Source: 0.2.sb.exe.27e053f.1.raw.unpack |
Malware Configuration Extractor: AveMaria {"C2 url": "cachepallioniwarznpa.icu", "port": 5200} |
Source: sb.exe |
Virustotal: Detection: 38% |
Source: sb.exe |
ReversingLabs: Detection: 42% |
Source: Yara match |
File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY |
Source: 0.2.sb.exe.31e0000.3.unpack |
Avira: Label: TR/Downloader.Gen |
Source: 0.2.sb.exe.27e053f.1.unpack |
Avira: Label: TR/Patched.Ren.Gen3 |
Source: sb.exe |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: C:\Users\user\Desktop\sb.exe |
Directory created: C:\Program Files\Microsoft DN1 |
Source: sb.exe |
Static PE information: certificate valid |
Source: sb.exe |
Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: sb.exe, 00000000.00000002.374832358.00000000031FB000.00000004.00000001.sdmp |
Source: |
Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: sb.exe, 00000000.00000002.374832358.00000000031FB000.00000004.00000001.sdmp |
Source: |
Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\General\DispSink\DispClient\Free real estate.pdb source: sb.exe |
Source: Malware configuration extractor |
URLs: cachepallioniwarznpa.icu |
Source: sb.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: sb.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: sb.exe |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: sb.exe |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: sb.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y |
Source: sb.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 |
Source: sb.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: sb.exe |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: sb.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: sb.exe |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: sb.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# |
Source: sb.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# |
Source: sb.exe |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: sb.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: sb.exe |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: sb.exe |
String found in binary or memory: http://ocsp.sectigo.com0 |
Source: sb.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp |
String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC: |
Source: sb.exe |
String found in binary or memory: https://sectigo.com/CPS0 |
Source: sb.exe |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp |
Binary or memory string: GetRawInputData |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CB8A55 GetKeyState,GetKeyState,GetKeyState,GetKeyState, |
0_2_00CB8A55 |
Source: Yara match |
File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY |
Source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Author: unknown |
Source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Author: unknown |
Source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Author: unknown |
Source: sb.exe |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CC0074 |
0_2_00CC0074 |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CD401C |
0_2_00CD401C |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CFAD78 |
0_2_00CFAD78 |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CF16A0 |
0_2_00CF16A0 |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CF26B6 |
0_2_00CF26B6 |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CF9230 |
0_2_00CF9230 |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CF9354 |
0_2_00CF9354 |
Source: sb.exe |
Virustotal: Detection: 38% |
Source: sb.exe |
ReversingLabs: Detection: 42% |
Source: C:\Users\user\Desktop\sb.exe |
File read: C:\Users\user\Desktop\sb.exe |
Source: sb.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\sb.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\sb.exe 'C:\Users\user\Desktop\sb.exe' |
Source: C:\Users\user\Desktop\sb.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\sb.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01 |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CB2C5D __EH_prolog3_catch_GS,LoadLibraryExA,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary, |
0_2_00CB2C5D |
Source: C:\Users\user\Desktop\sb.exe |
File created: C:\Program Files\Microsoft DN1 |
Source: classification engine |
Classification label: mal60.troj.winEXE@2/0@0/0 |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CB249C CoCreateInstance, |
0_2_00CB249C |
Source: sb.exe |
Static file information: File size 1627136 > 1048576 |
Source: C:\Users\user\Desktop\sb.exe |
Directory created: C:\Program Files\Microsoft DN1 |
Source: sb.exe |
Static PE information: certificate valid |
Source: sb.exe |
Static PE information: Raw size of .data is bigger than: 0x100000 < 0x12a200 |
Source: sb.exe |
Static PE information: More than 200 imports for KERNEL32.dll |
Source: sb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: sb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: sb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: sb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: sb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: sb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: sb.exe |
Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: sb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: sb.exe, 00000000.00000002.374832358.00000000031FB000.00000004.00000001.sdmp |
Source: |
Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: sb.exe, 00000000.00000002.374832358.00000000031FB000.00000004.00000001.sdmp |
Source: |
Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\General\DispSink\DispClient\Free real estate.pdb source: sb.exe |
Source: sb.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: sb.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: sb.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: sb.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: sb.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CFBEC3 push ecx; ret |
0_2_00CFBED6 |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CBEE06 push ecx; ret |
0_2_00CBEE19 |
Source: sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp |
String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList |
Source: sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp |
String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread|" |
Source: C:\Users\user\Desktop\sb.exe TID: 2224 |
Thread sleep count: 70 > 30 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CDBC81 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00CDBC81 |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CDD54C mov eax, dword ptr fs:[00000030h] |
0_2_00CDD54C |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CBCAC7 mov esi, dword ptr fs:[00000030h] |
0_2_00CBCAC7 |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CE73DD mov eax, dword ptr fs:[00000030h] |
0_2_00CE73DD |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CBC9B1 GetProcessHeap,HeapAlloc,InterlockedPopEntrySList,VirtualAlloc,RaiseException,InterlockedPopEntrySList,VirtualFree,InterlockedPushEntrySList, |
0_2_00CBC9B1 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CDBC81 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00CDBC81 |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CBDF6A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00CBDF6A |
Source: C:\Users\user\Desktop\sb.exe |
Code function: 0_2_00CBEFC2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_00CBEFC2 |
Source: Yara match |
File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: sb.exe PID: 6404, type: MEMORYSTR |
Source: Yara match |
File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY |