Windows Analysis Report
Ou0ZT4968y.exe

Overview

General Information

Sample Name: Ou0ZT4968y.exe
Analysis ID: 753418
MD5: 27b75158dcfeba6b3419bdbb15397584
SHA1: 8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de
SHA256: a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4
Tags: 32exetrojan
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Allocates memory in foreign processes
Tries to harvest and steal browser information (history, passwords, etc)
Injects a PE file into a foreign processes
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

barindex
Source: Ou0ZT4968y.exe Virustotal: Detection: 34% Perma Link
Source: Ou0ZT4968y.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Ou0ZT4968y.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe
Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: Set-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: tVSet-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://studio.youtube.com
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://studio.youtube.com/reauth
Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://studio.youtube.comSAPISIDHASH
Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx
Source: Ou0ZT4968y.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B2414 0_2_009B2414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B510A 0_2_009B510A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B35CB 0_2_009B35CB
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B510F 0_2_009B510F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B1E2E 0_2_009B1E2E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B2270 0_2_009B2270
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B33A5 0_2_009B33A5
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B278E 0_2_009B278E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B5ECF 0_2_009B5ECF
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B5F74 0_2_009B5F74
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_00A31D69 0_2_00A31D69
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B1E1A 0_2_009B1E1A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B1A73 0_2_009B1A73
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B1154 0_2_009B1154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B1154 0_2_009B1154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B2DBA 0_2_009B2DBA
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B3378 0_2_009B3378
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B4C0F 0_2_009B4C0F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B13AC 0_2_009B13AC
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B25A4 0_2_009B25A4
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B2EA0 0_2_009B2EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B4462 0_2_009B4462
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B2EA0 0_2_009B2EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B2414 0_2_009B2414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B2838 0_2_009B2838
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: String function: 009B2F36 appears 93 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: String function: 009B21BC appears 45 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: String function: 009B4FC0 appears 70 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: String function: 00A2BD8D appears 31 times
Source: Ou0ZT4968y.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x100 address: 0x0
Source: Ou0ZT4968y.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE size: 0x100 address: 0x0
Source: Ou0ZT4968y.exe Virustotal: Detection: 34%
Source: Ou0ZT4968y.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Ou0ZT4968y.exe C:\Users\user\Desktop\Ou0ZT4968y.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\DmAaAaAa__shmem3_winpthreads_tdm_
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\DmAaAaAa__eh_shmem3_gcc_tdm_
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1308
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBFE.tmp Jump to behavior
Source: classification engine Classification label: mal64.spyw.evad.winEXE@5/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Ou0ZT4968y.exe Static file information: File size 3838464 > 1048576
Source: Ou0ZT4968y.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x2e8000
Source: Ou0ZT4968y.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Ou0ZT4968y.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B2158 push ecx; ret 0_2_009E86D3
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009E71C7 push ecx; ret 0_2_009E71DA
Source: Ou0ZT4968y.exe Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009C0C7A LoadLibraryA,LoadLibraryA,GetProcAddress, 0_2_009C0C7A
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe API coverage: 3.6 %
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009B384B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B302B mov eax, dword ptr fs:[00000030h] 0_2_009B302B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B4827 mov eax, dword ptr fs:[00000030h] 0_2_009B4827
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B1A64 mov eax, dword ptr fs:[00000030h] 0_2_009B1A64
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_00A22752 mov eax, dword ptr fs:[00000030h] 0_2_00A22752
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009C0C7A LoadLibraryA,LoadLibraryA,GetProcAddress, 0_2_009C0C7A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B5D94 GetProcessHeap, 0_2_009B5D94
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009C0375 LdrInitializeThunk, 0_2_009C0375
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009B384B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009B579A SetUnhandledExceptionFilter, 0_2_009B579A

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A00000 Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4955008 Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A00000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A00000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: GetLocaleInfoW, 0_2_009B282E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: GetLocaleInfoW, 0_2_009B282E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: GetLocaleInfoEx, 0_2_009E6A66
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_009B3431
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: EnumSystemLocalesW, 0_2_00A2B629
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009E86D9 cpuid 0_2_009E86D9
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_00A34A53 GetTimeZoneInformation, 0_2_00A34A53
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe Code function: 0_2_009E8204 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_009E8204

Stealing of Sensitive Information

barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior