Analysis Report dbeaver.exe

Overview

General Information

Sample Name: dbeaver.exe
Analysis ID: 347768
MD5: b56bf7c40d3e84ca5557e6f9f9786cb3
SHA1: eadaa2cdd7c8dd0f2978a8ea0b2fe45ae9d4dd26
SHA256: 82d314c6d7c17dbbd8ba26241b82402f246da22aaaafc3418d04b6fc30872a10

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Potential time zone aware malware
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Analysis Advice

Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Startup

  • System is w10x64
  • dbeaver.exe (PID: 1064 cmdline: 'C:\Users\user\Desktop\dbeaver.exe' MD5: B56BF7C40D3E84CA5557E6F9F9786CB3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Compliance:

PE / OLE file has a valid certificate
Source: dbeaver.exe | Static PE information: certificate valid
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: dbeaver.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F35E94 __doserrno,_errno,_errno,__doserrno,FindFirstFileW,_errno,_errno,_errno,_errno,_errno,GetDriveTypeW,free,free,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 0_2_00007FF6C6F35E94
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F32A20 free,malloc,FindFirstFileW,FindNextFileW,free,FindClose,malloc,free,free, 0_2_00007FF6C6F32A20
Source: dbeaver.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: dbeaver.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: dbeaver.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: dbeaver.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: dbeaver.exe | String found in binary or memory: http://sv.symcd.com0&
Source: dbeaver.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: dbeaver.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: dbeaver.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: dbeaver.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: dbeaver.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F41BD0 0_2_00007FF6C6F41BD0
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F36680 0_2_00007FF6C6F36680
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F34E90 0_2_00007FF6C6F34E90
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F3D6A8 0_2_00007FF6C6F3D6A8
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F44158 0_2_00007FF6C6F44158
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F44958 0_2_00007FF6C6F44958
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F43870 0_2_00007FF6C6F43870
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F42070 0_2_00007FF6C6F42070
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F3DC94 0_2_00007FF6C6F3DC94
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F41518 0_2_00007FF6C6F41518
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F4364C 0_2_00007FF6C6F4364C
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F38EE4 0_2_00007FF6C6F38EE4
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F46300 0_2_00007FF6C6F46300
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F36F30 0_2_00007FF6C6F36F30
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F3654C 0_2_00007FF6C6F3654C
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F4094C 0_2_00007FF6C6F4094C
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F44D8C 0_2_00007FF6C6F44D8C
Source: dbeaver.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dbeaver.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dbeaver.exe, 00000000.00000002.219120303.0000000000740000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs dbeaver.exe
Source: classification engine | Classification label: sus24.evad.winEXE@1/0@0/0
Source: dbeaver.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dbeaver.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dbeaver.exe | String found in binary or memory: --launcher.library
Source: dbeaver.exe | String found in binary or memory: --launcher.suppressErrors
Source: dbeaver.exe | String found in binary or memory: --launcher.ini
Source: dbeaver.exe | String found in binary or memory: .exe.exe-vmargs-name.--launcher.library--launcher.suppressErrors-protectroot--launcher.inieclipseorg.eclipse.equinox.launcherorg.eclipse.equinox.launcherpluginseclipse.inirt%[^
Source: dbeaver.exe | Static PE information: certificate valid
Source: dbeaver.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: dbeaver.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F3FC90 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00007FF6C6F3FC90

Malware Analysis System Evasion:

Potential time zone aware malware
Source: C:\Users\user\Desktop\dbeaver.exe | System information queried: CurrentTimeZoneInformation
Source: C:\Users\user\Desktop\dbeaver.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-9228
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F35E94 __doserrno,_errno,_errno,__doserrno,FindFirstFileW,_errno,_errno,_errno,_errno,_errno,GetDriveTypeW,free,free,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 0_2_00007FF6C6F35E94
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F32A20 free,malloc,FindFirstFileW,FindNextFileW,free,FindClose,malloc,free,free, 0_2_00007FF6C6F32A20
Source: C:\Users\user\Desktop\dbeaver.exe | API call chain: ExitProcess graph end node graph_0-9230
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F383BC RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6C6F383BC
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F3FC90 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00007FF6C6F3FC90
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F46474 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError, 0_2_00007FF6C6F46474
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F36F18 SetUnhandledExceptionFilter, 0_2_00007FF6C6F36F18
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F3FF30 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6C6F3FF30
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F36A00 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6C6F36A00
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLangID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s, 0_2_00007FF6C6F3C7EC
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 0_2_00007FF6C6F3C0A8
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: GetLocaleInfoW, 0_2_00007FF6C6F400D8
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA, 0_2_00007FF6C6F40134
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 0_2_00007FF6C6F3C348
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: EnumSystemLocalesA, 0_2_00007FF6C6F3C780
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: GetLocaleInfoA, 0_2_00007FF6C6F3C294
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: GetLocaleInfoA, 0_2_00007FF6C6F42AA0
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: EnumSystemLocalesA, 0_2_00007FF6C6F3C6EC
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: _getptd,GetLocaleInfoA, 0_2_00007FF6C6F3C1AC
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: _getptd,GetLocaleInfoA, 0_2_00007FF6C6F3C5DC
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F38070 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00007FF6C6F38070
Source: C:\Users\user\Desktop\dbeaver.exe | Code function: 0_2_00007FF6C6F41BD0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00007FF6C6F41BD0

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter 2 | Path Interception | Path Interception | Virtualization/Sandbox Evasion 1 | OS Credential Dumping | System Time Discovery 12 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Security Software Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery 12 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

Behavior Graph

Screenshots
