Windows
Analysis Report
b123.exe
Overview
General Information
Detection
CryptOne, Vidar
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected CryptOne packer
Yara detected Vidar stealer
Detected CryptOne packer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking mutex)
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Self deletion via cmd delete
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found evasive API chain (may stop execution after checking locale)
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Del in CommandLine
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Contains functionality to read the PEB
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- b123.exe (PID: 2140, cmdline: "C:\Users\user\Desktop\b123.exe", MD5: 2E89A7AAE558E9BE86042E2BD7E65803)
  - cmd.exe (PID: 5844, cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\b123.exe" & exit, MD5: F3BDBE3BB6F734E357235F4D5898582D)
    - conhost.exe (PID: 4492, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    - timeout.exe (PID: 6500, cmdline: timeout /t 5, MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
- cleanup
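The cmd.exe child in the tree above (PID 5844) is what the "Self deletion via cmd delete" signature keys on: a timeout delay, then del /f /q against the parent's own image path, so the executable is removed after the stealer has exited. The following is an added example and is not part of the Joe Sandbox report or its signature logic: a Python check over process-creation events that flags a cmd.exe whose del target equals its parent's image path. The events are constructed from the PIDs and command lines in the process tree; the field names pid/ppid/image/cmdline, the assumed parent PID 1000 for b123.exe, the benign setup.exe events used as a negative case, and the ping/choice delay idioms (a generalisation beyond the timeout the report shows) are assumptions added for illustration, not taken from the report.

```python
"""Self-deletion detector over process-creation events (added example,
not part of the sandbox report)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record. Field names are an assumption
    modelled on Sysmon Event ID 1, not the sandbox's own schema."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: the report's tree (2140 -> 5844 -> 4492/6500) plus a
# benign installer deleting a log file so the check has a negative case.
# ppid 1000 for b123.exe and the setup.exe events are assumptions.
EVENTS = [
    ProcEvent(2140, 1000, r"C:\Users\user\Desktop\b123.exe",
              r'"C:\Users\user\Desktop\b123.exe"'),
    ProcEvent(5844, 2140, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q '
              r'"C:\Users\user\Desktop\b123.exe" & exit'),
    ProcEvent(4492, 5844, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6500, 5844, r"C:\Windows\system32\timeout.exe", r"timeout /t 5"),
    ProcEvent(3000, 1000, r"C:\Temp\setup.exe", r'"C:\Temp\setup.exe" /S'),
    ProcEvent(3001, 3000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c del /q "C:\Temp\install.log"'),
]

# `del` (or its cmd alias `erase`), optional switches, then a quoted or bare path.
DEL_RE = re.compile(
    r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+(?:"([^"]+)"|([^\s&|"]+))',
    re.IGNORECASE,
)
# Delay idioms placed before the delete so the parent can exit first.
# timeout is what the report shows; ping/choice are other common variants.
DELAY_RE = re.compile(
    r"\b(?:timeout\s+/t\s+\d+|ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1|choice\s+/t\s+\d+)",
    re.IGNORECASE,
)


def del_targets(cmdline):
    """Return every path passed to del/erase in a command line."""
    return [(m.group(1) or m.group(2)).strip() for m in DEL_RE.finditer(cmdline)]


def find_self_deletion(events):
    """Flag cmd.exe children whose del target is the parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        for target in del_targets(e.cmdline):
            # Path equality with the parent image is the discriminator;
            # a bare keyword match on "del /f /q" would also hit installers.
            if target.lower() == parent.image.lower():
                hits.append({
                    "cmd_pid": e.pid,
                    "parent_pid": parent.pid,
                    "target": target,
                    "delayed": DELAY_RE.search(e.cmdline) is not None,
                })
    return hits


if __name__ == "__main__":
    for h in find_self_deletion(EVENTS):
        print(f"self-deletion: pid {h['parent_pid']} via cmd pid {h['cmd_pid']}"
              f" -> {h['target']} (delayed={h['delayed']})")
```

Run stand-alone it reports exactly one hit, the b123.exe/cmd.exe pair, and stays silent on the installer that removes its own log file. Comparing the del target with the parent's image path is what keeps a keyword-only rule on `del /f /q` from firing on routine cleanup; the `delayed` flag records the timeout that lets the parent exit before the file is unlinked.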
Malware configuration: {"C2 url": "http://sughicent.com/blaka.php"}
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Crypt | Yara detected CryptOne packer | Joe Security |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
Sigma rules: two hits, author frack113 (rule names and matched events not preserved in the extract)
AV Detection
- Malware Configuration Extractor, ReversingLabs, Avira URL Cloud, Joe Sandbox ML, Avira: one hit each
- Code function: five hits
(details not preserved in the extract)

Compliance
- Unpacked PE file: two hits
- Static PE information: one hit
- Code function: seven hits
- File opened: six hits
(details not preserved in the extract)

Networking
- URLs, ASN Name, IP Address: one hit each
- HTTP traffic detected: four hits
(details not preserved in the extract)