79a27e4a398b5567f6fe6ea11c9736304b00064825801bc0dec160de4423ecb9

Sharing

Copy URL Twitter E-mail

General

Target

79a27e4a398b5567f6fe6ea11c9736304b00064825801bc0dec160de4423ecb9
Size

3.5MB
MD5

1f6c51836d4915ab26062792c3461f8e
SHA1

9f4c079c82923b05f03e983ebc4d2d7249277fe4
SHA256

79a27e4a398b5567f6fe6ea11c9736304b00064825801bc0dec160de4423ecb9
SHA512

0fb93bcb8cd60801e49be3f1cd9a154ec14af0b0ed9b1c627530acc70413bde16c9b00aea8ec174655dc05f2b9ba8d0f1dc11a554a167ca57059f05120ba754d
SSDEEP

49152:OhIQUPJ1WMVWxszjEflNnnv3HASULbE2eFhoY9pkRNVsJ5YV8WMn0JWlrGmQ6UI:1ax3lNnmE2mv9pkRNIlr

Score

9^/10

cryptone packer

Malware Config

Signatures

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

resource	yara_rule
sample	cryptone

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
79a27e4a398b5567f6fe6ea11c9736304b00064825801bc0dec160de4423ecb9

Files

79a27e4a398b5567f6fe6ea11c9736304b00064825801bc0dec160de4423ecb9
.exe windows:5 windows x86

c1c0149142054dac4085f1d3744c537f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

runikanticheat

ult_094x2429C
ult_041x7130C
ult_P5x94PYT
ult_C16x29BF2
ult_0x0459y7x
ult_0xAL0X2FB
ult_U93H29RY1

kernel32

GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
GetThreadPriority
SwitchToThread
SignalObjectAndWait
WaitForSingleObjectEx
CreateTimerQueue
GetExitCodeThread
DuplicateHandle
GlobalAlloc
QueryDepthSList
UnregisterWaitEx
LoadLibraryW
GlobalFree
GetModuleFileNameA
DeleteFileA
GetPrivateProfileStringA
lstrlenA
GetCurrentDirectoryA
MoveFileA
LoadLibraryA
GetModuleHandleA
GetProcAddress
TerminateProcess
GetFileAttributesA
FindClose
FindNextFileA
FindFirstFileA
SetFileAttributesA
SetThreadPriority
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
WaitForSingleObject
SetEvent
GetThreadTimes
WaitNamedPipeW
GetProcessAffinityMask
SetEnvironmentVariableA
CreateProcessA
RegisterWaitForSingleObject
WriteConsoleW
OutputDebugStringW
HeapReAlloc
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetTimeZoneInformation
GetFileAttributesExW
Sleep
CreateDirectoryW
ReadConsoleW
SetFilePointerEx
GetConsoleMode
GetConsoleCP
GetOEMCP
GetACP
IsValidCodePage
HeapSize
GetModuleFileNameW
GetStdHandle
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
CreateSemaphoreW
GetModuleHandleW
GetStartupInfoW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
CreateEventW
InitializeCriticalSectionAndSpinCount
SetLastError
UnhandledExceptionFilter
PeekNamedPipe
GetFileType
GetCPInfo
LoadLibraryExW
GetCurrentThreadId
SetEndOfFile
SetThreadAffinityMask
RtlUnwind
RaiseException
GetCommandLineA
GetSystemTimeAsFileTime
UnregisterWait
FreeLibraryAndExitThread
GetVersionExW
VirtualAlloc
VirtualFree
VirtualProtect
InitializeSListHead
InterlockedPopEntrySList
InterlockedPushEntrySList
GetExitCodeProcess
InterlockedFlushSList
GetSystemInfo
GetLastError
ReadProcessMemory
GetCurrentProcess
Module32Next
CloseHandle
Module32First
GetCurrentProcessId
CreateToolhelp32Snapshot
GetTickCount
GetCurrentDirectoryW
MultiByteToWideChar
ExitThread
IsDebuggerPresent
AreFileApisANSI
GetModuleHandleExW
HeapFree
HeapAlloc
DecodePointer
EncodePointer
GetStringTypeW
CreateFileW
IsProcessorFeaturePresent
GetProcessHeap
HeapValidate
QueryPerformanceCounter
GetFullPathNameA
CreateThread
ExitProcess
ReleaseSemaphore
GetLocaleInfoA
CompareStringA
WideCharToMultiByte
GetVersionExA
GetSystemDirectoryA
lstrlenW
GlobalUnlock
GlobalLock
FreeLibrary
ReadFile
WriteFile
OutputDebugStringA
WinExec
GetCurrentThread
SetUnhandledExceptionFilter
CreateFileA
CreateFileMappingA
UnmapViewOfFile
MapViewOfFile
GetFileSize
CreateDirectoryA
FlushFileBuffers

user32

RegisterClassA
GetMenu
SetWindowTextA
MessageBoxA
LoadStringA
wvsprintfA
GetSystemMetrics
GetCapture
ChangeDisplaySettingsA
ReleaseCapture
SetCapture
SetCursorPos
SetCursor
ShowCursor
DestroyCursor
LoadImageA
GetKeyState
FlashWindowEx
SystemParametersInfoA
SetWindowPos
LoadIconA
FindWindowA
ScreenToClient
GetCursorPos
PostQuitMessage
GetAsyncKeyState
SetRect
OffsetRect
ClientToScreen
PeekMessageA
ReleaseDC
FillRect
GetDC
InvalidateRect
UnregisterClassA
DestroyWindow
IsWindow
MoveWindow
SetFocus
UpdateWindow
ShowWindow
GetClientRect
CreateWindowExA
RegisterClassExA
DefWindowProcA
AdjustWindowRectEx
GetWindowLongA
SetWindowLongA
LoadCursorA
GetMessageA
TranslateMessage
DispatchMessageA
GetKeyboardLayoutNameA
GetKeyboardLayout
OpenClipboard
CloseClipboard
GetClipboardData
CharNextW
CharNextExA
CharPrevExA

gdi32

SetBkMode
DeleteDC
TextOutA
CreateCompatibleDC
TextOutW
SetTextColor
StretchBlt
DeleteObject
CreateSolidBrush
SelectObject
GetTextExtentPoint32W
GetCharABCWidthsFloatW
CreateFontIndirectA
EnumFontFamiliesExA
GetStockObject
GetTextExtentPoint32A
CreateDIBSection
SetBkColor

ole32

CoInitializeEx
CoInitialize
CoUninitialize
CoCreateInstance

winmm

timeBeginPeriod
timeGetTime
timeEndPeriod
timeGetDevCaps

d3d8

Direct3DCreate8

python27

PyInt_FromLong
PyDict_Size
PyDict_Next
PyLong_AsLong
PyString_InternFromString
PyObject_GetAttrString
PyObject_GetAttr
PyCallable_Check
PyLong_AsLongLong
PyFloat_AsDouble
PyString_AsString
PyErr_BadArgument
PyErr_Print
PyObject_CallObject
PyNumber_Check
_Py_NoneStruct
PyModule_GetDict
PyErr_Fetch
Py_SetProgramName
Py_Initialize
Py_Finalize
PyRun_StringFlags
PyImport_AddModule
PyImport_ImportModule
PyArg_ParseTuple
PyDict_GetItemString
PyTuple_Size
PyModule_AddIntConstant
PyList_Append
PyString_FromString
PyList_New
PyInt_AsLong
PyTuple_GetItem
PyExc_RuntimeError
PyErr_SetString
Py_InitModule4
Py_BuildValue
PyTuple_SetItem
PyDict_SetItemString
PyDict_New
PyTuple_New
PyList_SetItem
PyErr_Clear

iphlpapi

GetAdaptersInfo

libcef

cef_string_multimap_free
cef_string_multimap_alloc
cef_string_multimap_append
cef_string_multimap_value
cef_string_multimap_key
cef_string_multimap_size
cef_string_map_append
cef_string_map_value
cef_string_map_key
cef_string_map_size
cef_string_list_append
cef_string_list_value
cef_string_list_size
cef_browser_host_create_browser
cef_command_line_get_global
cef_string_map_free
cef_string_map_alloc
cef_string_utf8_to_utf16
cef_string_utf16_clear
cef_string_utf8_clear
cef_string_utf16_to_utf8
cef_string_utf16_cmp
cef_v8context_get_current_context
cef_log
cef_api_hash
cef_string_utf16_set
cef_string_userfree_utf16_free
cef_string_list_alloc
cef_string_list_free
cef_register_extension
cef_execute_process
cef_initialize
cef_shutdown
cef_run_message_loop

imm32

ImmGetOpenStatus
ImmSetConversionStatus
ImmGetConversionStatus
ImmGetCandidateListW
ImmSetCompositionStringW
ImmGetCompositionStringW
ImmAssociateContext
ImmReleaseContext
ImmGetContext
ImmIsIME
ImmGetIMEFileNameA
ImmNotifyIME

devil

ilEnable
ilBindImage
ilGenImages
ilInit
ilSetPixels
ilTexImage
ilSave
ilShutDown
ilDeleteImages
ilCopyPixels
ilOriginFunc
ilConvertImage
ilGetInteger
ilLoad

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

imagehlp

GetTimestampForLoadedLibrary
StackWalk
EnumerateLoadedModules

granny2

_GrannyMeshIsRigid@4
_GrannyGetMeshVertexCount@4
_GrannyGetTotalTypeSize@4
_GrannyGetWorldPoseComposite4x4@8
_GrannyGetWorldPose4x4@8
_GrannyFreeWorldPose@4
_GrannyNewWorldPose@4
_GrannyFindBoneByName@12
_GrannyGetMeshBindingToBoneIndices@4
_GrannyFreeMeshBinding@4
_GrannyNewMeshBinding@12
_GrannyFreeModelInstance@4
_GrannyInstantiateModel@4
_GrannyGetWorldPoseComposite4x4Array@4
_GrannyFreeLocalPose@4
_GrannyNewLocalPose@4
_GrannyFreeControlOnceUnused@4
_GrannySampleModelAnimationsAccelerated@20
_GrannyFreeCompletedModelControls@4
_GrannySetModelClock@8
_GrannyGetSourceSkeleton@4
_GrannyGetFileInfo@4
_GrannyFreeFile@4
_GrannyFreeFileSection@8
_GrannyReadEntireFileFromMemory@8
_GrannyConvertSingleObject@20
_GrannyGetMeshIndexCount@4
_GrannyGetMaterialTextureByType@8
_GrannyCompleteControlAt@8
_GrannyControlIsComplete@4
_GrannyFreeControlIfComplete@4
_GrannyGetControlLoopCount@4
_GrannySetControlLoopCount@8
_GrannyGetControlSpeed@4
_GrannySetControlSpeed@8
_GrannyGetControlLocalDuration@4
_GrannySetControlEaseIn@8
_GrannySetControlEaseInCurve@28
_GrannySetControlEaseOut@8
_GrannySetControlEaseOutCurve@28
_GrannyGetControlRawLocalClock@4
_GrannySetControlRawLocalClock@8
_GrannyPlayControlledAnimation@12
_GrannyGetMeshTriangleGroupCount@4
_GrannyGetMeshTriangleGroups@4
_GrannyGetMeshVertexType@4
_GrannyCopyMeshVertices@12
_GrannyGetMeshVertices@4
_GrannyCopyMeshIndices@12
_GrannyDeformVertices@24
GrannyPNT332VertexType
_GrannyNewMeshDeformer@16
_GrannyFindMatchingMember@16
_GrannyFreeControl@4
_GrannyUpdateModelMatrix@20
_GrannyFreeMeshDeformer@4

mss32

_AIL_mem_free_lock@4
_AIL_start_sample@4
_AIL_stop_sample@4
_AIL_resume_sample@4
_AIL_set_file_callbacks@16
_AIL_end_sample@4
_AIL_set_sample_volume_pan@12
_AIL_set_sample_loop_count@8
_AIL_sample_status@4
_AIL_sample_volume_pan@12
_AIL_allocate_3D_sample_handle@4
_AIL_release_3D_sample_handle@4
_AIL_start_3D_sample@4
_AIL_stop_3D_sample@4
_AIL_resume_3D_sample@4
_AIL_end_3D_sample@4
_AIL_WAV_info@8
_AIL_decompress_ASI@24
_AIL_decompress_ADPCM@12
_AIL_file_type@8
_AIL_set_3D_sample_file@8
_AIL_set_3D_sample_volume@8
_AIL_set_3D_sample_loop_count@8
_AIL_3D_sample_status@4
_AIL_3D_sample_volume@4
_AIL_auto_update_3D_position@8
_AIL_open_digital_driver@16
_AIL_open_stream@12
_AIL_close_digital_driver@4
_AIL_enumerate_3D_providers@12
_AIL_open_3D_provider@4
_AIL_close_3D_provider@4
_AIL_open_3D_listener@4
_AIL_close_3D_listener@4
_AIL_set_3D_position@16
_AIL_set_3D_velocity@20
_AIL_set_3D_orientation@28
_AIL_startup@0
_AIL_shutdown@0
_AIL_set_redist_directory@4
_AIL_close_stream@4
_AIL_start_stream@4
_AIL_pause_stream@8
_AIL_set_stream_volume_levels@12
_AIL_stream_volume_levels@12
_AIL_set_stream_loop_count@8
_AIL_stream_status@4
_AIL_last_error@0
_AIL_allocate_sample_handle@4
_AIL_release_sample_handle@4
_AIL_init_sample@4
_AIL_set_sample_file@12
_AIL_file_read@8

speedtreert

?GetCollisionObject@CSpeedTreeRT@@QAEXIAAW4ECollisionObjectType@1@PAM1@Z
?GetCollisionObjectCount@CSpeedTreeRT@@QAEIXZ
?GetBoundingBox@CSpeedTreeRT@@QBEXPAM@Z
?GetCurrentError@CSpeedTreeRT@@SAPBDXZ
?SetTextureFlip@CSpeedTreeRT@@SAX_N@Z
?GetTextures@CSpeedTreeRT@@QBEXAAUSTextures@1@@Z
?GetGeometry@CSpeedTreeRT@@QAEXAAUSGeometry@1@KFFF@Z
?GetNumFrondLodLevels@CSpeedTreeRT@@QBEGXZ
?GetNumLeafLodLevels@CSpeedTreeRT@@QBEGXZ
?GetNumBranchLodLevels@CSpeedTreeRT@@QBEGXZ
?SetDropToBillboard@CSpeedTreeRT@@SAX_N@Z
?SetLodLevel@CSpeedTreeRT@@QAEXM@Z
?ComputeLodLevel@CSpeedTreeRT@@QAEXXZ
?SetLocalMatrices@CSpeedTreeRT@@QAEXII@Z
?SetFrondWindMethod@CSpeedTreeRT@@QAEXW4EWindMethod@1@@Z
?SetBranchWindMethod@CSpeedTreeRT@@QAEXW4EWindMethod@1@@Z
?SetLeafWindMethod@CSpeedTreeRT@@QAEXW4EWindMethod@1@@Z
?SetNumLeafRockingGroups@CSpeedTreeRT@@QAEXI@Z
?GetFrondMaterial@CSpeedTreeRT@@QBEPBMXZ
?GetLeafMaterial@CSpeedTreeRT@@QBEPBMXZ
?GetBranchMaterial@CSpeedTreeRT@@QBEPBMXZ
?SetFrondLightingMethod@CSpeedTreeRT@@QAEXW4ELightingMethod@1@@Z
?SetLeafLightingMethod@CSpeedTreeRT@@QAEXW4ELightingMethod@1@@Z
?SetBranchLightingMethod@CSpeedTreeRT@@QAEXW4ELightingMethod@1@@Z
?SetTreePosition@CSpeedTreeRT@@QAEXMMM@Z
?GetTreePosition@CSpeedTreeRT@@QBEPBMXZ
?SetTreeSize@CSpeedTreeRT@@QAEXMM@Z
?LoadTree@CSpeedTreeRT@@QAE_NPBEI@Z
?LoadTree@CSpeedTreeRT@@QAE_NPBD@Z
?MakeInstance@CSpeedTreeRT@@QAEPAV1@XZ
?Compute@CSpeedTreeRT@@QAE_NPBMI_N@Z
??3CSpeedTreeRT@@SAXPAX@Z
??2CSpeedTreeRT@@SAPAXI@Z
??1CSpeedTreeRT@@QAE@XZ
?SetLeafRockingState@CSpeedTreeRT@@QAEX_N@Z
?SetLodLimits@CSpeedTreeRT@@QAEXMM@Z
??0CSpeedTreeRT@@QAE@XZ
??1STextures@CSpeedTreeRT@@QAE@XZ
??0STextures@CSpeedTreeRT@@QAE@XZ
??1SGeometry@CSpeedTreeRT@@QAE@XZ
??0SGeometry@CSpeedTreeRT@@QAE@XZ
?SetCamera@CSpeedTreeRT@@SAXPBM0@Z
?SetLightAttributes@CSpeedTreeRT@@SAXIPBM@Z
?SetLightState@CSpeedTreeRT@@SAXI_N@Z
?SetNumWindMatrices@CSpeedTreeRT@@SAXI@Z
?SetWindStrength@CSpeedTreeRT@@QAEMMMM@Z
?SetTime@CSpeedTreeRT@@SAXM@Z

dinput8

DirectInput8Create

ws2_32

__WSAFDIsSet
closesocket
connect
ioctlsocket
recv
select
send
socket
WSAGetLastError
WSAStartup
WSACleanup
htons
inet_addr
gethostbyname
sendto

ddraw

DirectDrawCreate

advapi32

RegOpenKeyExA
RegQueryValueExA
RegOpenKeyA
CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
RegCreateKeyExW
RegCloseKey

shell32

SHGetSpecialFolderPathA

oleaut32

VariantClear
SysFreeString

Sections

.text
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 540KB - Virtual size: 539KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 189KB - Virtual size: 694KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data1
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 45KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 140KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c1c0149142054dac4085f1d3744c537f

Headers

DLL Characteristics

File Characteristics

Imports

runikanticheat

kernel32

user32

gdi32

ole32

winmm

d3d8

python27

iphlpapi

libcef

imm32

devil

version

imagehlp

granny2

mss32

speedtreert

dinput8

ws2_32

ddraw

advapi32

shell32

oleaut32

Sections

.text Size: 2.6MB - Virtual size: 2.6MB

.rdata Size: 540KB - Virtual size: 539KB

.data Size: 189KB - Virtual size: 694KB

.data1 Size: 2KB - Virtual size: 2KB

.rsrc Size: 45KB - Virtual size: 44KB

.reloc Size: 140KB - Virtual size: 140KB

.text
Size: 2.6MB - Virtual size: 2.6MB

.rdata
Size: 540KB - Virtual size: 539KB

.data
Size: 189KB - Virtual size: 694KB

.data1
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 45KB - Virtual size: 44KB

.reloc
Size: 140KB - Virtual size: 140KB