Overview

Analysis tabs (number shown beside each tab on the page):
- Static: 7
- EA Crypto ...T4.rar (windows10-2004-x64): 7
- EA Crypto ...r .ex4 (windows10-2004-x64): 7
- EA Crypto ...eX.jpg (windows10-2004-x64): 3
- EA Crypto ...eX.txt (windows10-2004-x64): 3
- EA Crypto ...or.jpg (windows10-2004-x64): 1
- EA Crypto ...32.zip (windows10-2004-x64): 3
- msimg32.dll (windows10-2004-x64): 1
- EA Crypto ...32.dll (windows10-2004-x64): 7
Analysis (7)

- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-04-2024 01:50
Behavioral tasks (task: sample, resource)

- behavioral1: EA Crypto Hunter v4.0 MT4.rar, win10v2004-20240226-en
- behavioral2: EA Crypto Hunter v4.0 MT4/Experts/EA Crypto Hunter .ex4, win10v2004-20240226-en
- behavioral3: EA Crypto Hunter v4.0 MT4/GNR-ForeX.jpg, win10v2004-20240226-en
- behavioral4: EA Crypto Hunter v4.0 MT4/GNR-ForeX.txt, win10v2004-20231215-en
- behavioral5: EA Crypto Hunter v4.0 MT4/Gendor.jpg, win10v2004-20240226-en
- behavioral6: EA Crypto Hunter v4.0 MT4/msimg32.dll - Build 1335-1350/msimg32.zip, win10v2004-20240226-en
- behavioral7: msimg32.dll, win10v2004-20240226-en
- behavioral8: EA Crypto Hunter v4.0 MT4/msimg32.dll - Build 1335-1350/msimg32/msimg32.dll, win10v2004-20240226-en
General

- Target: msimg32.dll
- Size: 5.4MB
- MD5: 229cbe613f201f8dcbc83ee7624bcd46
- SHA1: e80dbd2e0b8da3fb298c2b18090a83d113747c55
- SHA256: 0a43970711f968e2e733994a78052481ce7f9a6d0036d97b337a298352f5d089
- SHA512: 2faad3273da3cedcf682dce0306f3e01b6ad72a0efb5ecf7bd5c22d492022f5a53a29a661c096613c603227d8e817237412e97dd9faa740f47a7b24944217474
- SSDEEP: 98304:UXNseb8ajq86XShgsYb4dWgS8KOesO0KC/dYrLXYZ00fk6ouIbOC+:U3zOJYS4c4OdadYrUZ09eE
Malware Config
Signatures

- YARA matches (rule: vmprotect), resource:
  - behavioral7/memory/4748-0-0x0000000074680000-0x0000000074F38000-memory.dmp
  - behavioral7/memory/4748-2-0x0000000074680000-0x0000000074F38000-memory.dmp
  - behavioral7/memory/4748-4-0x0000000074680000-0x0000000074F38000-memory.dmp
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  - process: rundll32.exe, PID 4748
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - process: rundll32.exe, PID 4748 (4 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 3156 (rundll32.exe) wrote to memory of PID 4748 (rundll32.exe), 3 occurrences
Processes

1. C:\Windows\system32\rundll32.exe (PID 3156)
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\msimg32.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 4748), child of PID 3156
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\msimg32.dll,#1
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses