Windows Analysis Report
WirelessKeyView.exe

Overview

General Information

Sample Name:WirelessKeyView.exe
Analysis ID:1299655
MD5:f577df72c3104df7158c898b64ca53db
SHA1:108266bda26eaa3c1b7aa06ef9dde376dde88bb5
SHA256:e8c208fb8f488971975c0023256c5a955578a1b5299a45d627a4e2d7f8fb850e

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara signature match
PE file contains an invalid checksum
Enables debug privileges

Classification

Label: mal56.winEXE@2/0@0/0

Process Tree

  • System is w10x64_ra
  • WirelessKeyView.exe (PID: 5740, cmdline: C:\Users\user\Desktop\WirelessKeyView.exe, MD5: F577DF72C3104DF7158C898B64CA53DB)
    • WirelessKeyView.exe (PID: 3288, cmdline: "C:\Users\user\Desktop\WirelessKeyView.exe" /GetKeys WirelessKeyView004AA08D, MD5: F577DF72C3104DF7158C898B64CA53DB)
  • cleanup
Source | Rule | Description | Author | Strings
WirelessKeyView.exe | ChromePass | Detects a tool used by APT groups - file ChromePass.exe | Florian Roth | 0x3ed98: $x2: "Windows Protect folder for getting the encryption keys"

The rule was written for NirSoft's ChromePass.exe (see its metadata under System Summary) and fires here on a single UI string that WirelessKeyView.exe also carries, so the match identifies a NirSoft password-recovery tool rather than a ChromePass binary. "Tool used by APT groups" describes intrusion sets abusing a legitimately distributed utility, which is also how ReversingLabs labels the file (Win64.Hacktool.NirSoftPT). The score of 56 rests on this rule and the AV ratio, not on any observed network or file-system behaviour.
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: WirelessKeyView.exe | ReversingLabs: Detection: 35%

System Summary

Source: WirelessKeyView.exe, type: SAMPLE | Matched rule: Detects a tool used by APT groups - file ChromePass.exe, Author: Florian Roth
Source: WirelessKeyView.exe, type: SAMPLE | Matched rule: ChromePass (date = 2016-09-08, hash1 = 5ff43049ae18d03dcc74f2be4a870c7056f6cfb5eb636734cca225140029de9a, author = Florian Roth, description = Detects a tool used by APT groups - file ChromePass.exe, reference = http://goo.gl/igxLyF, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: WirelessKeyView.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WirelessKeyView.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policy lookup CreateProcess performs; expected for any process that spawns a child)
Source: classification engine | Classification label: mal56.winEXE@2/0@0/0
Source: unknown | Process created: C:\Users\user\Desktop\WirelessKeyView.exe C:\Users\user\Desktop\WirelessKeyView.exe
Source: C:\Users\user\Desktop\WirelessKeyView.exe | Process created: C:\Users\user\Desktop\WirelessKeyView.exe "C:\Users\user\Desktop\WirelessKeyView.exe" /GetKeys WirelessKeyView004AA08D
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: WirelessKeyView.exe | Static PE information: Image base 0x140000000 > 0x60000000 (0x140000000 is the linker's default base for 64-bit executables; not an anomaly on its own)
Source: WirelessKeyView.exe | Static PE information: resource types present: RT_CURSOR, RT_BITMAP, RT_ICON, RT_MENU, RT_DIALOG, RT_STRING, RT_ACCELERATOR, RT_GROUP_ICON (the report lists these as "section name"; they are resource directory entries, the PE sections are .text, .rdata, .data, .pdata and .rsrc)
Source: WirelessKeyView.exe | Static PE information: real checksum: 0x4e440, should be: 0x4359d
Source: C:\Users\user\Desktop\WirelessKeyView.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WirelessKeyView.exe | Process token adjusted: Debug
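How the "invalid checksum" signature above is evaluated, as an added example that is not code from the Joe Sandbox report: the function below recomputes IMAGE_OPTIONAL_HEADER.CheckSum the way imagehlp's CheckSumMappedFile does (a one's-complement sum of the file's 16-bit words with the checksum field itself excluded, plus the file length) and compares it with the stored field. The 256-byte image it builds is constructed for this example (a bare MZ/PE header, not the sample); pointed at the real WirelessKeyView.exe it yields the two values the report compares. Windows only validates this field when loading drivers, boot-time DLLs and DLLs mapped into critical system processes, never for an ordinary user-mode EXE, so a mismatch is a sign the file was edited after linking (or never stamped), not evidence of malice by itself.

```python
"""Recompute the PE CheckSum field (added example; not code from the Joe Sandbox report)."""
import struct


def checksum_field_offset(data: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE\\0\\0) + 20 (file header) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + 0x58


def pe_checksum(data: bytes) -> int:
    """Checksum as imagehlp!CheckSumMappedFile computes it: a one's-complement sum of every
    little-endian 16-bit word of the file, with the four bytes of the CheckSum field itself
    left out, folded to 16 bits, plus the original file length."""
    cs_off = checksum_field_offset(data)
    length = len(data)
    words = data + b"\0" if length % 2 else data   # pad an odd tail for the word loop only
    total = 0
    for off in range(0, len(words), 2):
        if cs_off <= off < cs_off + 4:
            continue
        total += struct.unpack_from("<H", words, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry keeps it within 16 bits
    return total + length


def stored_checksum(data: bytes) -> int:
    """The value currently written in the header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_matches(data: bytes) -> bool:
    """True when the stored field equals the recomputed value (the sandbox signature fires when it does not)."""
    return stored_checksum(data) == pe_checksum(data)


def fix_checksum(data: bytes) -> bytes:
    """Return a copy whose CheckSum field holds the correct value, as a linker would write it."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", pe_checksum(data)) + data[off + 4:]


def build_toy_image(stored: int) -> bytes:
    """Constructed 256-byte stand-in: 'MZ', e_lfanew = 0x40, 'PE\\0\\0', CheckSum field at 0x98
    holding `stored`, everything else zero. Not a loadable PE and not the analysed sample."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x98, stored)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    # Usage: python pe_checksum.py WirelessKeyView.exe   (no argument: run on the toy image)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_toy_image(0xDEADBEEF)
    print(f"stored 0x{stored_checksum(image):x}, computed 0x{pe_checksum(image):x}, "
          f"match={checksum_matches(image)}")
```

For the toy image the only non-zero words are 0x5A4D ("MZ"), 0x0040 (e_lfanew) and 0x4550 ("PE"), which sum to 0x9FDD; adding the 0x100 length gives 0xA0DD whatever garbage sits in the skipped field, and after fix_checksum the file verifies.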
MITRE ATT&CK Matrix (the count is the number of matched signatures; techniques without a count are the matrix's default column entries, no signature mapped to them)

Tactic | Technique | Matched signatures
Initial Access | Valid Accounts | -
Execution | Windows Management Instrumentation | -
Persistence | Path Interception | -
Privilege Escalation | Process Injection | 1
Defense Evasion | Process Injection | 1
Credential Access | OS Credential Dumping | -
Discovery | System Information Discovery | 1
Lateral Movement | Remote Services | -
Collection | Data from Local System | -
Exfiltration | Exfiltration Over Other Network Medium | -
Command and Control | Data Obfuscation | -
Network Effects | Eavesdrop on Insecure Network Communication | -
Remote Service Effects | Remotely Track Device Without Authorization | -
Impact | Modify System Partition | -
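A hunting check built from the process tree in this report, as an added example that is neither Joe Sandbox's nor NirSoft's code: it flags process-creation events (a Sysmon Event ID 1 subset) on three signals the report exposes, the sample's hashes, the "/GetKeys WirelessKeyView<hex>" worker command line, and the fact that the worker is the same image re-launched by itself. The events are constructed to model PIDs 5740 and 3288 from the tree plus controls; PPIDs, extra paths, the "/stext" command line and the non-sample hashes are made up, and the assumption that the suffix after WirelessKeyView is always 8 hex digits is generalised from the single value observed (004AA08D).

```python
"""Flag WirelessKeyView-style credential-recovery activity in process-creation events
(added example, not part of the sandbox report)."""
import re
from dataclasses import dataclass

# Hashes of the analysed sample, copied from the report. A renamed copy keeps them.
SAMPLE_MD5 = "f577df72c3104df7158c898b64ca53db"
SAMPLE_SHA256 = "e8c208fb8f488971975c0023256c5a955578a1b5299a45d627a4e2d7f8fb850e"
KNOWN_HASHES = {SAMPLE_MD5, SAMPLE_SHA256}

# The worker in the report is launched as: "<exe>" /GetKeys WirelessKeyView004AA08D.
# Assumption: the suffix is always 8 hex digits (generalised from that one observation).
GETKEYS_RE = re.compile(r"(?i)(?:^|\s)/GetKeys\s+WirelessKeyView[0-9A-F]{8}(?:\s|$)")


@dataclass
class ProcEvent:
    """Subset of the fields a Sysmon Event ID 1 (process create) record carries."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str
    md5: str
    sha256: str


def classify(ev: ProcEvent):
    """Return the list of reasons an event is suspicious; an empty list means no finding."""
    reasons = []
    if ev.md5.lower() in KNOWN_HASHES or ev.sha256.lower() in KNOWN_HASHES:
        reasons.append("hash matches analysed WirelessKeyView sample")
    if GETKEYS_RE.search(ev.cmdline):
        reasons.append("WirelessKeyView /GetKeys worker command line")
        # In the report the worker's parent is the very same executable.
        if ev.parent_image.lower() == ev.image.lower():
            reasons.append("self-spawned worker (parent image equals child image)")
    return reasons


def hunt(events):
    """Map PID -> reasons for every flagged event, skipping clean ones."""
    findings = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings[ev.pid] = reasons
    return findings


# Constructed events: the two from the report's tree, a benign control, a renamed copy of
# the same binary run without /GetKeys, and a different build that keeps the convention.
EVENTS = [
    ProcEvent(5740, 4412, r"C:\Users\user\Desktop\WirelessKeyView.exe",
              r"C:\Users\user\Desktop\WirelessKeyView.exe",
              r"C:\Windows\explorer.exe", SAMPLE_MD5, SAMPLE_SHA256),
    ProcEvent(3288, 5740, r"C:\Users\user\Desktop\WirelessKeyView.exe",
              r'"C:\Users\user\Desktop\WirelessKeyView.exe" /GetKeys WirelessKeyView004AA08D',
              r"C:\Users\user\Desktop\WirelessKeyView.exe", SAMPLE_MD5, SAMPLE_SHA256),
    ProcEvent(6100, 4412, r"C:\Windows\System32\notepad.exe", "notepad.exe keys.txt",
              r"C:\Windows\explorer.exe", "0" * 32, "0" * 64),          # placeholder hashes
    ProcEvent(7020, 7010, r"C:\Users\user\AppData\Local\Temp\wkv.exe",
              r'"C:\Users\user\AppData\Local\Temp\wkv.exe" /stext keys.txt',
              r"C:\Windows\System32\cmd.exe", SAMPLE_MD5, SAMPLE_SHA256),
    ProcEvent(8001, 8000, r"C:\Tools\WirelessKeyView.exe",
              r'"C:\Tools\WirelessKeyView.exe" /GetKeys WirelessKeyView00A1B2C3',
              r"C:\Tools\WirelessKeyView.exe", "1" * 32, "1" * 64),    # placeholder hashes
]

if __name__ == "__main__":
    for pid, reasons in hunt(EVENTS).items():
        print(pid, "; ".join(reasons))
```

The hash rule survives renaming (PID 7020) but not a new build; the command-line and self-spawn rules survive a new build (PID 8001) but not a renamed switch. The "Process token adjusted: Debug" behaviour is not in Sysmon's process-create record; on Windows it surfaces as Security event 4703 and would be a fourth, independent signal.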

Source | Detection | Scanner | Label
WirelessKeyView.exe | 35% | ReversingLabs | Win64.Hacktool.NirSoftPT
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:38.0.0 Beryl
Analysis ID:1299655
Start date and time:2023-08-29 17:59:44 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample file name:WirelessKeyView.exe
Detection:MAL
Classification:mal56.winEXE@2/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): svchost.exe
  • Excluded domains from analysis (whitelisted): login.live.com
  • VT rate limit hit for: WirelessKeyView.exe
No created / dropped files found
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):6.23529507034848
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:WirelessKeyView.exe
File size:262'656 bytes
MD5:f577df72c3104df7158c898b64ca53db
SHA1:108266bda26eaa3c1b7aa06ef9dde376dde88bb5
SHA256:e8c208fb8f488971975c0023256c5a955578a1b5299a45d627a4e2d7f8fb850e
SHA512:5a89ea4d6b7fe05e1ea2cc8b51a25e68fb4dbda48a805a77c01e049ebab70412664fce5d611e3f35e64587e269105dc15afdfe0eed4d7719205ac96d1ec52428
SSDEEP:6144:w1w0T70GyPvckzKUOrk/+YW6mhrZOYzYHajVJ:w1w0T71yPTMgGh/hrX3jL
TLSH:19445B46A3A84CE5E8ABD279CC938626D6B17C450339D7DB1760CE574F333E0A93A712
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........HF.I)(RI)(RI)(Rn.URB)(R..VRH)(Rn.FRz)(Rn.ER:)(R?.SRX)(RI))R`((Rn.ZRn)(Rn.TRH)(Rn.PRH)(RRichI)(R................PE..d...X.``...
Icon Hash:694d6d2c4ee4c538
Entrypoint:0x14001fba0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:TERMINAL_SERVER_AWARE (no DYNAMIC_BASE or HIGH_ENTROPY_VA: with RELOCS_STRIPPED set and an empty base-relocation directory the image cannot be rebased and always maps at 0x140000000, so it gets no ASLR; DEP still applies, since 64-bit processes get it regardless of NX_COMPAT)
Time Stamp:0x6060A658 [Sun Mar 28 15:52:56 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:001d0612d840fc62d527725b32aa5804
Instruction (entry point 0x14001fba0, decoded as x86-64; the report's listing decoded the same bytes in 32-bit mode, which renders each REX.W prefix as a spurious "dec eax" and "movsxd rdi, eax" as "dec eax / arpl ax, di")

sub rsp, 28h                      ; VS2005 x64 CRT entry stub: init security cookie, then jump into CRT startup
call 00007F2B68E512ACh
add rsp, 28h
jmp 00007F2B68E4A7D3h
int3                              ; int3 repeated 14 times: alignment padding between functions
mov qword ptr [rsp+20h], rbx      ; next function: CRT stdio code operating on a FILE* in rdx
mov dword ptr [rsp+08h], ecx
push rdi
sub rsp, 20h
mov rcx, rdx
mov rbx, rdx
call 00007F2B68E521DCh
mov ecx, dword ptr [rbx+18h]      ; FILE flag word
test cl, 82h
movsxd rdi, eax
jne 00007F2B68E4AADFh
call 00007F2B68E4BFCCh            ; returns a pointer to errno
mov dword ptr [rax], 00000009h    ; errno = 9 (EBADF)
or dword ptr [rbx+18h], 20h       ; set the error flag
or eax, FFFFFFFFh
mov rbx, qword ptr [rsp+48h]
add rsp, 20h
pop rdi
ret
test cl, 00000040h
je 00007F2B68E4AADFh
call 00007F2B68E4BFAAh            ; returns a pointer to errno
mov dword ptr [rax], 00000022h    ; errno = 34 (ERANGE)
or dword ptr [rbx+18h], 20h
or eax, FFFFFFFFh
mov rbx, qword ptr [rsp+48h]
add rsp, 20h
pop rdi
ret
mov qword ptr [rsp+40h], rsi
xor esi, esi
test cl, 00000001h
je 00007F2B68E4AADBh
test cl, 00000010h
mov dword ptr [rbx+08h], esi
je 00007F2B68E4AB63h
mov rax, qword ptr [rbx+10h]
and ecx, FFFFFFFEh
mov qword ptr [rbx], rax
mov dword ptr [rbx+18h], ecx
mov eax, dword ptr [rbx+18h]
mov dword ptr [rbx+08h], esi
and eax, FFFFFFEFh
or eax, 02h
test eax, 0000010Ch
mov dword ptr [rbx+18h], eax
jne 00007F2B68E4AAF1h
call 00007F2B68E51EF2h
add rax, 30h
Programming Language:
  • [ASM] VS2005 build 50727
  • [C++] VS2005 build 50727
  • [ C ] VS2005 build 50727
  • [RES] VS2005 build 50727
  • [LNK] VS2005 build 50727
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x351fc | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40000 | 0x5ed0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3e000 | 0x1e90 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2f000 | 0x7e0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2db8a | 0x2dc00 | False | 0.5380432462431693 | zlib compressed data | 6.361926281929707 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2f000 | 0x7b9a | 0x7c00 | False | 0.42165448588709675 | data | 5.589028486157532 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x37000 | 0x6418 | 0x2600 | False | 0.29461348684210525 | data | 3.0769714251114997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x3e000 | 0x1e90 | 0x2000 | False | 0.487548828125 | data | 5.331184093754899 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x40000 | 0x5ed0 | 0x6000 | False | 0.3230794270833333 | data | 4.769163358507502 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources (the Type column is libmagic's guess at the raw resource bytes; the "AmigaOS bitmap font" and "Matlab v4 mat-file" hits are false matches on cursor and string-table data)

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x40700 | 0x134 | data | English | United States | 0.40584415584415584
RT_CURSOR | 0x40834 | 0x134 | AmigaOS bitmap font (libmagic false match) | English | United States | 0.3344155844155844
RT_BITMAP | 0x40968 | 0x1b28 | Device independent bitmap graphic, 144 x 16 x 24, image size 6912 | Hebrew | Israel | 0.37255466052934405
RT_BITMAP | 0x42490 | 0xd8 | Device independent bitmap graphic, 14 x 14 x 4, image size 112, resolution 3780 x 3780 px/m | English | United States | 0.4305555555555556
RT_BITMAP | 0x42568 | 0xd8 | Device independent bitmap graphic, 14 x 14 x 4, image size 112, resolution 3780 x 3780 px/m | English | United States | 0.42592592592592593
RT_ICON | 0x42640 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Hebrew | Israel | 0.42915162454873645
RT_ICON | 0x42ee8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Hebrew | Israel | 0.5166184971098265
RT_ICON | 0x43450 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Hebrew | Israel | 0.49421965317919075
RT_MENU | 0x439b8 | 0x666 | data | English | United States | 0.36996336996337
RT_MENU | 0x44020 | 0x2e0 | data | English | United States | 0.4171195652173913
RT_DIALOG | 0x44300 | 0xa2 | data | Hebrew | Israel | 0.7592592592592593
RT_DIALOG | 0x443a4 | 0x296 | data | Hebrew | Israel | 0.48942598187311176
RT_DIALOG | 0x4463c | 0x874 | data | Hebrew | Israel | 0.3553604436229205
RT_DIALOG | 0x44eb0 | 0xfa | data | Hebrew | Israel | 0.62
RT_DIALOG | 0x44fac | 0x336 | data | English | United States | 0.49635036496350365
RT_STRING | 0x452e4 | 0x1ea | data | English | United States | 0.4387755102040816
RT_STRING | 0x454d0 | 0x118 | data | English | United States | 0.4714285714285714
RT_STRING | 0x455e8 | 0x64 | Matlab v4 mat-file (little endian) W, numeric, rows 0, columns 0 (libmagic false match) | English | United States | 0.61
RT_STRING | 0x4564c | 0xc8 | data | English | United States | 0.61
RT_STRING | 0x45714 | 0xca | Matlab v4 mat-file (little endian) N, numeric, rows 0, columns 0 (libmagic false match) | English | United States | 0.6089108910891089
RT_STRING | 0x457e0 | 0x7c | data | English | United States | 0.6774193548387096
RT_STRING | 0x4585c | 0x44 | data | English | United States | 0.5588235294117647
RT_STRING | 0x458a0 | 0x30 | data | English | United States | 0.5416666666666666
RT_ACCELERATOR | 0x458d0 | 0x90 | data | Hebrew | Israel | 0.7013888888888888
RT_GROUP_CURSOR | 0x45960 | 0x14 | data | English | United States | 1.3
RT_GROUP_CURSOR | 0x45974 | 0x14 | data | English | United States | 1.3
RT_GROUP_ICON | 0x45988 | 0x22 | data | Hebrew | Israel | 0.9705882352941176
RT_GROUP_ICON | 0x459ac | 0x14 | data | Hebrew | Israel | 1.25
RT_VERSION | 0x459c0 | 0x2e8 | data | Hebrew | Israel | 0.4946236559139785
RT_MANIFEST | 0x45ca8 | 0x222 | ASCII text, with very long lines (406), with CRLF line terminators | English | United States | 0.5567765567765568
None | 0x45ecc | 0x4 | data | English | United States | 3.0
Imports

DLL | Imports
COMCTL32.dll | ImageList_SetImageCount, ImageList_Create, ImageList_AddMasked, CreateToolbarEx, ImageList_ReplaceIcon
KERNEL32.dll | FindResourceA, GlobalLock, LoadLibraryExA, GlobalAlloc, GetTimeFormatA, SetFilePointer, GlobalUnlock, SizeofResource, GetLocaleInfoA, FindFirstFileA, LockResource, GetFileAttributesA, GetVersionExA, LoadResource, FormatMessageA, SystemTimeToTzSpecificLocalTime, FileTimeToLocalFileTime, GetPrivateProfileIntA, GetPrivateProfileStringA, WritePrivateProfileStringA, EnumResourceNamesA, GetStdHandle, SetErrorMode, CreateProcessA, ExitProcess, ReadProcessMemory, GetCurrentProcessId, CreateToolhelp32Snapshot, TerminateProcess, Process32First, Process32Next, LocalAlloc, EnumResourceTypesA, FlushFileBuffers, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetModuleHandleA, RtlLookupFunctionEntry, RtlVirtualUnwind, GetStringTypeW, GetStringTypeA, InitializeCriticalSection, HeapReAlloc, LeaveCriticalSection, EnterCriticalSection, GetConsoleMode, GetConsoleCP, GetSystemTimeAsFileTime, QueryPerformanceCounter, DeleteCriticalSection, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, LCMapStringW, LCMapStringA, HeapCreate, HeapSetInformation, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, RtlPcToFileHeader, RaiseException, RtlUnwindEx, HeapSize, FlsAlloc, GetCurrentThreadId, SetLastError, FlsFree, TlsFree, FlsSetValue, FlsGetValue, RtlCaptureContext, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoA, GetProcessHeap, HeapAlloc, HeapFree, GetFileSize, FindClose, GetCurrentProcess, CreateFileA, GetTempFileNameA, GetCommandLineA, ReadFile, WriteFile, FindNextFileA, GetDateFormatA, GetModuleFileNameA, GetWindowsDirectoryA, CloseHandle, GetLastError, UnmapViewOfFile, MapViewOfFile, WideCharToMultiByte, OpenProcess, MultiByteToWideChar, GetSystemDirectoryA, GetTickCount, CreateFileMappingA, DeleteFileA, LocalFree, OpenFileMappingA, GetTempPathA, CopyFileA, Sleep, FileTimeToSystemTime, SystemTimeToFileTime, LoadLibraryA, CompareFileTime, FreeLibrary, GetProcAddress, SetStdHandle
USER32.dll | DispatchMessageA, GetFocus, DeferWindowPos, BeginDeferWindowPos, EndDeferWindowPos, GetMessageA, PostQuitMessage, RegisterWindowMessageA, TrackPopupMenu, DrawTextExA, IsDialogMessageA, GetSysColorBrush, ShowWindow, ReleaseCapture, SetCursor, LoadCursorA, TranslateMessage, GetKeyState, DestroyWindow, CreateDialogParamA, DestroyMenu, GetDlgCtrlID, DialogBoxParamA, ModifyMenuA, LoadStringA, LoadMenuA, SetCapture, ChildWindowFromPoint, SetDlgItemTextA, GetDlgItemTextA, SendDlgItemMessageA, GetWindowTextA, GetMenuItemInfoA, FillRect, EndPaint, BeginPaint, GetClientRect, GetCursorPos, GetClassNameA, GetSubMenu, MapWindowPoints, GetMenuStringA, EnableWindow, ScreenToClient, GetParent, GetMenuItemCount, EnableMenuItem, GetMenu, CheckMenuItem, GetSysColor, MoveWindow, EmptyClipboard, CloseClipboard, OpenClipboard, SetClipboardData, SetFocus, InvalidateRect, SetWindowLongA, GetWindowLongA, GetDC, LoadIconA, LoadImageA, ReleaseDC, SendMessageA, GetWindowPlacement, MessageBoxA, TranslateAcceleratorA, DefWindowProcA, SetWindowPos, LoadAcceleratorsA, SetMenu, PostMessageA, GetSystemMetrics, GetWindowRect, UpdateWindow, RegisterClassA, SetDlgItemInt, CreateWindowExA, GetDlgItem, EndDialog, GetDlgItemInt, SetWindowTextA, EnumChildWindows
GDI32.dll | GetDeviceCaps, GetPixel, PatBlt, StretchBlt, SetPixel, GetStockObject, GetTextExtentPoint32A, SetBkColor, CreateSolidBrush, GetObjectA, SelectObject, DeleteObject, SetBkMode, CreateFontIndirectA, SetTextColor, SetDIBits, CreateCompatibleBitmap, DeleteDC, SetStretchBltMode, CreateCompatibleDC
comdlg32.dll | GetSaveFileNameA, FindTextA, GetOpenFileNameA
ADVAPI32.dll | RegDeleteValueA, RegEnumValueA, RegQueryValueExA, RegEnumKeyExA, RegOpenKeyExA, RegCloseKey
SHELL32.dll | SHGetMalloc, SHBrowseForFolderA, ShellExecuteA, SHGetPathFromIDListA
ole32.dll | CoInitialize, CoUninitialize

The KERNEL32 imports OpenProcess, ReadProcessMemory, CreateToolhelp32Snapshot, Process32First and Process32Next, taken together with the "Process token adjusted: Debug" behaviour, are the static basis for the credential-access and process-injection mapping: enumerating processes and reading another process's memory is consistent with recovering key material out of a system process, and SeDebugPrivilege is what lets a user open a SYSTEM-owned process for reading. The report does not record which process, if any, was read. CreateFileMappingA, OpenFileMappingA and MapViewOfFile next to the "/GetKeys WirelessKeyView004AA08D" child command line are consistent with a named file mapping being used to pass results from the worker back to the parent, though the report does not confirm that either. No dropped files, contacted domains or IPs were observed.
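How the Import Hash given under General Information is derived, as an added example that is not code from the report or from pefile: imphash is the MD5 of the import table rendered as comma-joined "dll.function" entries, with DLL names lower-cased and a .dll/.ocx/.sys extension removed, function names lower-cased and ordinal-only imports written as ordN, in import-table order. The normalisation below follows pefile's get_imphash(); the ordinal-to-name tables pefile applies for ws2_32, wsock32 and oleaut32 are left out (an assumption stated in the code), which does not affect this sample since every import here is by name. The listing parser takes "DLL | func, func" lines as laid out on this page; the three-DLL listing embedded is a constructed subset, so its hash is not the report's 001d0612d840fc62d527725b32aa5804, and the full table reproduces that value only if the page preserves the on-disk import order.

```python
"""Compute an import hash (imphash) from an import listing (added example, not the report's code)."""
import hashlib

_STRIPPED_EXTENSIONS = {"dll", "ocx", "sys"}


def imphash(imports):
    """imports: [(dll_name, [function_name or ordinal_int, ...]), ...] in import-table order.
    Normalisation as in pefile.get_imphash(): DLL lower-cased with a .dll/.ocx/.sys extension
    removed, function names lower-cased, ordinals rendered as 'ordN', entries joined as
    'dll.func' with commas, then MD5. Assumption: pefile's ordinal-to-name tables for
    ws2_32/wsock32/oleaut32 are omitted, so their ordinal imports stay 'ordN' here."""
    parts = []
    for dll, funcs in imports:
        dll = dll.lower()
        base, dot, ext = dll.rpartition(".")
        if dot and ext in _STRIPPED_EXTENSIONS:
            dll = base
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{dll}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def parse_listing(text):
    """Parse 'DLL | func, func, ...' lines (the layout of the import table on this page)
    into imphash() input, keeping the line order. A 'DLL | Imports' header line is skipped."""
    imports = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dll, _, funcs = line.partition("|")
        dll = dll.strip()
        if dll.lower() == "dll":
            continue
        imports.append((dll, [f.strip() for f in funcs.split(",") if f.strip()]))
    return imports


# Constructed subset of the report's import table (three DLLs, a few functions each).
LISTING = """\
COMCTL32.dll | ImageList_SetImageCount, ImageList_Create, ImageList_AddMasked
KERNEL32.dll | FindResourceA, GlobalLock, LoadLibraryExA
ADVAPI32.dll | RegDeleteValueA, RegEnumValueA
"""

if __name__ == "__main__":
    print(imphash(parse_listing(LISTING)))
```

Two builds with the same imports in a different order hash differently, and a recompiled tool that adds one import changes the value entirely, so imphash pivots well across copies and renames of one build but not across versions; the command-line and behaviour signals in the report are the cross-version handle.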
Language of compilation system | Country where language is spoken
English | United States
Hebrew | Israel