crim[.]rar | Triage

Sharing

Copy URL Twitter E-mail

General

Target

crim.rar
Size

2.0MB
MD5

8e50009912d819c940044de4f46b2349
SHA1

b7ae0faa640161192fc1c1de7f208fdc213e27f5
SHA256

7b1ce97e49cd1763e484032aaffd293604a0db465ab29206f104aaa4f42553fd
SHA512

aa06f9cb4a69689d8344dd32e2d2974e2118e8b86111cbbbeaeb638fa0c3712ccf24e28887b8dbd410a291694dac9b9e4cc8e03be38f4f3439cd86cb0837f579
SSDEEP

49152:qITESANyxfD/v0XKYHaCDoPg+PqN/Do5PvW6NFPkQj+Y6:qITEv8T2JVoPTqJ6GcFPki6

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/crim.dll
unpack001/crim.exe

Files

crim.rar
.rar
crim.dll
.dll windows:6 windows x64 arch:x64

73d3057586c1eff9d5e0cc373b478411

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\Mark\Projects\C++\sugma-clicker\sugma-cheat\bin\x64\Release\sugma-cheat.pdb

Imports

winmm

PlaySoundW
PlaySoundA

kernel32

LockResource
CreateThread
LoadResource
GetCurrentProcessId
LoadLibraryA
QueryPerformanceFrequency
GetProcAddress
FreeLibrary
QueryPerformanceCounter
MultiByteToWideChar
GlobalAlloc
GlobalFree
GlobalLock
WideCharToMultiByte
GlobalUnlock
LoadLibraryW
FlushInstructionCache
VirtualProtect
HeapCreate
HeapDestroy
HeapAlloc
HeapReAlloc
HeapFree
GetCurrentProcess
GetCurrentThreadId
OpenThread
GetThreadContext
SetThreadContext
SuspendThread
ResumeThread
CloseHandle
GetModuleHandleW
CreateToolhelp32Snapshot
Thread32First
Thread32Next
DisableThreadLibraryCalls
VirtualFree
VirtualQuery
GetSystemInfo
HeapSize
CreateFileW
GetStringTypeW
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
GetFileSizeEx
GetConsoleOutputCP
WriteFile
FlushFileBuffers
ReadConsoleW
GetConsoleMode
SetFilePointerEx
GetFileType
GetStdHandle
LCMapStringW
Sleep
GetModuleHandleA
FindResourceA
SizeofResource
WriteConsoleW
SetEndOfFile
VirtualAlloc
WaitForSingleObjectEx
InitializeCriticalSectionEx
GetSystemTimeAsFileTime
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
CreateEventW
IsDebuggerPresent
RaiseException
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
InitializeSListHead
GetLastError
GetProcessHeap
RtlUnwindEx
RtlPcToFileHeader
InterlockedFlushSList
GetModuleFileNameW
LoadLibraryExW
SetLastError
EncodePointer
RtlUnwind
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
ReadFile
GetModuleHandleExW
ExitProcess

user32

EnumWindows
GetCursorPos
GetForegroundWindow
OpenClipboard
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData
GetKeyState
ScreenToClient
ClientToScreen
IsChild
LoadCursorW
SetCursor
GetClientRect
MessageBoxA
GetWindowThreadProcessId
CallWindowProcW
GetWindow
IsWindowVisible
SetWindowLongPtrW
SendMessageW
GetKeyNameTextA
GetAsyncKeyState
SetCursorPos

imm32

ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext

Sections

.text
Size: 678KB - Virtual size: 677KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 252KB - Virtual size: 252KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 37KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3.4MB - Virtual size: 3.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
crim.exe
.exe windows:6 windows x64 arch:x64

4e62a24f8e280284a25d06ae594e279c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Mark\Projects\C++\sugma-clicker\sugma-launcher\bin\x64\Release\sugma-launcher.pdb

Imports

ntdll

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext
NtWriteVirtualMemory
NtAllocateVirtualMemory

kernel32

GetCurrentProcess
WaitForSingleObject
GetModuleHandleA
OpenProcess
CloseHandle
GetProcAddress
GetModuleFileNameA
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleW
UnhandledExceptionFilter
InitializeSListHead
IsDebuggerPresent
CreateRemoteThread
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
TerminateProcess

user32

GetWindowTextA
GetWindowThreadProcessId
EnumWindows

advapi32

AdjustTokenPrivileges
OpenProcessToken
LookupPrivilegeValueW

msvcp140

?_Xlength_error@std@@YAXPEBD@Z
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memset
__current_exception_context
memchr
__current_exception
memmove
_CxxThrowException
__C_specific_handler
__std_exception_destroy
memcmp
memcpy
__std_exception_copy

api-ms-win-crt-stdio-l1-1-0

__p__commode
__stdio_common_vfprintf
_set_fmode
__acrt_iob_func

api-ms-win-crt-runtime-l1-1-0

__p___argc
_configure_narrow_argv
_initialize_narrow_environment
_register_thread_local_exe_atexit_callback
_register_onexit_function
_crt_atexit
terminate
_c_exit
_set_app_type
_cexit
_exit
__p___argv
_seh_filter_exe
exit
_invalid_parameter_noinfo_noreturn
_initterm_e
_initterm
_initialize_onexit_table
_get_initial_narrow_environment

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
free
_set_new_mode

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 672B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 80B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

73d3057586c1eff9d5e0cc373b478411

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

winmm

kernel32

user32

imm32

Sections

.text Size: 678KB - Virtual size: 677KB

.rdata Size: 252KB - Virtual size: 252KB

.data Size: 4KB - Virtual size: 11KB

.pdata Size: 37KB - Virtual size: 37KB

_RDATA Size: 512B - Virtual size: 244B

.rsrc Size: 3.4MB - Virtual size: 3.4MB

.reloc Size: 4KB - Virtual size: 3KB

4e62a24f8e280284a25d06ae594e279c

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

kernel32

user32

advapi32

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 8KB - Virtual size: 7KB

.rdata Size: 7KB - Virtual size: 6KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 1024B - Virtual size: 672B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 512B - Virtual size: 80B

.text
Size: 678KB - Virtual size: 677KB

.rdata
Size: 252KB - Virtual size: 252KB

.data
Size: 4KB - Virtual size: 11KB

.pdata
Size: 37KB - Virtual size: 37KB

_RDATA
Size: 512B - Virtual size: 244B

.rsrc
Size: 3.4MB - Virtual size: 3.4MB

.reloc
Size: 4KB - Virtual size: 3KB

.text
Size: 8KB - Virtual size: 7KB

.rdata
Size: 7KB - Virtual size: 6KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 1024B - Virtual size: 672B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 512B - Virtual size: 80B