Yara detected MailPassView
Yara detected HawkEye Keylogger
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Binary is likely a compiled AutoIt script file
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Yara detected WebBrowserPassView password recovery tool
AutoIt script contains suspicious strings
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Creates a start menu entry (Start Menu\Programs\Startup)
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains capabilities to detect virtual machines
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)