dw7h7aQwVZ.exe
PE32 executable (GUI) Intel 80386, for MS Windows
initial sample

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 6.053515766000424
Filename: dw7h7aQwVZ.exe
Filesize: 106496
MD5: 3fb350f4356f42b51a523b6fa8cbccf3
SHA1: 5f24115b8e734d11deea653df8b32c506c31f4b1
SHA256: 6f01d6bd7b69d6e61d55898a1a9f1c228bf644ddb03c7506670dd2e6d9bfc967
SHA512: 2cfa64f27aa30c8681d7d28ad8a330cb1c830ca6492aa916a4d3177127ee701556c80f234512802dd5c5cc1374c0f47c87ada6587a456c651e3ec3451c0e16af
SSDEEP: 1536:czvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqfIzmd:nSHIG6mQwGmfOQd8YhY0/EqUG
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x.....................K.K.............=2......................................=2......=2......Rich............PE..L.....lW...

Signature Hits | Behavior Group | Mitre Attack
Malicious sample detected (through community Yara rule) | System Summary |
Multi AV Scanner detection for submitted file | AV Detection |
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Stealing of Sensitive Information |
Tries to harvest and steal browser information (history, passwords, etc) | Stealing of Sensitive Information |
Tries to harvest and steal ftp login credentials | Stealing of Sensitive Information |
Tries to steal Mail credentials (via file / registry access) | Stealing of Sensitive Information |
Enables debug privileges | Anti Debugging |
May sleep (evasive loops) to hinder dynamic analysis | Malware Analysis System Evasion |
PE file contains sections with non-standard names | Data Obfuscation |
Uses 32bit PE files | Compliance, System Summary |
Yara signature match | System Summary |
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates files inside the user directory | System Summary |
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
PE file has an executable .text section and no other executable section | System Summary |
Queries the cryptographic machine GUID | Language, Device and Operating System Detection | System Information Discovery
Reads software policies | System Summary |
Sample is known by Antivirus | System Summary |
Tries to load missing DLLs | System Summary |
Checks if Microsoft Office is installed | System Summary |

|
C:\Users\user\AppData\Roaming\188E93\31437F.lck
very short file (no magic)
dropped

File: C:\Users\user\AppData\Roaming\188E93\31437F.lck
Category: dropped
Dump: 31437F.lck.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\dw7h7aQwVZ.exe
Type: very short file (no magic)
Entropy: 0.0
Encrypted: false
Size: 1
Whitelisted: false