crab_rave_harder[.]7z

Resubmissions

29/10/2023, 04:07

231029-epqyssef31 7

29/10/2023, 04:02

231029-el5msaef3w 7

29/10/2023, 03:51

231029-eemhmaef21 7

Sharing

Copy URL Twitter E-mail

General

Target

crab_rave_harder.7z
Size

1.4MB
MD5

5f22acc368b5de5707a7fd59540bd89e
SHA1

6553f64a56c618edb69ba75947b5ab9c9554fb42
SHA256

202bfdcc80cdd9a43ea6f188dc9c0b06856d277002804099ca24427c861a2cd9
SHA512

8ace040f3d791e05ce680fb1261841fc44830ea95ddb3560f870104c2faacc05b745d130c649f9d0e676dc624b8e0bdd5bccd8903859054d2a652257748620fb
SSDEEP

24576:XWWNLQ1+2gZTLRP2ErVvTizXqmOG4w4ZQSkNnfCR4FxaR6xA0lGhilTWZCs8SUjj:XWg52gZ/t2s9a6jG4w4ZQS2DFIbecilZ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/crab_rave_harder/ntcheckos.dll

Files

crab_rave_harder.7z
.7z

Password: infected
crab_rave_harder/company_financial_report_SAFE_NO_VIRUSES.csv.lnk
.lnk
crab_rave_harder/ntcheckos.dll
.dll windows:4 windows x64

Password: infected

38daeb13f9b302bdc0895b25145b954f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

ConvertSidToStringSidW
ConvertStringSidToSidW
CopySid
CryptAcquireContextW
CryptDestroyKey
CryptImportKey
CryptReleaseContext
GetLengthSid
GetTokenInformation
GetUserNameW
IsValidSid
LookupAccountSidW
OpenProcessToken
RegCloseKey
RegEnumKeyExW
RegEnumValueW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryValueExW

bcrypt

BCryptCloseAlgorithmProvider
BCryptGenRandom
BCryptOpenAlgorithmProvider

crypt32

CertAddCertificateContextToStore
CertAddEncodedCTLToStore
CertAddEncodedCertificateToStore
CertCloseStore
CertCreateCertificateContext
CertDeleteCertificateFromStore
CertDuplicateCertificateChain
CertDuplicateCertificateContext
CertDuplicateStore
CertEnumCertificatesInStore
CertFreeCertificateChain
CertFreeCertificateContext
CertGetCertificateChain
CertGetCertificateContextProperty
CertGetEnhancedKeyUsage
CertOpenStore
CertSetCertificateContextProperty
CertVerifyCertificateChainPolicy
CertVerifyTimeValidity
CryptAcquireCertificatePrivateKey
CryptBinaryToStringA
CryptDecodeObjectEx
CryptEncodeObjectEx
CryptHashCertificate
CryptStringToBinaryA
PFXExportCertStore
PFXImportCertStore

iphlpapi

FreeMibTable
GetAdaptersAddresses
GetIfEntry2
GetIfTable2

kernel32

AcquireSRWLockExclusive
AcquireSRWLockShared
AddVectoredExceptionHandler
CancelIo
CancelIoEx
CloseHandle
CompareStringOrdinal
ConnectNamedPipe
CopyFileExW
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileMappingA
CreateFileW
CreateHardLinkW
CreateIoCompletionPort
CreateMutexA
CreateNamedPipeW
CreateProcessW
CreateRemoteThread
CreateSymbolicLinkW
CreateThread
CreateToolhelp32Snapshot
DeleteFileW
DeviceIoControl
DisconnectNamedPipe
DuplicateHandle
ExitProcess
FindClose
FindFirstFileW
FindNextFileW
FlushFileBuffers
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetCommandLineW
GetComputerNameExW
GetConsoleMode
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetDiskFreeSpaceExW
GetDriveTypeW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileType
GetFinalPathNameByHandleW
GetFullPathNameW
GetLastError
GetLogicalDrives
GetLogicalProcessorInformation
GetLogicalProcessorInformationEx
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetNamedPipeInfo
GetNativeSystemInfo
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetProcessId
GetProcessIoCounters
GetProcessTimes
GetQueuedCompletionStatusEx
GetStdHandle
GetSystemDirectoryW
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemTimes
GetTempPathW
GetTickCount64
GetVolumeInformationW
GetWindowsDirectoryW
GlobalMemoryStatusEx
HeapAlloc
HeapFree
HeapReAlloc
InitOnceBeginInitialize
InitOnceComplete
LoadLibraryA
LoadLibraryExA
LoadLibraryExW
LocalAlloc
LocalFree
MapViewOfFile
Module32FirstW
Module32NextW
MoveFileExW
OpenProcess
PostQueuedCompletionStatus
ProcessIdToSessionId
QueryPerformanceCounter
QueryPerformanceFrequency
ReadConsoleW
ReadFile
ReadFileEx
ReadProcessMemory
RegisterWaitForSingleObject
ReleaseMutex
ReleaseSRWLockExclusive
ReleaseSRWLockShared
RemoveDirectoryW
RtlCaptureContext
RtlLookupFunctionEntry
SetCurrentDirectoryW
SetEnvironmentVariableW
SetEvent
SetFileAttributesW
SetFileCompletionNotificationModes
SetFileInformationByHandle
SetFilePointerEx
SetFileTime
SetHandleInformation
SetLastError
SetThreadStackGuarantee
Sleep
SleepConditionVariableSRW
SleepEx
SwitchToThread
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryAcquireSRWLockExclusive
TryAcquireSRWLockShared
UnmapViewOfFile
VirtualAllocEx
VirtualProtectEx
VirtualQueryEx
WaitForMultipleObjects
WaitForSingleObject
WaitForSingleObjectEx
WakeAllConditionVariable
WakeConditionVariable
WriteConsoleW
WriteFile
WriteFileEx
WriteProcessMemory
DeleteCriticalSection
EnterCriticalSection
GetCurrentThreadId
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
RaiseException
RtlAddFunctionTable
RtlUnwindEx
RtlVirtualUnwind
SetUnhandledExceptionFilter
UnhandledExceptionFilter
VirtualProtect
VirtualQuery

ncrypt

NCryptFreeObject

netapi32

NetApiBufferFree
NetUserEnum
NetUserGetInfo
NetUserGetLocalGroups

ntdll

NtCancelIoFileEx
NtCreateFile
NtDeviceIoControlFile
NtQueryInformationProcess
NtQuerySystemInformation
RtlGetVersion
RtlNtStatusToDosError

ole32

CoCreateGuid
CoCreateInstance
CoInitializeEx
CoInitializeSecurity
CoSetProxyBlanket
CoUninitialize

oleaut32

GetErrorInfo
SetErrorInfo
SysAllocString
SysAllocStringLen
SysFreeString
SysStringLen
VariantClear

pdh

PdhAddEnglishCounterA
PdhAddEnglishCounterW
PdhCloseQuery
PdhCollectQueryData
PdhCollectQueryDataEx
PdhGetFormattedCounterValue
PdhOpenQueryA
PdhRemoveCounter

powrprof

CallNtPowerInformation

psapi

GetModuleFileNameExW
GetPerformanceInfo
GetProcessMemoryInfo

secur32

AcceptSecurityContext
AcquireCredentialsHandleA
ApplyControlToken
DecryptMessage
DeleteSecurityContext
EncryptMessage
FreeContextBuffer
FreeCredentialsHandle
InitializeSecurityContextW
LsaEnumerateLogonSessions
LsaFreeReturnBuffer
LsaGetLogonSessionData
QueryContextAttributesW

shell32

CommandLineToArgvW

userenv

GetUserProfileDirectoryW

ws2_32

WSACleanup
WSADuplicateSocketW
WSAGetLastError
WSAIoctl
WSAPoll
WSARecv
WSARecvFrom
WSASend
WSASendMsg
WSASendTo
WSASocketW
WSAStartup
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
getpeername
getsockname
getsockopt
ioctlsocket
listen
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

msvcrt

__iob_func
__setusermatherr
_amsg_exit
_errno
_initterm
_lock
_unlock
abort
calloc
free
fwrite
memcmp
memcpy
memmove
memset
pow
realloc
signal
strlen
strncmp
vfprintf
wcslen

Exports

Exports

DLLMain
NtCheckOSArchitecture

Sections

.text
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 145KB - Virtual size: 144KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 343KB - Virtual size: 343KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

38daeb13f9b302bdc0895b25145b954f

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

bcrypt

crypt32

iphlpapi

kernel32

ncrypt

netapi32

ntdll

ole32

oleaut32

pdh

powrprof

psapi

secur32

shell32

userenv

ws2_32

msvcrt

Exports

Exports

Sections

.text Size: 3.8MB - Virtual size: 3.8MB

.data Size: 19KB - Virtual size: 18KB

.rdata Size: 1.0MB - Virtual size: 1.0MB

.pdata Size: 145KB - Virtual size: 144KB

.xdata Size: 343KB - Virtual size: 343KB

.bss Size: - Virtual size: 2KB

.edata Size: 512B - Virtual size: 104B

.idata Size: 13KB - Virtual size: 13KB

.CRT Size: 512B - Virtual size: 104B

.tls Size: 512B - Virtual size: 16B

.reloc Size: 33KB - Virtual size: 33KB

.text
Size: 3.8MB - Virtual size: 3.8MB

.data
Size: 19KB - Virtual size: 18KB

.rdata
Size: 1.0MB - Virtual size: 1.0MB

.pdata
Size: 145KB - Virtual size: 144KB

.xdata
Size: 343KB - Virtual size: 343KB

.bss
Size: - Virtual size: 2KB

.edata
Size: 512B - Virtual size: 104B

.idata
Size: 13KB - Virtual size: 13KB

.CRT
Size: 512B - Virtual size: 104B

.tls
Size: 512B - Virtual size: 16B

.reloc
Size: 33KB - Virtual size: 33KB