Loading... Additional Content is being loaded
Windows
Analysis Report
creal.exe
Overview
General Information
| Sample name: | creal.exe |
| Analysis ID: | 1592536 |
| MD5: | da1695dba8bd25d00e05e7769d6d7e8e |
| SHA1: | 884c5b84185bfcc06b2f82474642e23af842cf26 |
| SHA256: | 7166d6cc2435061f32cf982dba8f6ec27fc23a46c9705aa52fb2ba08eb7011aa |
| Tags: | exemalwaretrojanuser-Joker |
| Infos: |   |
 |
|
Detection
Python Stealer, Creal Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected Creal Stealer
AI detected suspicious sample
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal communication platform credentials (via file / registry access)
Yara detected Generic Python Stealer
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
AV Detection |
  |
|---|
| Source: |
Avira: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Source: |
Integrated Neural Analysis Model: |
||
Location Tracking |
|
|---|
| Source: |
DNS query: |
||
| Source: |
Code function: |
2_2_00007FF8E7176244 | |
| Source: |
Code function: |
2_2_00007FF8E71718E0 | |
| Source: |
Code function: |
2_2_00007FF8E7218E50 | |
| Source: |
Code function: |
2_2_00007FF8E721E870 | |
| Source: |
Code function: |
2_2_00007FF8E71F0880 | |
| Source: |
Code function: |
2_2_00007FF8E7212890 | |
| Source: |
Code function: |
2_2_00007FF8E7214880 | |
| Source: |
Code function: |
2_2_00007FF8E71D23EC | |
| Source: |
Code function: |
2_2_00007FF8E721E8D0 | |
| Source: |
Code function: |
2_2_00007FF8E71D1B54 | |
| Source: |
Code function: |
2_2_00007FF8E721E731 | |
| Source: |
Code function: |
2_2_00007FF8E71EE72A | |
| Source: |
Code function: |
2_2_00007FF8E71EE72C | |
| Source: |
Code function: |
2_2_00007FF8E71D1AB4 | |
| Source: |
Code function: |
2_2_00007FF8E7228700 | |
| Source: |
Code function: |
2_2_00007FF8E71D1893 | |
| Source: |
Code function: |
2_2_00007FF8E71D26F8 | |
| Source: |
Code function: |
2_2_00007FF8E71D198D | |
| Source: |
Code function: |
2_2_00007FF8E71D24DC | |
| Source: |
Code function: |
2_2_00007FF8E71E27B0 | |
| Source: |
Code function: |
2_2_00007FF8E7234780 | |
| Source: |
Code function: |
2_2_00007FF8E71D223E | |
| Source: |
Code function: |
2_2_00007FF8E71D103C | |
| Source: |
Code function: |
2_2_00007FF8E71D1217 | |
| Source: |
Code function: |
2_2_00007FF8E721E6B0 | |
| Source: |
Code function: |
2_2_00007FF8E72046B0 | |
| Source: |
Code function: |
2_2_00007FF8E71F26C0 | |
| Source: |
Code function: |
2_2_00007FF8E71D16A4 | |
| Source: |
Code function: |
2_2_00007FF8E71D2036 | |
| Source: |
Code function: |
2_2_00007FF8E71D24FA | |
| Source: |
Code function: |
2_2_00007FF8E71D1488 | |
| Source: |
Code function: |
2_2_00007FF8E71DE592 | |
| Source: |
Code function: |
2_2_00007FF8E71D2059 | |
| Source: |
Code function: |
2_2_00007FF8E71D1AC3 | |
| Source: |
Code function: |
2_2_00007FF8E71D1D98 | |
| Source: |
Code function: |
2_2_00007FF8E71D1EE7 | |
| Source: |
Code function: |
2_2_00007FF8E71D15E1 | |
| Source: |
Code function: |
2_2_00007FF8E71D6460 | |
| Source: |
Code function: |
2_2_00007FF8E71D1627 | |
| Source: |
Code function: |
2_2_00007FF8E7248450 | |
| Source: |
Code function: |
2_2_00007FF8E71D18B6 | |
| Source: |
Code function: |
2_2_00007FF8E71DE4A0 | |
| Source: |
Code function: |
2_2_00007FF8E71FE4F0 | |
| Source: |
Code function: |
2_2_00007FF8E71D19DD | |
| Source: |
Code function: |
2_2_00007FF8E7228330 | |
| Source: |
Code function: |
2_2_00007FF8E71D4330 | |
| Source: |
Code function: |
2_2_00007FF8E71F2360 | |
| Source: |
Code function: |
2_2_00007FF8E723C370 | |
| Source: |
Code function: |
2_2_00007FF8E71D1F41 | |
| Source: |
Code function: |
2_2_00007FF8E71EC3A0 | |
| Source: |
Code function: |
2_2_00007FF8E72343A0 | |
| Source: |
Code function: |
2_2_00007FF8E724A3A0 | |
| Source: |
Code function: |
2_2_00007FF8E71D1F5A | |
| Source: |
Code function: |
2_2_00007FF8E71D6233 | |
| Source: |
Code function: |
2_2_00007FF8E71D138E | |
| Source: |
Code function: |
2_2_00007FF8E71D23FB | |
| Source: |
Code function: |
2_2_00007FF8E71F6290 | |
| Source: |
Code function: |
2_2_00007FF8E71E62F0 | |
| Source: |
Code function: |
2_2_00007FF8E71D1366 | |
| Source: |
Code function: |
2_2_00007FF8E71D4130 | |
| Source: |
Code function: |
2_2_00007FF8E71D2694 | |
| Source: |
Code function: |
2_2_00007FF8E71D13D9 | |
| Source: |
Code function: |
2_2_00007FF8E71D150A | |
| Source: |
Code function: |
2_2_00007FF8E71D1C58 | |
| Source: |
Code function: |
2_2_00007FF8E721E160 | |
| Source: |
Code function: |
2_2_00007FF8E7246190 | |
| Source: |
Code function: |
2_2_00007FF8E7236180 | |
| Source: |
Code function: |
2_2_00007FF8E71D1CF3 | |
| Source: |
Code function: |
2_2_00007FF8E721E1D0 | |
| Source: |
Code function: |
2_2_00007FF8E71D1186 | |
| Source: |
Code function: |
2_2_00007FF8E71ED040 | |
| Source: |
Code function: |
28_2_00007FF8F8406244 | |
| Source: |
Code function: |
28_2_00007FF8F84018E0 | |
| Source: |
Code function: |
28_2_00007FF8F84D8E50 | |
| Source: |
Code function: |
28_2_00007FF8F84E1950 | |
| Source: |
Code function: |
28_2_00007FF8F84DD960 | |
| Source: |
Code function: |
28_2_00007FF8F84FD9E0 | |
| Source: |
Code function: |
28_2_00007FF8F8491023 | |
| Source: |
Code function: |
28_2_00007FF8F84911C2 | |
| Source: |
Code function: |
28_2_00007FF8F84D99A0 | |
| Source: |
Code function: |
28_2_00007FF8F849193D | |
| Source: |
Code function: |
28_2_00007FF8F84912D0 | |
| Source: |
Code function: |
28_2_00007FF8F84F3A90 | |
| Source: |
Code function: |
28_2_00007FF8F84A1AA0 | |
| Source: |
Code function: |
28_2_00007FF8F84C3B10 | |
| Source: |
Code function: |
28_2_00007FF8F849FB00 | |
| Source: |
Code function: |
28_2_00007FF8F84DFB00 | |
| Source: |
Code function: |
28_2_00007FF8F8491087 | |
| Source: |
Code function: |
28_2_00007FF8F84D3C30 | |
| Source: |
Code function: |
28_2_00007FF8F84EFCC0 | |
| Source: |
Code function: |
28_2_00007FF8F8492536 | |
| Source: |
Code function: |
28_2_00007FF8F84A7CB0 | |
| Source: |
Code function: |
28_2_00007FF8F84A9D50 | |
| Source: |
Code function: |
28_2_00007FF8F849176C | |
| Source: |
Code function: |
28_2_00007FF8F84BDDC0 | |
| Source: |
Code function: |
28_2_00007FF8F849157D | |
| Source: |
Code function: |
28_2_00007FF8F84911E0 | |
| Source: |
Code function: |
28_2_00007FF8F84B5DE0 | |
| Source: |
Code function: |
28_2_00007FF8F849108C | |
| Source: |
Code function: |
28_2_00007FF8F84E7DE0 | |
| Source: |
Code function: |
28_2_00007FF8F84925EF | |
| Source: |
Code function: |
28_2_00007FF8F849FDB0 | |
| Source: |
Code function: |
28_2_00007FF8F8495E4A | |
| Source: |
Code function: |
28_2_00007FF8F84919E7 | |
| Source: |
Code function: |
28_2_00007FF8F8493EE0 | |
| Source: |
Code function: |
28_2_00007FF8F84F9E90 | |
| Source: |
Code function: |
28_2_00007FF8F8491B31 | |
| Source: |
Code function: |
28_2_00007FF8F84EFF50 | |
| Source: |
Code function: |
28_2_00007FF8F8491ACD | |
| Source: |
Code function: |
28_2_00007FF8F84925A4 | |
| Source: |
Code function: |
28_2_00007FF8F84F3F10 | |
| Source: |
Code function: |
28_2_00007FF8F84A7F00 | |
| Source: |
Code function: |
28_2_00007FF8F8491B18 | |
| Source: |
Code function: |
28_2_00007FF8F84A5FD0 | |
| Source: |
Code function: |
28_2_00007FF8F8492400 | |
| Source: |
Code function: |
28_2_00007FF8F84B5F90 | |
| Source: |
Code function: |
28_2_00007FF8F849144C | |
| Source: |
Code function: |
28_2_00007FF8F8491D8E | |
| Source: |
Code function: |
28_2_00007FF8F849107D | |
| Source: |
Code function: |
28_2_00007FF8F84A40F0 | |
| Source: |
Code function: |
28_2_00007FF8F8492734 | |
| Source: |
Code function: |
28_2_00007FF8F84B6080 | |
| Source: |
Code function: |
28_2_00007FF8F84A60B0 | |
| Source: |
Code function: |
28_2_00007FF8F84E80B0 | |
| Source: |
Code function: |
28_2_00007FF8F8491113 | |
| Source: |
Code function: |
28_2_00007FF8F8503160 | |
| Source: |
Code function: |
28_2_00007FF8F84920EF | |
| Source: |
Code function: |
28_2_00007FF8F84AF100 | |
| Source: |
Code function: |
28_2_00007FF8F84FB100 | |
| Source: |
Code function: |
28_2_00007FF8F849214E | |
| Source: |
Code function: |
28_2_00007FF8F84BF1F0 | |
| Source: |
Code function: |
28_2_00007FF8F84B9270 | |
| Source: |
Code function: |
28_2_00007FF8F84D3270 | |
| Source: |
Code function: |
28_2_00007FF8F8492121 | |
| Source: |
Code function: |
28_2_00007FF8F8492478 | |
| Source: |
Code function: |
28_2_00007FF8F8491F91 | |
| Source: |
Code function: |
28_2_00007FF8F84913A2 | |
| Source: |
Code function: |
28_2_00007FF8F8491A0F | |
| Source: |
Code function: |
28_2_00007FF8F8494B40 | |
| Source: |
Code function: |
28_2_00007FF8F8492383 | |
| Source: |
Code function: |
28_2_00007FF8F850AB20 | |
| Source: |
Code function: |
28_2_00007FF8F8492432 | |
| Source: |
Code function: |
28_2_00007FF8F8491492 | |
| Source: |
Code function: |
28_2_00007FF8F84926C6 | |
| Source: |
Code function: |
28_2_00007FF8F8502BC0 | |
| Source: |
Code function: |
28_2_00007FF8F8491212 | |
| Source: |
Code function: |
28_2_00007FF8F84AABB0 | |
| Source: |
Code function: |
28_2_00007FF8F84DEBB0 | |
| Source: |
Code function: |
28_2_00007FF8F84F4BB0 | |
| Source: |
Code function: |
28_2_00007FF8F84D8C60 | |
| Source: |
Code function: |
28_2_00007FF8F84DEC10 | |
| Source: |
Code function: |
28_2_00007FF8F8494C00 | |
| Source: |
Code function: |
28_2_00007FF8F84D2C30 | |
| Source: |
Code function: |
28_2_00007FF8F84917DF | |
| Source: |
Code function: |
28_2_00007FF8F8491CA8 | |
| Source: |
Code function: |
28_2_00007FF8F84BEC90 | |
| Source: |
Code function: |
28_2_00007FF8F8491154 | |
| Source: |
Code function: |
28_2_00007FF8F84A4D50 | |
| Source: |
Code function: |
28_2_00007FF8F84F0D60 | |
| Source: |
Code function: |
28_2_00007FF8F84D8D10 | |
| Source: |
Code function: |
28_2_00007FF8F84914CE | |
| Source: |
Code function: |
28_2_00007FF8F84917E9 | |
| Source: |
Code function: |
28_2_00007FF8F8491771 | |
| Source: |
Code function: |
28_2_00007FF8F84F6D90 | |
| Source: |
Code function: |
28_2_00007FF8F84A4DB0 | |
| Source: |
Code function: |
28_2_00007FF8F84AEE43 | |
| Source: |
Code function: |
28_2_00007FF8F84922E8 | |
| Source: |
Code function: |
28_2_00007FF8F8491A05 | |
| Source: |
Code function: |
28_2_00007FF8F849258B | |
| Source: |
Code function: |
28_2_00007FF8F850AED0 | |
| Source: |
Code function: |
28_2_00007FF8F8491370 | |
| Source: |
Code function: |
28_2_00007FF8F8491460 | |
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
Static PE information: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: | ||