Xcitium Cloud Verdict

Packer

The binary likely contains encrypted or compressed data. Show sources

packer_section

name: .text, entropy: 7.79, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00038400, virtual_size: 0x0003825c

Stealing of Sensitive Information

Collects information to fingerprint the system Show sources

registry_read

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId

Attempts to access Bitcoin/ALTCoin wallets Show sources

file_query

C:\Users\user\AppData\Roaming\Electrum\wallets\*

Steals private information from local Internet browsers Show sources

file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\cookies.sqlite
file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies

Harvests credentials from local FTP client softwares Show sources

file	C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Malware Analysis System Evasion

A process attempted to delay the analysis task. Show sources

api_process_name	fe3658635c66bb8b0981fe3f73cebf1b229ed661.exe tried to sleep 1025 seconds, actually delayed analysis time by 0 seconds
api_process_name	WmiPrvSE.exe tried to sleep 781 seconds, actually delayed analysis time by 0 seconds

Detects VirtualBox through the presence of a registry key Show sources

registry_query

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__

Checks the CPU name from registry, possibly for anti-virtualization Show sources

registry_read

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Checks the version of Bios, possibly for anti-virtualization Show sources

registry_read

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Attempts to repeatedly call a single API many times in order to delay analysis time Show sources

api_process_name

fe3658635c66bb8b0981fe3f73cebf1b229ed661.exe (2392) called API NtClose 7195725 times

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Lowering of HIPS/ PFW/ Operating System Security Settings

Attempts to block SafeBoot use by removing registry keys Show sources

registry_delete

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option

File Name: fe3658635c66bb8b0981fe3f73cebf1b229ed661

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: fe3658635c66bb8b0981fe3f73cebf1b229ed661

MD5: a48de889c19197426214da54922eb7ad