Windows Analysis Report
sublime.text.v4152-patch.exe

Overview

General Information

Sample Name: sublime.text.v4152-patch.exe
Analysis ID: 1290344
MD5: 15f0f046c5a23f898a4162724a16be09
SHA1: 106888897e37c6b5fbb26fb7ed1ad2d264aa2e9e
SHA256: 5ee68867759bd9dd852bd874db2716721d9d6671586533c8b62f820b18e690c5

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Generic Patcher
Found stalling execution ending in API Sleep call
PE file has nameless sections
PE file has a writeable .text section
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality to modify clipboard data
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Yara signature match
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Sleep loop found (likely to delay execution)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evaded block containing many API calls
Dropped file seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: sublime.text.v4152-patch.exe ReversingLabs: Detection: 56%
Source: sublime.text.v4152-patch.exe Virustotal: Detection: 61%
Source: C:\Users\user\AppData\Local\Temp\dup2patcher.dll Joe Sandbox ML: detected
Source: sublime.text.v4152-patch.exe Joe Sandbox ML: detected
Source: sublime.text.v4152-patch.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: sublime.text.v4152-patch.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_6C666CE0 FindFirstFileA,FindClose, 0_2_6C666CE0
Source: sublime.text.v4152-patch.exe, 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886505239.0000000000867000.00000004.00001000.00020000.00000000.sdmp, dup2patcher.dll.0.dr String found in binary or memory: http://diablo2oo2.cjb.netP76y
Source: sublime.text.v4152-patch.exe, 00000000.00000002.886492885.00000000006FC000.00000004.00000010.00020000.00000000.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886505239.0000000000867000.00000004.00001000.00020000.00000000.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886647795.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, dup2patcher.dll.0.dr String found in binary or memory: https://www.sublimetext.com/
Source: sublime.text.v4152-patch.exe, 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886505239.0000000000867000.00000004.00001000.00020000.00000000.sdmp, dup2patcher.dll.0.dr String found in binary or memory: https://www.sublimetext.com/AholicknightAugust
Source: sublime.text.v4152-patch.exe, 00000000.00000002.886492885.00000000006FC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.sublimetext.com/_n
Source: sublime.text.v4152-patch.exe, 00000000.00000002.886492885.00000000006FC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.sublimetext.com/ttps://www.sublimetext.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_6C6671E0 lstrlenA,OpenClipboard,GlobalAlloc,GlobalLock,lstrcpyA,EmptyClipboard,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_6C6671E0
Source: sublime.text.v4152-patch.exe, 00000000.00000002.886647795.000000000099A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: sublime.text.v4152-patch.exe, type: SAMPLE Matched rule: Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe Author: Florian Roth
Source: bassmod.dll.0.dr Static PE information: section name:
Source: bassmod.dll.0.dr Static PE information: section name:
Source: dup2patcher.dll.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: sublime.text.v4152-patch.exe, type: SAMPLE Matched rule: CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen date = 2015-06-23, author = Florian Roth, description = Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe, score = e32f5de730e324fb386f97b6da9ba500cf3a4f8d, reference = Disclosed CN Honker Pentest Toolset, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_100028F0 0_2_100028F0
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_10001B00 0_2_10001B00
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_10010534 0_2_10010534
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_10009B49 0_2_10009B49
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_10001790 0_2_10001790
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_1000ADA0 0_2_1000ADA0
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_100031D8 0_2_100031D8
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_6C669762 0_2_6C669762
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_6C669FA0 0_2_6C669FA0
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_6C6677A9 0_2_6C6677A9
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\bassmod.dll 8AD9E47693E292F381DA42DDC13724A3063040E51C26F4CA8E1F8E2F1DDD547F
Source: sublime.text.v4152-patch.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bassmod.dll.0.dr Static PE information: Section: ZLIB complexity 1.0005039687539372
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_001A1037 GetModuleHandleA,FindResourceA,SizeofResource,LoadResource,VirtualAlloc,RtlMoveMemory,GetTempPathA,lstrcatA,LoadLibraryA,GetProcAddress,FreeLibrary,DeleteFileA, 0_2_001A1037
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe File created: C:\Users\user\AppData\Local\Temp\dup2patcher.dll
Source: classification engine Classification label: mal88.spyw.evad.winEXE@1/2@0/0
Source: bassmod.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xc8f0
Source: dup2patcher.dll.0.dr Static PE information: real checksum: 0x19917 should be: 0xd1cb2
Source: sublime.text.v4152-patch.exe Static PE information: real checksum: 0xecdd should be: 0xd5919
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_1000E989 push FF3F95A1h; ret 0_2_1000E9B9
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_1000CBA0 push eax; ret 0_2_1000CBCE
Source: initial sample Static PE information: section name: entropy: 7.982708398519935
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe File created: C:\Users\user\AppData\Local\Temp\bassmod.dll

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Window / User API: threadDelayed 2468
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe TID: 6636 Thread sleep time: -74040s >= -30000s
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Thread sleep count: Count: 2468 delay: -30
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_6C6668D3 rdtsc 0_2_6C6668D3
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_6C664616 GetSystemInfo,CreateFileA,GetFileSize,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle, 0_2_6C664616
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_6C6667F8 push dword ptr fs:[00000030h] 0_2_6C6667F8
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_6C6667DE push dword ptr fs:[00000030h] 0_2_6C6667DE

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: 0.2.sublime.text.v4152-patch.exe.830000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sublime.text.v4152-patch.exe.830000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sublime.text.v4152-patch.exe.6c660000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.886505239.0000000000830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sublime.text.v4152-patch.exe PID: 5480, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dup2patcher.dll, type: DROPPED
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_10001000 cpuid 0_2_10001000
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe Code function: 0_2_1000CB31 BASSMOD_GetVersion, 0_2_1000CB31
No contacted IP infos