Windows Analysis Report
hiYc6Vnppc.exe

Overview

General Information

Sample Name: hiYc6Vnppc.exe
Analysis ID: 582342
MD5: 0c84297632dffe68994d744487849fd5
SHA1: e91fc4c3a570950f7cebb691b75ba57990f0ee74
SHA256: 6ccf16f1d1a495de9f5e7c1b60dd09da612ba2355887ebeb56cc1cacb5d64a5e
Tags: exe

Detection

Allcome clipbanker
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Allcome clipbanker
PE file has nameless sections
Machine Learning detection for sample
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains an invalid checksum
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to communicate with device drivers
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • hiYc6Vnppc.exe (PID: 2328 cmdline: "C:\Users\user\Desktop\hiYc6Vnppc.exe" MD5: 0C84297632DFFE68994D744487849FD5)
    • WerFault.exe (PID: 5504 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 412 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
Source | Rule | Description | Author | Strings
00000000.00000000.328776321.0000000000430000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
00000000.00000000.332292030.0000000000430000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
Process Memory Space: hiYc6Vnppc.exe PID: 2328 | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |

Source | Rule | Description | Author | Strings
0.0.hiYc6Vnppc.exe.43056c.2.raw.unpack | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
0.0.hiYc6Vnppc.exe.43056c.2.unpack | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
0.0.hiYc6Vnppc.exe.43056c.4.raw.unpack | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
0.2.hiYc6Vnppc.exe.43056c.1.unpack | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
0.2.hiYc6Vnppc.exe.43056c.1.raw.unpack | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |

No Sigma rule has matched

AV Detection

Source: hiYc6Vnppc.exe | Avira: detected
Source: 0.2.hiYc6Vnppc.exe.43056c.1.raw.unpack | Malware Configuration Extractor: Allcome clipbanker {"C2 url": "http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/Clipper/configure.php?cf6zrlhn=QWERTY", "Wallet": ["DPUnu15wbXcvTwEuQssdD48Q9iZUModBEG", "rh2nM92mFC5XfDXu9AcAUvzivX4ZQerLx4", "0xAC63c256f3F5F03d63F4F206F8E030232461e8d5", "Xaume5k7mVQqgDfJyTtysF721e6gvTkY7M", "TMSpq8DHdUeJ8KzVj8bnNuQKB6fEWYhR5i", "t1P9vxqf7nYQ4tHpo7TUfsXMpiQq14RMpC5", "GAGATITC6CREAQAVLZNORIHVBB4P6SXHTXPF7FYBR3VOSSUDVBT5TIV3", "qpm92rqxzejjn0ur9tl53gk87u7nlzw2zs6qz8djkn", "bc1q6sjafgxlmrxwdhh0v5zu58f48pvaqc04hvedl0", "0xAC63c256f3F5F03d63F4F206F8E030232461e8d5", "ltc1qn66m2mfk4txmgvz9lhm6q8ffetklqf2rak4qqc"]}
Source: hiYc6Vnppc.exe | Virustotal: Detection: 65%
Source: hiYc6Vnppc.exe | Metadefender: Detection: 23%
Source: hiYc6Vnppc.exe | ReversingLabs: Detection: 79%
Source: hiYc6Vnppc.exe | Joe Sandbox ML: detected
Source: hiYc6Vnppc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: C:\Users\youar\Desktop\Allcome\Source code\Build\Release\Build.pdb | source: hiYc6Vnppc.exe, 00000000.00000000.328776321.0000000000430000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_0040AF20 FindFirstFileExW, 0_2_0040AF20
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_0040AFFB FindFirstFileExW,_free, 0_2_0040AFFB
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_021975C8 FindFirstFileA, 0_2_021975C8
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_021976A4 FindFirstFileA,GetLastError, 0_2_021976A4
Source: hiYc6Vnppc.exe, 00000000.00000000.328776321.0000000000430000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://steamcommunity.com/tradeoffer

System Summary

Source: hiYc6Vnppc.exe | Static PE information: section name:
Source: hiYc6Vnppc.exe | Static PE information: section name:
Source: hiYc6Vnppc.exe | Static PE information: section name:
Source: hiYc6Vnppc.exe | Static PE information: section name:
Source: hiYc6Vnppc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: hiYc6Vnppc.exe | Binary or memory string: OriginalFilename vs hiYc6Vnppc.exe
Source: hiYc6Vnppc.exe, 00000000.00000000.333294097.0000000002191000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs hiYc6Vnppc.exe
Source: hiYc6Vnppc.exe, 00000000.00000000.333294097.0000000002191000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSV vs hiYc6Vnppc.exe
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 412
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_0040E890 0_2_0040E890
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_00411D7C 0_2_00411D7C
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_0040ED28 0_2_0040ED28
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_00406644 0_2_00406644
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_00413682 0_2_00413682
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_00411E9C 0_2_00411E9C
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_021B62D8 0_2_021B62D8
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_021AC980 0_2_021AC980
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_021AB1D8 0_2_021AB1D8
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: String function: 00403290 appears 34 times
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_021BDB00 SetFocus,SendMessageA,DestroyWindow,DestroyWindow,DestroyWindow,DestroyWindow,NtdllDefWindowProc_A, 0_2_021BDB00
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_021B02C0: CreateFileA,DeviceIoControl,CloseHandle, 0_2_021B02C0
Source: hiYc6Vnppc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: hiYc6Vnppc.exe | Static PE information: Section: ZLIB complexity 1.00047692587
Source: hiYc6Vnppc.exe | Static PE information: Section: ZLIB complexity 1.00079571759
Source: hiYc6Vnppc.exe | Static PE information: Section: ZLIB complexity 1.004296875
Source: hiYc6Vnppc.exe | Static PE information: Section: .rsrc ZLIB complexity 0.998780708092
Source: hiYc6Vnppc.exe | Virustotal: Detection: 65%
Source: hiYc6Vnppc.exe | Metadefender: Detection: 23%
Source: hiYc6Vnppc.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: unknown | Process created: C:\Users\user\Desktop\hiYc6Vnppc.exe "C:\Users\user\Desktop\hiYc6Vnppc.exe"
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 412
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2328
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_00401B30 CreateThread,Sleep,GetSystemInfo,FindResourceA,LoadResource,SizeofResource,ExitProcess,ExitProcess,LockResource,VirtualProtect,LdrInitializeThunk, 0_2_00401B30
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBF4.tmp
Source: classification engine | Classification label: mal84.troj.evad.winEXE@2/4@0/0
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_02197878 GetDiskFreeSpaceA, 0_2_02197878
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: hiYc6Vnppc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\youar\Desktop\Allcome\Source code\Build\Release\Build.pdb | source: hiYc6Vnppc.exe, 00000000.00000000.328776321.0000000000430000.00000040.00000001.01000000.00000003.sdmp
Source: hiYc6Vnppc.exe | Static PE information: real checksum: 0x53bcc should be: 0x805ec
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_0045145C push 021EE000h; ret 0_2_00451627
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe | Code function: 0_2_0041D846 push ds; ret 0_2_0041D847