crab_rave_easier[.]7z

Sharing

Copy URL

Twitter E-mail

General

Target

crab_rave_easier.7z
Size

2.6MB
MD5

971a83e80090c6b06f07d19a5af6a3d7
SHA1

8fc15fb8935d95eda1879fb536d26ba9ec95a3f3
SHA256

805041a1d7e2aeddbfc55cd3567219685172c5f67a3082b0f70f7c7b9d93d14b
SHA512

cd1b0f5365070522c3baf9535bae2d8d0c199bab24612ae9bea4dcc841d4067bde4e7a6f9d1c10dcac0ba5125fa3cbf2021ebbf1a125d01073a5bf1f745a655b
SSDEEP

49152:ji0ACEUDOnvVhQQaT4BsR//G+YK1rFOSdo9+Sa39zaVBYt7bt5KgvHjEU+7dCb:GQGb7BaXbZ/u+Sq90M5bP7+7Mb

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/crab_rave_easier/ntcheckos.dll

Files

crab_rave_easier.7z
.7z

Password: infected
crab_rave_easier/company_financial_report_SAFE_NO_VIRUSES.csv.lnk
.lnk
crab_rave_easier/ntcheckos.dll
.dll windows:4 windows x64

38daeb13f9b302bdc0895b25145b954f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

advapi32

ConvertSidToStringSidW
ConvertStringSidToSidW
CopySid
CryptAcquireContextW
CryptDestroyKey
CryptImportKey
CryptReleaseContext
GetLengthSid
GetTokenInformation
GetUserNameW
IsValidSid
LookupAccountSidW
OpenProcessToken
RegCloseKey
RegEnumKeyExW
RegEnumValueW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryValueExW

bcrypt

BCryptCloseAlgorithmProvider
BCryptGenRandom
BCryptOpenAlgorithmProvider

crypt32

CertAddCertificateContextToStore
CertAddEncodedCTLToStore
CertAddEncodedCertificateToStore
CertCloseStore
CertCreateCertificateContext
CertDeleteCertificateFromStore
CertDuplicateCertificateChain
CertDuplicateCertificateContext
CertDuplicateStore
CertEnumCertificatesInStore
CertFreeCertificateChain
CertFreeCertificateContext
CertGetCertificateChain
CertGetCertificateContextProperty
CertGetEnhancedKeyUsage
CertOpenStore
CertSetCertificateContextProperty
CertVerifyCertificateChainPolicy
CertVerifyTimeValidity
CryptAcquireCertificatePrivateKey
CryptBinaryToStringA
CryptDecodeObjectEx
CryptEncodeObjectEx
CryptHashCertificate
CryptStringToBinaryA
PFXExportCertStore
PFXImportCertStore

iphlpapi

FreeMibTable
GetAdaptersAddresses
GetIfEntry2
GetIfTable2

kernel32

AcquireSRWLockExclusive
AcquireSRWLockShared
AddVectoredExceptionHandler
CancelIo
CancelIoEx
CloseHandle
CompareStringOrdinal
ConnectNamedPipe
CopyFileExW
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileMappingA
CreateFileW
CreateHardLinkW
CreateIoCompletionPort
CreateMutexA
CreateNamedPipeW
CreateProcessW
CreateRemoteThread
CreateSymbolicLinkW
CreateThread
CreateToolhelp32Snapshot
DeleteFileW
DeviceIoControl
DisconnectNamedPipe
DuplicateHandle
ExitProcess
FindClose
FindFirstFileW
FindNextFileW
FlushFileBuffers
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetCommandLineW
GetComputerNameExW
GetConsoleMode
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetDiskFreeSpaceExW
GetDriveTypeW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileType
GetFinalPathNameByHandleW
GetFullPathNameW
GetLastError
GetLogicalDrives
GetLogicalProcessorInformation
GetLogicalProcessorInformationEx
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetNamedPipeInfo
GetNativeSystemInfo
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetProcessId
GetProcessIoCounters
GetProcessTimes
GetQueuedCompletionStatusEx
GetStdHandle
GetSystemDirectoryW
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemTimes
GetTempPathW
GetTickCount64
GetVolumeInformationW
GetWindowsDirectoryW
GlobalMemoryStatusEx
HeapAlloc
HeapFree
HeapReAlloc
InitOnceBeginInitialize
InitOnceComplete
LoadLibraryA
LoadLibraryExA
LoadLibraryExW
LocalAlloc
LocalFree
MapViewOfFile
Module32FirstW
Module32NextW
MoveFileExW
OpenProcess
PostQueuedCompletionStatus
ProcessIdToSessionId
QueryPerformanceCounter
QueryPerformanceFrequency
ReadConsoleW
ReadFile
ReadFileEx
ReadProcessMemory
RegisterWaitForSingleObject
ReleaseMutex
ReleaseSRWLockExclusive
ReleaseSRWLockShared
RemoveDirectoryW
RtlCaptureContext
RtlLookupFunctionEntry
SetCurrentDirectoryW
SetEnvironmentVariableW
SetEvent
SetFileAttributesW
SetFileCompletionNotificationModes
SetFileInformationByHandle
SetFilePointerEx
SetFileTime
SetHandleInformation
SetLastError
SetThreadStackGuarantee
Sleep
SleepConditionVariableSRW
SleepEx
SwitchToThread
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryAcquireSRWLockExclusive
TryAcquireSRWLockShared
UnmapViewOfFile
VirtualAllocEx
VirtualProtectEx
VirtualQueryEx
WaitForMultipleObjects
WaitForSingleObject
WaitForSingleObjectEx
WakeAllConditionVariable
WakeConditionVariable
WriteConsoleW
WriteFile
WriteFileEx
WriteProcessMemory
DeleteCriticalSection
EnterCriticalSection
GetCurrentThreadId
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
RaiseException
RtlAddFunctionTable
RtlUnwindEx
RtlVirtualUnwind
SetUnhandledExceptionFilter
UnhandledExceptionFilter
VirtualProtect
VirtualQuery

ncrypt

NCryptFreeObject

netapi32

NetApiBufferFree
NetUserEnum
NetUserGetInfo
NetUserGetLocalGroups

ntdll

NtCancelIoFileEx
NtCreateFile
NtDeviceIoControlFile
NtQueryInformationProcess
NtQuerySystemInformation
RtlGetVersion
RtlNtStatusToDosError

ole32

CoCreateGuid
CoCreateInstance
CoInitializeEx
CoInitializeSecurity
CoSetProxyBlanket
CoUninitialize

oleaut32

GetErrorInfo
SetErrorInfo
SysAllocString
SysAllocStringLen
SysFreeString
SysStringLen
VariantClear

pdh

PdhAddEnglishCounterA
PdhAddEnglishCounterW
PdhCloseQuery
PdhCollectQueryData
PdhCollectQueryDataEx
PdhGetFormattedCounterValue
PdhOpenQueryA
PdhRemoveCounter

powrprof

CallNtPowerInformation

psapi

GetModuleFileNameExW
GetPerformanceInfo
GetProcessMemoryInfo

secur32

AcceptSecurityContext
AcquireCredentialsHandleA
ApplyControlToken
DecryptMessage
DeleteSecurityContext
EncryptMessage
FreeContextBuffer
FreeCredentialsHandle
InitializeSecurityContextW
LsaEnumerateLogonSessions
LsaFreeReturnBuffer
LsaGetLogonSessionData
QueryContextAttributesW

shell32

CommandLineToArgvW

userenv

GetUserProfileDirectoryW

ws2_32

WSACleanup
WSADuplicateSocketW
WSAGetLastError
WSAIoctl
WSAPoll
WSARecv
WSARecvFrom
WSASend
WSASendMsg
WSASendTo
WSASocketW
WSAStartup
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
getpeername
getsockname
getsockopt
ioctlsocket
listen
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

msvcrt

__iob_func
__setusermatherr
_amsg_exit
_errno
_initterm
_lock
_unlock
abort
calloc
free
fwrite
memcmp
memcpy
memmove
memset
pow
realloc
signal
strlen
strncmp
vfprintf
wcslen

Exports

Exports

DLLMain
NtCheckOSArchitecture

Sections

.text
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 145KB - Virtual size: 144KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 343KB - Virtual size: 343KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/4
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/19
Size: 512KB - Virtual size: 511KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/35
Size: 512B - Virtual size: 216B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/51
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/63
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/77
Size: 383KB - Virtual size: 383KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/89
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/102
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/113
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/124
Size: 511KB - Virtual size: 511KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

38daeb13f9b302bdc0895b25145b954f

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

bcrypt

crypt32

iphlpapi

kernel32

ncrypt

netapi32

ntdll

ole32

oleaut32

pdh

powrprof

psapi

secur32

shell32

userenv

ws2_32

msvcrt

Exports

Exports

Sections

.text Size: 3.8MB - Virtual size: 3.8MB

.data Size: 19KB - Virtual size: 18KB

.rdata Size: 1.0MB - Virtual size: 1.0MB

.pdata Size: 145KB - Virtual size: 144KB

.xdata Size: 343KB - Virtual size: 343KB

.bss Size: - Virtual size: 2KB

.edata Size: 512B - Virtual size: 104B

.idata Size: 13KB - Virtual size: 13KB

.CRT Size: 512B - Virtual size: 104B

.tls Size: 512B - Virtual size: 16B

.reloc Size: 33KB - Virtual size: 33KB

/4 Size: 2KB - Virtual size: 1KB

/19 Size: 512KB - Virtual size: 511KB

/35 Size: 512B - Virtual size: 216B

/51 Size: 1.1MB - Virtual size: 1.1MB

/63 Size: 14KB - Virtual size: 14KB

/77 Size: 383KB - Virtual size: 383KB

/89 Size: 3KB - Virtual size: 2KB

/102 Size: 1.2MB - Virtual size: 1.2MB

/113 Size: 19KB - Virtual size: 18KB

/124 Size: 511KB - Virtual size: 511KB

.text
Size: 3.8MB - Virtual size: 3.8MB

.data
Size: 19KB - Virtual size: 18KB

.rdata
Size: 1.0MB - Virtual size: 1.0MB

.pdata
Size: 145KB - Virtual size: 144KB

.xdata
Size: 343KB - Virtual size: 343KB

.bss
Size: - Virtual size: 2KB

.edata
Size: 512B - Virtual size: 104B

.idata
Size: 13KB - Virtual size: 13KB

.CRT
Size: 512B - Virtual size: 104B

.tls
Size: 512B - Virtual size: 16B

.reloc
Size: 33KB - Virtual size: 33KB

/4
Size: 2KB - Virtual size: 1KB

/19
Size: 512KB - Virtual size: 511KB

/35
Size: 512B - Virtual size: 216B

/51
Size: 1.1MB - Virtual size: 1.1MB

/63
Size: 14KB - Virtual size: 14KB

/77
Size: 383KB - Virtual size: 383KB

/89
Size: 3KB - Virtual size: 2KB

/102
Size: 1.2MB - Virtual size: 1.2MB

/113
Size: 19KB - Virtual size: 18KB

/124
Size: 511KB - Virtual size: 511KB