c0f2:$string2: holdermail.txt 0x7c014:$string3: wallet.dat 0x7c02c:$string3: wallet.dat 0x7c042:$string3: wallet.dat 0x7d454:$string4: Keylog Records 0x7d76c:$string4: Keylog Records 0x7d96a:$string5: do not script --> 0x7b6c4:$string6: \pidloc.txt 0x7b71e:$string7: BSPLIT 0x7b72e:$string7: BSPLIT
00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd41:$hawkstr1: HawkEye Keylogger 0x7cb82:$hawkstr1: HawkEye Keylogger 0x7ceb1:$hawkstr1: HawkEye Keylogger 0x7d00c:$hawkstr1: HawkEye Keylogger 0x7d16f:$hawkstr1: HawkEye Keylogger 0x7d42c:$hawkstr1: HawkEye Keylogger 0x7b8cf:$hawkstr2: Dear HawkEye Customers! 0x7cf04:$hawkstr2: Dear HawkEye Customers! 0x7d05b:$hawkstr2: Dear HawkEye Customers! 0x7d1c2:$hawkstr2: Dear HawkEye Customers! 0x7b9f0:$hawkstr3: HawkEye Logger Details:
00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x5304:$hawkstr1: HawkEye Keylogger 0x7138:$hawkstr1: HawkEye Keylogger 0x74b8:$hawkstr1: HawkEye Keylogger 0x1c3bfc:$hawkstr1: HawkEye Keylogger 0x4dbc:$hawkstr2: Dear HawkEye Customers! 0x7198:$hawkstr2: Dear HawkEye Customers! 0x7518:$hawkstr2: Dear HawkEye Customers! 0x4eea:$hawkstr3: HawkEye Logger Details:
00000006.00000000.320800565.0000000007C50000.00000004.08000000.00040000.00000000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6dc:$key: HawkEyeKeylogger 0x7d912:$salt: 099u787978786 0x7bce9:$string1: HawkEye_Keylogger 0x7cb3c:$string1: HawkEye_Keylogger 0x7d872:$string1: HawkEye_Keylogger 0x7c0d2:$string2: holdermail.txt 0x7c0f2:$string2: holdermail.txt 0x7c014:$string3: wallet.dat 0x7c02c:$string3: wallet.dat 0x7c042:$string3: wallet.dat 0x7d454:$string4: Keylog Records 0x7d76c:$string4: Keylog Records 0x7d96a:$string5: do not script --> 0x7b6c4:$string6: \pidloc.txt 0x7b71e:$string7: BSPLIT 0x7b72e:$string7: BSPLIT
00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd41:$hawkstr1: HawkEye Keylogger 0x7cb82:$hawkstr1: HawkEye Keylogger 0x7ceb1:$hawkstr1: HawkEye Keylogger 0x7d00c:$hawkstr1: HawkEye Keylogger 0x7d16f:$hawkstr1: HawkEye Keylogger 0x7d42c:$hawkstr1: HawkEye Keylogger 0x7b8cf:$hawkstr2: Dear HawkEye Customers! 0x7cf04:$hawkstr2: Dear HawkEye Customers! 0x7d05b:$hawkstr2: Dear HawkEye Customers! 0x7d1c2:$hawkstr2: Dear HawkEye Customers! 0x7b9f0:$hawkstr3: HawkEye Logger Details:
00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6dc:$key: HawkEyeKeylogger 0x7d912:$salt: 099u787978786 0x7bce9:$string1: HawkEye_Keylogger 0x7cb3c:$string1: HawkEye_Keylogger 0x7d872:$string1: HawkEye_Keylogger 0x7c0d2:$string2: holdermail.txt 0x7c0f2:$string2: holdermail.txt 0x7c014:$string3: wallet.dat 0x7c02c:$string3: wallet.dat 0x7c042:$string3: wallet.dat 0x7d454:$string4: Keylog Records 0x7d76c:$string4: Keylog Records 0x7d96a:$string5: do not script --> 0x7b6c4:$string6: \pidloc.txt 0x7b71e:$string7: BSPLIT 0x7b72e:$string7: BSPLIT
00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd41:$hawkstr1: HawkEye Keylogger 0x7cb82:$hawkstr1: HawkEye Keylogger 0x7ceb1:$hawkstr1: HawkEye Keylogger 0x7d00c:$hawkstr1: HawkEye Keylogger 0x7d16f:$hawkstr1: HawkEye Keylogger 0x7d42c:$hawkstr1: HawkEye Keylogger 0x7b8cf:$hawkstr2: Dear HawkEye Customers! 0x7cf04:$hawkstr2: Dear HawkEye Customers! 0x7d05b:$hawkstr2: Dear HawkEye Customers! 0x7d1c2:$hawkstr2: Dear HawkEye Customers! 0x7b9f0:$hawkstr3: HawkEye Logger Details:
00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0xfe3ec:$key: HawkEyeKeylogger 0x18040c:$key: HawkEyeKeylogger 0x100622:$salt: 099u787978786 0x182642:$salt: 099u787978786 0xfe9f9:$string1: HawkEye_Keylogger 0xff84c:$string1: HawkEye_Keylogger 0x100582:$string1: HawkEye_Keylogger 0x180a19:$string1: HawkEye_Keylogger 0x18186c:$string1: HawkEye_Keylogger 0x1825a2:$string1: HawkEye_Keylogger 0xfede2:$string2: holdermail.txt 0xfee02:$string2: holdermail.txt 0x180e02:$string2: holdermail.txt 0x180e22:$string2: holdermail.txt 0xfed24:$string3: wallet.dat 0xfed3c:$string3: wallet.dat 0xfed52:$string3: wallet.dat 0x180d44:$string3: wallet.dat 0x180d5c:$string3: wallet.dat 0x180d72:$string3: wallet.dat 0x100164:$string4: Keylog Records
00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0xfea51:$hawkstr1: HawkEye Keylogger 0xff892:$hawkstr1: HawkEye Keylogger 0xffbc1:$hawkstr1: HawkEye Keylogger 0xffd1c:$hawkstr1: HawkEye Keylogger 0xffe7f:$hawkstr1: HawkEye Keylogger 0x10013c:$hawkstr1: HawkEye Keylogger 0x180a71:$hawkstr1: HawkEye Keylogger 0x1818b2:$hawkstr1: HawkEye Keylogger 0x181be1:$hawkstr1: HawkEye Keylogger 0x181d3c:$hawkstr1: HawkEye Keylogger 0x181e9f:$hawkstr1: HawkEye Keylogger 0x18215c:$hawkstr1: HawkEye Keylogger 0xfe5df:$hawkstr2: Dear HawkEye Customers! 0xffc14:$hawkstr2: Dear HawkEye Customers! 0xffd6b:$hawkstr2: Dear HawkEye Customers! 0xffed2:$hawkstr2: Dear HawkEye Customers! 0x1805ff:$hawkstr2: Dear HawkEye Customers! 0x181c34:$hawkstr2: Dear HawkEye Customers! 0x181d8b:$hawkstr2: Dear HawkEye Customers! 0x181ef2:$hawkstr2: Dear HawkEye Customers! 0xfe700:$hawkstr3: HawkEye Logger Details:
00000006.00000000.326866300.0000000003C95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6dc:$key: HawkEyeKeylogger 0x7d912:$salt: 099u787978786 0x7bce9:$string1: HawkEye_Keylogger 0x7cb3c:$string1: HawkEye_Keylogger 0x7d872:$string1: HawkEye_Keylogger 0x7c0d2:$string2: holdermail.txt 0x7c0f2:$string2: holdermail.txt 0x7c014:$string3: wallet.dat 0x7c02c:$string3: wallet.dat 0x7c042:$string3: wallet.dat 0x7d454:$string4: Keylog Records 0x7d76c:$string4: Keylog Records 0x7d96a:$string5: do not script --> 0x7b6c4:$string6: \pidloc.txt 0x7b71e:$string7: BSPLIT 0x7b72e:$string7: BSPLIT
00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd41:$hawkstr1: HawkEye Keylogger 0x7cb82:$hawkstr1: HawkEye Keylogger 0x7ceb1:$hawkstr1: HawkEye Keylogger 0x7d00c:$hawkstr1: HawkEye Keylogger 0x7d16f:$hawkstr1: HawkEye Keylogger 0x7d42c:$hawkstr1: HawkEye Keylogger 0x7b8cf:$hawkstr2: Dear HawkEye Customers! 0x7cf04:$hawkstr2: Dear HawkEye Customers! 0x7d05b:$hawkstr2: Dear HawkEye Customers! 0x7d1c2:$hawkstr2: Dear HawkEye Customers! 0x7b9f0:$hawkstr3: HawkEye Logger Details:
00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6dc:$key: HawkEyeKeylogger 0x7d912:$salt: 099u787978786 0x7bce9:$string1: HawkEye_Keylogger 0x7cb3c:$string1: HawkEye_Keylogger 0x7d872:$string1: HawkEye_Keylogger 0x7c0d2:$string2: holdermail.txt 0x7c0f2:$string2: holdermail.txt 0x7c014:$string3: wallet.dat 0x7c02c:$string3: wallet.dat 0x7c042:$string3: wallet.dat 0x7d454:$string4: Keylog Records 0x7d76c:$string4: Keylog Records 0x7d96a:$string5: do not script --> 0x7b6c4:$string6: \pidloc.txt 0x7b71e:$string7: BSPLIT 0x7b72e:$string7: BSPLIT
00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd41:$hawkstr1: HawkEye Keylogger 0x7cb82:$hawkstr1: HawkEye Keylogger 0x7ceb1:$hawkstr1: HawkEye Keylogger 0x7d00c:$hawkstr1: HawkEye Keylogger 0x7d16f:$hawkstr1: HawkEye Keylogger 0x7d42c:$hawkstr1: HawkEye Keylogger 0x7b8cf:$hawkstr2: Dear HawkEye Customers! 0x7cf04:$hawkstr2: Dear HawkEye Customers! 0x7d05b:$hawkstr2: Dear HawkEye Customers! 0x7d1c2:$hawkstr2: Dear HawkEye Customers! 0x7b9f0:$hawkstr3: HawkEye Logger Details:
00000006.00000000.315151249.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000000.315151249.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x5304:$hawkstr1: HawkEye Keylogger 0x7138:$hawkstr1: HawkEye Keylogger 0x74b8:$hawkstr1: HawkEye Keylogger 0x1c3bfc:$hawkstr1: HawkEye Keylogger 0x4dbc:$hawkstr2: Dear HawkEye Customers! 0x7198:$hawkstr2: Dear HawkEye Customers! 0x7518:$hawkstr2: Dear HawkEye Customers! 0x4eea:$hawkstr3: HawkEye Logger Details:
Process Memory Space: 72QC-GMI2022.exe PID: 996	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 72QC-GMI2022.exe PID: 996	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: 72QC-GMI2022.exe PID: 996	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: 72QC-GMI2022.exe PID: 996	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: RegSvcs.exe PID: 4480	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: RegSvcs.exe PID: 4480	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 4480	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 60 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.0.RegSvcs.exe.2c4b32c.21.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.0.RegSvcs.exe.2e50e94.33.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.2.RegSvcs.exe.2e50e94.6.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.0.RegSvcs.exe.45fa72.29.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.2.RegSvcs.exe.3c29930.7.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.0.RegSvcs.exe.3c29930.24.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.0.RegSvcs.exe.45fa72.14.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.0.RegSvcs.exe.7c40000.37.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.0.RegSvcs.exe.409c0d.31.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.0.RegSvcs.exe.45fa72.10.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.0.RegSvcs.exe.3c29930.35.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.0.RegSvcs.exe.3c29930.35.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.0.RegSvcs.exe.409c0d.12.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.0.RegSvcs.exe.400000.28.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8dc:$key: HawkEyeKeylogger 0x7db12:$salt: 099u787978786 0x7bee9:$string1: HawkEye_Keylogger 0x7cd3c:$string1: HawkEye_Keylogger 0x7da72:$string1: HawkEye_Keylogger 0x7c2d2:$string2: holdermail.txt 0x7c2f2:$string2: holdermail.txt 0x7c214:$string3: wallet.dat 0x7c22c:$string3: wallet.dat 0x7c242:$string3: wallet.dat 0x7d654:$string4: Keylog Records 0x7d96c:$string4: Keylog Records 0x7db6a:$string5: do not script --> 0x7b8c4:$string6: \pidloc.txt 0x7b91e:$string7: BSPLIT 0x7b92e:$string7: BSPLIT
6.0.RegSvcs.exe.400000.28.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.0.RegSvcs.exe.400000.28.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.0.RegSvcs.exe.400000.28.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
6.0.RegSvcs.exe.400000.28.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.0.RegSvcs.exe.400000.28.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf41:$hawkstr1: Ha

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
72QC-GMI2022.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 72QC-GMI2022.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Windows Analysis Report
72QC-GMI2022.exe