vScraper.exe
This report is generated from a file or URL submitted to this webservice on December 22nd 2015 16:21:31 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v3.10 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Fingerprint: Contains ability to look up the Windows account name
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (1)

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details: 3/55 Antivirus vendors marked sample as malicious (5% detection rate)
- source: External System
- relevance: 8/10

Suspicious Indicators (10)

Anti-Detection/Stealthiness

Queries kernel debugger information
- details: "<Input Sample>" at 00136046-00003960-76F261F8-320163
- source: API Call
- relevance: 6/10

Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details: Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- source: API Call
- relevance: 10/10

PE file has unusual entropy sections
- details: .text with unusual entropies 7.95912784718
- source: Static Parser
- relevance: 10/10

Environment Awareness

Queries volume information
- details: "<Input Sample>" queries volume information of "Z:\share\vScraper.exe" at 00136046-00003960-76F26268-138406
- source: API Call
- relevance: 2/10

Tries to sleep for a long time (more than two minutes)
- details: "<Input Sample>" sleeping for "1566804069" milliseconds
- source: API Call
- relevance: 10/10

General

Reads configuration files
- details: "<Input Sample>" read file "%WINDIR%\win.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Creates/touches files in Windows directory
- details: "<Input Sample>" created file "%WINDIR%\system32\rsaenh.dll"
- source: API Call
- relevance: 7/10

Network Related

Found potential IP address in binary/memory
- details: "1.0.1.0"
- source: File/Memory
- relevance: 3/10

Unusual Characteristics

Installs hooks/patches the running process
- details: "<Input Sample>" wrote bytes "AD43904E" to virtual address "0x6A4E2AFC" (part of module "CLR.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details:
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "EN")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "EN")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "AR")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "AR")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "AR-SA")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "AR-SA")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "BG")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "BG")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "BG-BG")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "BG-BG")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "CA")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "CA")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "CA-ES")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "CA-ES")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "ZH-HANS")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "ZH-HANS")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "ZH-CN")
  - "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "ZH-CN")
- source: Registry Access
- relevance: 3/10

Informative (5)

General

Loads modules at runtime
- details:
  - "<Input Sample>" loaded module "API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL" at base 77040000
  - "<Input Sample>" loaded module "ADVAPI32.DLL" at base 76C60000
  - "<Input Sample>" loaded module "CRYPTSP.DLL" at base 74AB0000
  - "<Input Sample>" loaded module "%WINDIR%\SYSTEM32\RSAENH.DLL" at base 74850000
  - "<Input Sample>" loaded module "CRYPTBASE.DLL" at base 74F80000
  - "<Input Sample>" loaded module "RPCRTREMOTE.DLL" at base 75020000
- source: API Call
- relevance: 1/10

Loads rich edit control libraries
- details: "<Input Sample>" loaded module "%WINDIR%\system32\RichEd20.DLL" at 6ACA0000
- source: Loaded Module

Loads the .NET runtime environment
- details: "<Input Sample>" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\51e2934144ba15628ba5a31be2dae7dc\mscorlib.ni.dll" at 69520000
- source: Loaded Module

Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details:
  - "LookupAccountNameLocalW@sechost.dll"
  - "LookupAccountSidW@ADVAPI32.dll"
  - "LookupAccountSidLocalW@sechost.dll"
  - "CryptAcquireContextW@CRYPTSP.dll"
  - "GdipDisposeImage@gdiplus.dll"
  - "EventUnregister@ADVAPI32.dll"
  - "CPAcquireContext@rsaenh.dll"
  - "CPReleaseContext@rsaenh.dll"
  - "CPGenKey@rsaenh.dll"
  - "CPDeriveKey@rsaenh.dll"
  - "CPDestroyKey@rsaenh.dll"
  - "CPSetKeyParam@rsaenh.dll"
  - "CPGetKeyParam@rsaenh.dll"
  - "CPExportKey@rsaenh.dll"
  - "CPImportKey@rsaenh.dll"
  - "CPEncrypt@rsaenh.dll"
  - "CPDecrypt@rsaenh.dll"
  - "CPCreateHash@rsaenh.dll"
  - "CPHashData@rsaenh.dll"
  - "CPHashSessionKey@rsaenh.dll"
- source: API Call
- relevance: 1/10

Installation/Persistence

Contains ability to look up the Windows account name
- details: LookupAccountNameLocalW@SECHOST.DLL at 00136046-00003960-76F4228D-320098
- source: Hybrid Analysis Technology
- relevance: 5/10

File Details
- Filename: vScraper.exe
- Size: 218KiB (222720 bytes)
- Type: peexe assembly executable
- Description: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Architecture: WINDOWS
- SHA256: a7543bdf95eca9811c0f361a4cd00606b145b0424892b7d731a691f67f5131d5
- MD5: a0b3673bc0d506293b7bc02757bbf35c
- SHA1: 5929d900ada679875814291fa7c5c19d48761623
- ssdeep: 3072:qoivI6+Ig24YJd6wceXsWWRq6oHhocqoGY1R:rqdFJwwceXsWWRqBHGXY1
- imphash: f34d5f2d4577ed6d9ceec516c1f5a744
- authentihash: cda7f7aab34a4dd9a8017f2997e93b70ae2811ba9135907288fa307f0274c889
- PDB Pathway
Version Info
- Translation: 0x0000 0x04b0
- LegalCopyright: Copyright 2015
- Assembly Version: 1.0.1.0
- InternalName: vScraper.exe
- FileVersion: 1.0.1.0
- CompanyName: -
- LegalTrademarks: -
- Comments: -
- ProductName: vScraper
- ProductVersion: 1.0.1.0
- FileDescription: vScraper
- OriginalFilename: vScraper.exe
Classification (TrID)
- 82.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.)
- 7.4% (.DLL) Win32 Dynamic Link Library (generic)
- 5.1% (.EXE) Win32 Executable (generic)
- 2.2% (.EXE) Generic Win/DOS Executable
- 2.2% (.EXE) DOS Executable Generic
File Sections
File Resources
File Imports
Screenshots
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- vScraper.exe (PID: 3960)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications
Runtime
- Added comment to VirusTotal report
- Not all sources for signature ID "api-8" are available in the report
- Not all sources for signature ID "registry-25" are available in the report