Windows Analysis Report
Ou0ZT4968y.exe

Overview

General Information

Sample Name: Ou0ZT4968y.exe
Analysis ID: 753418
MD5: 27b75158dcfeba6b3419bdbb15397584
SHA1: 8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de
SHA256: a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4
Tags: 32exetrojan
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Allocates memory in foreign processes
Tries to harvest and steal browser information (history, passwords, etc)
Injects a PE file into a foreign processes
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

barindex
Source: Ou0ZT4968y.exe Virustotal: Detection: 34% Perma Link
Source: Ou0ZT4968y.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Ou0ZT4968y.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe
Source: Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: Set-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: tVSet-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Ou0ZT4968y.exe, 00000000.00000000.263129062.0000000001473000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://studio.youtube.com
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://studio.youtube.com/reauth
Source: Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://studio.youtube.comSAPISIDHASH
Source: Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx
Source: Ou0ZT4968y.exe, 00000000.00000000.263396775.0000000000D0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Ou0ZT4968y.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_011535CB 0_2_011535CB
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_0115510A 0_2_0115510A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01152414 0_2_01152414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_0115510F 0_2_0115510F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01151E2E 0_2_01151E2E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01152270 0_2_01152270
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_011533A5 0_2_011533A5
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_0115278E 0_2_0115278E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01155ECF 0_2_01155ECF
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01155F74 0_2_01155F74
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_011D1D69 0_2_011D1D69
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01151E1A 0_2_01151E1A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01151A73 0_2_01151A73
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01151154 0_2_01151154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01151154 0_2_01151154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01152DBA 0_2_01152DBA
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01153378 0_2_01153378
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01154C0F 0_2_01154C0F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_011513AC 0_2_011513AC
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_011525A4 0_2_011525A4
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01154462 0_2_01154462
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01152EA0 0_2_01152EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01152EA0 0_2_01152EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01152838 0_2_01152838
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01152414 0_2_01152414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: String function: 01154FC0 appears 58 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: String function: 011521BC appears 41 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: String function: 01152F36 appears 78 times
Source: Ou0ZT4968y.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x100 address: 0x0
Source: Ou0ZT4968y.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE size: 0x100 address: 0x0
Source: Ou0ZT4968y.exe Virustotal: Detection: 34%
Source: Ou0ZT4968y.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Ou0ZT4968y.exe C:\Users\user\Desktop\Ou0ZT4968y.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\NaBhAaAa__eh_shmem3_gcc_tdm_
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\NaBhAaAa__shmem3_winpthreads_tdm_
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4204
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFF8.tmp Jump to behavior
Source: classification engine Classification label: mal64.spyw.evad.winEXE@5/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Ou0ZT4968y.exe Static file information: File size 3838464 > 1048576
Source: Ou0ZT4968y.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x2e8000
Source: Ou0ZT4968y.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Ou0ZT4968y.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01152158 push ecx; ret 0_2_011886D3
Source: Ou0ZT4968y.exe Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01160C7A LoadLibraryA,LoadLibraryA,GetProcAddress, 0_2_01160C7A
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe API coverage: 3.8 %
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_0115384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0115384B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01151A64 mov eax, dword ptr fs:[00000030h] 0_2_01151A64
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_0115302B mov eax, dword ptr fs:[00000030h] 0_2_0115302B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01154827 mov eax, dword ptr fs:[00000030h] 0_2_01154827
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_011C2752 mov eax, dword ptr fs:[00000030h] 0_2_011C2752
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01160C7A LoadLibraryA,LoadLibraryA,GetProcAddress, 0_2_01160C7A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01155D94 GetProcessHeap, 0_2_01155D94
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_01160375 LdrInitializeThunk, 0_2_01160375
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_0115384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0115384B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_0115579A SetUnhandledExceptionFilter, 0_2_0115579A

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4F10000 Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4CF2008 Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4F10000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4F10000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: GetLocaleInfoW, 0_2_0115282E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: GetLocaleInfoW, 0_2_0115282E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: EnumSystemLocalesW, 0_2_011CB629
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_01153431
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_011D4A53 GetTimeZoneInformation, 0_2_011D4A53
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_011558DF GetSystemTimeAsFileTime, 0_2_011558DF

Stealing of Sensitive Information

barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior