Field | Value |
---|---|
Created | 2025.03.19 11:24 |
Machine | s1_win7_x6401 |
Filename | Crypt%20C.dll |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
VT API (file) | 40 detected (AIDetectMalware, Danabot, Malicious, score, Jaik, Unsafe, confidence, Attribute, HighConfidence, Windows, Threat, GenKryptik, HHJB, AgentTesla, cntg, CLOUD, YXFCRZ, Static AI, Malicious PE, Redcap, hafkx, ABRisk, MVDG, Artemis, PossibleThreat, A9OKG) |
md5 | 8d252f7a6ff4f929d86cf7feb95a5b08 |
sha256 | 46a1eec81e8b0d889b6fde07a85405874d4b21da998b34e8b91fd852d1ddb458 |
ssdeep | 98304:DW0704A7pKmwDNRdBYaAGmOGio38um37R6BJZO4A5cfebV/FkZQ:DW044gnwPnbAGmO83OR6BJZ9ATF |
imphash | 93b46cf2d15d8642e4c951c33e99ef12 |
impfuzzy | 3:siBJJ67d4vA1MO/QHAp4HAXKtyHXQjEI9WWrh:tC4oZ/QHAyHAXKUHXQj5l |
Signature (41 counts)
Level | Description |
---|---|
danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | A process performed obfuscation on information about the computer or sent it to a remote location, indicative of CnC traffic/preparations. |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to create or modify system certificates |
watch | Attempts to disable browser security warnings |
watch | Attempts to identify installed AV products by installation directory |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Creates a windows hook that monitors keyboard input (keylogger) |
watch | Expresses interest in specific running processes |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client software |
watch | Modifies the Firefox configuration file |
watch | One or more non-whitelisted processes were created |
watch | One or more of the buffers contains an embedded PE file |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates executable files on the filesystem |
notice | Executes one or more WMI queries |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Starts servers listening |
notice | Steals private information from local Internet browsers |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (21 counts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API

```
IAT (Import Address Table) Library
  kernel32.dll
    0x986068  VirtualAlloc
    0x98606c  RtlMoveMemory
    0x986070  ExitProcess
  user32.dll
    0x9860b8  GetMessageA
    0x9860bc  TranslateMessage
    0x9860c0  DispatchMessageA

EAT (Export Address Table) Library
    0x98500c  start
```