Twitter Checker.exe
This report is generated from a file or URL submitted to this webservice on December 5th 2015 00:37:21 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v2.61 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Fingerprint: Contains ability to lookup the windows account name
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (1)

External Systems
Sample was identified as malicious by at least one Antivirus engine
- details: 2/55 Antivirus vendors marked sample as malicious (3% detection rate)
- source: External System
- relevance: 8/10
Suspicious Indicators (7)

Anti-Detection/Stealthiness
Queries kernel debugger information
- details: "<Input Sample>" at 00116578-00002528-779D61F8-302611
- source: API Call
- relevance: 6/10

Anti-Reverse Engineering
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details: Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- source: API Call
- relevance: 10/10
Environment Awareness
Queries volume information
- details: "<Input Sample>" queries volume information of "\\192.168.56.1\VM10\Twitter_Checker.exe" at 00116578-00002528-779D6268-120562
- source: API Call
- relevance: 2/10

Tries to sleep for a long time (more than two minutes)
- details: "<Input Sample>" sleeping for "1566804069" milliseconds
- source: API Call
- relevance: 10/10
Installation/Persistence
Creates/touches files in windows directory
- details: "<Input Sample>" created file "%WINDIR%\system32\rsaenh.dll"
- source: API Call
- relevance: 7/10
Unusual Characteristics
Installs hooks/patches the running process
- details: "<Input Sample>" wrote bytes "07944C83" to virtual address "0x6B402AFC" (part of module "CLR.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details: "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
- source: Registry Access
- relevance: 3/10
Informative (5)

General
Loads modules at runtime
- details:
  "<Input Sample>" loaded module "API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL" at base 77B10000
  "<Input Sample>" loaded module "ADVAPI32.DLL" at base 77080000
  "<Input Sample>" loaded module "CRYPTSP.DLL" at base 75560000
- source: API Call
- relevance: 1/10

Loads the .NET runtime environment
- details: "<Input Sample>" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\51e2934144ba15628ba5a31be2dae7dc\mscorlib.ni.dll" at 6A360000
- source: Loaded Module

Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details:
  "EventRegister@ADVAPI32.dll"
  "LookupAccountNameLocalW@sechost.dll"
  "EventUnregister@ADVAPI32.dll"
  "GdipDeleteBrush@gdiplus.dll"
  "LookupAccountSidW@ADVAPI32.dll"
  "LookupAccountSidLocalW@sechost.dll"
  "CryptAcquireContextW@CRYPTSP.dll"
- source: API Call
- relevance: 1/10
Installation/Persistence
Contains ability to lookup the windows account name
- details: LookupAccountNameLocalW@SECHOST.DLL at 00116578-00002528-779F228D-302250
- source: Hybrid Analysis Technology
- relevance: 5/10
Spyware/Information Retrieval
Found a reference to a known community page
- details:
  "Twitter Checker.exe" (Indicator: "twitter")
  "Twitter Checker" (Indicator: "twitter")
- source: File/Memory
- relevance: 7/10
File Details
Twitter Checker.exe
- Filename: Twitter Checker.exe
- Size: 21KiB (20992 bytes)
- Type: peexe assembly executable
- Description: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Architecture: WINDOWS
- SHA256: 94239a736d099ce3343b814bf768dcf928936f70933b7bec33770826090fc889
- MD5: 9664e3f3fc40c3dc1e4b3eacf9658b05
- SHA1: 3d0790e8ebbd990c4843400aa914f20d0e7220a2
- ssdeep: 384:x2sUtT9QNxWwgr1L1z5AtWLqIAyjsW737NvWmdfCTF8y8DQkN8I:xASJU/AtWL5weQkN8I
- imphash: f34d5f2d4577ed6d9ceec516c1f5a744
- PDB Pathway: (none)
Version Info
- Translation: 0x0000 0x04b0
- LegalCopyright: Copyright 2015
- Assembly Version: 1.0.0.0
- InternalName: Twitter Checker.exe
- FileVersion: 1.0.0.0
- CompanyName: Trixie @ Codernation
- LegalTrademarks: (empty)
- Comments: (empty)
- ProductName: Twitter Checker
- ProductVersion: 1.0.0.0
- FileDescription: Twitter Checker
- OriginalFilename: Twitter Checker.exe
Classification (TrID)
- 82.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.)
- 7.4% (.DLL) Win32 Dynamic Link Library (generic)
- 5.1% (.EXE) Win32 Executable (generic)
- 2.2% (.EXE) Generic Win/DOS Executable
- 2.2% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- Twitter_Checker.exe (PID: 2528)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
No significant files were extracted.