Collection

These indicators represent situations where the file has elements that indicate capabilities or evidence of collecting data. This can include the enumeration of system configuration or the collection of specific sensitive information.
| Indicator | Description |
| --- | --- |
| BrowserInfoTheft | The file contains evidence of an intent to read passwords stored in browser caches. Malware uses this to collect the passwords for exfiltration. |
| CredentialProvider | The file contains evidence of interaction with a credential provider, or of an attempt to appear as one. Malware does this because credential providers have access to many types of sensitive data, such as usernames and passwords, and by acting as one it may be able to subvert authentication integrity. |
| CurrentUserInfoImports | The file imports functions that are used to gather information about the currently logged-in user. Malware uses this to determine paths of action to escalate privileges and to better tailor attacks. |
| DebugStringImports | The file imports functions that are used to output debug strings. Typically this is disabled in production software, but left on in malware that is still being tested. |
| DiskInfoImports | The file imports functions that can be used to gather details about volumes on the system. Malware uses this in conjunction with volume enumeration to determine facts about the volumes in preparation for a further attack. |
| EnumerateFileImports | The file imports functions that are used to list files. Malware uses this to look for sensitive data or to find further points of attack. |
| EnumerateModuleImports | The file imports functions that can be used to list all of the DLLs that a running process uses. Malware uses this capability to locate and target specific libraries for loading into a process, and to map out a process it wishes to inject into. |
| EnumerateNetwork | The file shows evidence of a capability to enumerate connected networks and network adapters. Malware does this to determine where a target system lies in relation to others, and to look for possible lateral-movement paths. |
| EnumerateProcessImports | The file imports functions that can be used to list all of the running processes on a system. Malware uses this capability to locate processes to inject into, or processes that it wishes to terminate. |
| EnumerateVolumeImports | The file imports functions that can be used to list the volumes on the system. Malware uses this to find all the areas that it might need to search for data, or to spread an infection. |
| GinaImports | The file imports functions that are used to access GINA (Graphical Identification and Authentication). Malware does this to attempt to breach the secure Ctrl+Alt+Delete password entry system or other network login functions. |
| HostnameSearchImports | The file imports functions that are used to gather information about host names on the network and the hostname of the machine itself. Malware uses this capability to better target further attacks or to scan for new targets. |
| KeystrokeLogImports | The file imports functions that can capture and log keystrokes from the keyboard. Malware uses this to capture and save keystrokes in order to find sensitive information such as passwords. |
| OSInfoImports | The file imports functions that are used to gather information about the current operating system. Malware uses this to determine how to better tailor further attacks and to report information back to a controller. |
| PossibleKeylogger | The file contains evidence of keylogger-type activity. Malware uses keyloggers to collect sensitive information from the keyboard. |
| PossiblePasswords | The file contains common passwords, or a structure that would enable brute-forcing of common passwords. Malware uses this to attempt to penetrate a network further by accessing other resources via password. |
| ProcessorInfoWMI | The file imports functions that can be used to determine details about the processor. Malware uses this to tailor attacks and to exfiltrate this data to its command-and-control infrastructure. |
| RDPUsage | The file shows evidence of interacting with the Remote Desktop Protocol (RDP). Malware frequently uses this to move laterally and to offer direct command-and-control functionality. |
| SpyString | The file is possibly spying on the clipboard or on user actions via accessibility API usage. |
| SystemDirImports | The file imports functions used to locate the system directory. Malware does this to find where many of the installed system binaries are located, as it frequently hides among them. |
| UserEnvInfoImports | The file imports functions that are used to gather information about the environment of the currently logged-in user. Malware uses this to determine details about the logged-in user and to look for other intelligence that can be gleaned from the environment variables. |