Play interactive tourEdit tour
Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.24453.7436
Overview
General Information
Sample Name: | SecuriteInfo.com.W32.AIDetect.malware1.24453.7436 (renamed file extension from 7436 to exe) |
Analysis ID: | 385467 |
MD5: | 5e3189812e802c0fd68ce592cb1e1999 |
SHA1: | 38552111d3001f4998ab85408601873897653360 |
SHA256: | f42553b4409992bbddc1df8b716596727762a191055cd2eebb3ced648cf5384f |
Tags: | CryptBot |
Infos: | |
Most interesting Screenshot: |
Detection
Cryptbot Glupteba
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Cryptbot
Yara detected Glupteba
Contains functionality to register a low level keyboard hook
Delayed program exit found
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
Click to see the 3 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Click to see the 5 entries |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Multi AV Scanner detection for domain / URL | Show sources |
Source: | Virustotal: | Perma Link |
Multi AV Scanner detection for dropped file | Show sources |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Machine Learning detection for dropped file | Show sources |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_00401270 | |
Source: | Code function: | 0_2_0040410E | |
Source: | Code function: | 0_2_0040426D | |
Source: | Code function: | 0_2_00401470 | |
Source: | Code function: | 0_2_00404400 | |
Source: | Code function: | 0_2_0040365A | |
Source: | Code function: | 0_2_00403600 |
Compliance: |
---|
Detected unpacking (overwrites its own PE header) | Show sources |
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | Code function: | 0_2_0040F1D0 | |
Source: | Code function: | 0_2_00414650 | |
Source: | Code function: | 0_2_0041469B | |
Source: | Code function: | 0_2_00416AC0 | |
Source: | Code function: | 0_2_00416C3A | |
Source: | Code function: | 0_2_0040F259 | |
Source: | Code function: | 13_2_00406301 | |
Source: | Code function: | 13_2_00406CC7 | |
Source: | Code function: | 16_2_0040F64C | |
Source: | Code function: | 16_2_03F5F89C | |
Source: | Code function: | 18_2_00403117 | |
Source: | Code function: | 18_2_00408FA7 | |
Source: | Code function: | 18_2_00402A0B | |
Source: | Code function: | 18_2_00402B28 | |
Source: | Code function: | 22_2_0040F64C | |
Source: | Code function: | 22_2_05A0F89C | |
Source: | Code function: | 25_2_0040F64C | |
Source: | Code function: | 25_2_059DF89C |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | HTTP traffic detected: |