Windows Analysis Report sb.exe

Overview

General Information

Sample Name: sb.exe
Analysis ID: 492126
MD5: e310cb3185d95e3dda42f0230b569d84
SHA1: c20c8aa953f7df7e9b117258a0d31530e23ffc55
SHA256: 82867648313483db4a6115e0cc2b34c06719ffdb6667e50e625e2dc130adfbca
Tags: arostetelemaccaexe

Detection

AveMaria
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AveMaria stealer
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Installs a raw input device (often for capturing keystrokes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Potential key logger detected (key state polling based)
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)

AV Detection:

Found malware configuration
Source: 0.2.sb.exe.27e053f.1.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "cachepallioniwarznpa.icu", "port": 5200}
Multi AV Scanner detection for submitted file
Source: sb.exe Virustotal: Detection: 38%
Source: sb.exe ReversingLabs: Detection: 42%
Yara detected AveMaria stealer
Source: Yara match File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.sb.exe.31e0000.3.unpack Avira: Label: TR/Downloader.Gen
Source: 0.2.sb.exe.27e053f.1.unpack Avira: Label: TR/Patched.Ren.Gen3

Compliance:

Uses 32bit PE files
Source: sb.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\sb.exe Directory created: C:\Program Files\Microsoft DN1
Source: sb.exe Static PE information: certificate valid
Source: sb.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: sb.exe, 00000000.00000002.374832358.00000000031FB000.00000004.00000001.sdmp
Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: sb.exe, 00000000.00000002.374832358.00000000031FB000.00000004.00000001.sdmp
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\General\DispSink\DispClient\Free real estate.pdb source: sb.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: cachepallioniwarznpa.icu
Source: sb.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sb.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: sb.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sb.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: sb.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: sb.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: sb.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: sb.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: sb.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sb.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sb.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: sb.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: sb.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: sb.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: sb.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: sb.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: sb.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: sb.exe String found in binary or memory: https://sectigo.com/CPS0
Source: sb.exe String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp Binary or memory string: GetRawInputData
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CB8A55 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00CB8A55

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Uses 32bit PE files
Source: sb.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Detected potential crypto function
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CC0074 0_2_00CC0074
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CD401C 0_2_00CD401C
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CFAD78 0_2_00CFAD78
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CF16A0 0_2_00CF16A0
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CF26B6 0_2_00CF26B6
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CF9230 0_2_00CF9230
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CF9354 0_2_00CF9354
Source: sb.exe Virustotal: Detection: 38%
Source: sb.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\sb.exe File read: C:\Users\user\Desktop\sb.exe
Source: sb.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\sb.exe 'C:\Users\user\Desktop\sb.exe'
Source: C:\Users\user\Desktop\sb.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CB2C5D __EH_prolog3_catch_GS,LoadLibraryExA,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary, 0_2_00CB2C5D
Source: C:\Users\user\Desktop\sb.exe File created: C:\Program Files\Microsoft DN1
Source: classification engine Classification label: mal60.troj.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CB249C CoCreateInstance, 0_2_00CB249C
Source: sb.exe Static file information: File size 1627136 > 1048576
Source: C:\Users\user\Desktop\sb.exe Directory created: C:\Program Files\Microsoft DN1
Source: sb.exe Static PE information: certificate valid
Source: sb.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x12a200
Source: sb.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: sb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: sb.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: sb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: sb.exe, 00000000.00000002.374832358.00000000031FB000.00000004.00000001.sdmp
Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: sb.exe, 00000000.00000002.374832358.00000000031FB000.00000004.00000001.sdmp
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\General\DispSink\DispClient\Free real estate.pdb source: sb.exe
Source: sb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CFBEC3 push ecx; ret 0_2_00CFBED6
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CBEE06 push ecx; ret 0_2_00CBEE19

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts
Source: sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread|"

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\sb.exe TID: 2224 Thread sleep count: 70 > 30
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CDBC81 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CDBC81
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CDD54C mov eax, dword ptr fs:[00000030h] 0_2_00CDD54C
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CBCAC7 mov esi, dword ptr fs:[00000030h] 0_2_00CBCAC7
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CE73DD mov eax, dword ptr fs:[00000030h] 0_2_00CE73DD
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CBC9B1 GetProcessHeap,HeapAlloc,InterlockedPopEntrySList,VirtualAlloc,RaiseException,InterlockedPopEntrySList,VirtualFree,InterlockedPushEntrySList, 0_2_00CBC9B1
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CDBC81 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CDBC81
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CBDF6A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00CBDF6A
Source: C:\Users\user\Desktop\sb.exe Code function: 0_2_00CBEFC2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00CBEFC2

Stealing of Sensitive Information:

Yara detected AveMaria stealer
Source: Yara match File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sb.exe PID: 6404, type: MEMORYSTR

Remote Access Functionality:

Yara detected AveMaria stealer
Source: Yara match File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY
No contacted IP infos