Static task: static1
Behavioral task: behavioral1
Sample: Sapphire Changer.rar
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: Sapphire Changer.rar
Resource: win10v2004-20240426-en
General
Target: Sapphire Changer.rar
Size: 845KB
MD5: 4e4ca1f409c21096b911aa3d8e6e3b70
SHA1: 488093b24c7f196b0f7fa98bbb2f8e674831d226
SHA256: 978efa63ca32998b5a889d60604a653590715f301bb304bb4ee4b228083fe8d9
SHA512: 1ea319c5208a633a772a9282e56b0753e6e9311e033f6bc969b332bdd7aaae265ab7c48d0846cf49654e3574c92404fc0c6304b6b8a584a476bce241f79f83c8
SSDEEP: 12288:ymuTmZUzYeJxPl4m4J9deL7BN76Ye8N+LiKuZyZDc2HX+M8UmknlI7D2bWSfsGmi:vHWzYeJxPgJ3e/T29Dggq23d9y7itsni
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource: unpack001/Skinchanger.exe
Files
Sapphire Changer.rar (rar)
Password: SAPPHIRE_PASS
Skinchanger.exe (exe; tags: windows:6, windows, x86, arch:x86)
Password: SAPPHIRE_PASS
MD5: 5b4e426f99228d0f9c53af64ea2a843a
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
GetEnvironmentVariableA
GetStdHandle
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
GetCurrentProcessId
SleepEx
CreateFileA
GetFileSizeEx
OutputDebugStringW
LocalFree
EnterCriticalSection
SetEvent
ResetEvent
CreateEventW
GetModuleHandleW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
MoveFileExA
LeaveCriticalSection
Sleep
GetSystemDirectoryA
GetTickCount
FormatMessageW
SetLastError
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
CreateThread
TerminateThread
QueryPerformanceCounter
VerifyVersionInfoW
FreeLibrary
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GlobalUnlock
WideCharToMultiByte
GlobalLock
IsDebuggerPresent
GlobalFree
GlobalAlloc
MultiByteToWideChar
CreateProcessA
CloseHandle
GetModuleHandleA
DeleteCriticalSection
GetLastError
GetTempPathA
WaitForSingleObjectEx
InitializeCriticalSectionEx
InitializeCriticalSectionAndSpinCount
ExpandEnvironmentStringsA
user32
AdjustWindowRectEx
GetWindowLongW
GetDesktopWindow
SetWindowTextW
GetKeyState
LoadCursorA
GetWindowRect
GetDC
MessageBoxA
UpdateWindow
RegisterClassExA
PostQuitMessage
SetWindowPos
TranslateMessage
CreateWindowExA
DefWindowProcA
ShowWindow
DestroyWindow
DispatchMessageA
SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
MonitorFromWindow
OpenClipboard
SetFocus
GetCursorPos
ReleaseDC
SetCursorPos
EnumDisplayMonitors
PeekMessageA
ScreenToClient
UnregisterClassA
IsIconic
SetForegroundWindow
ReleaseCapture
GetClientRect
SetWindowLongW
SetCursor
SetCapture
WindowFromPoint
GetCapture
SetWindowLongA
ClientToScreen
IsChild
GetMonitorInfoA
GetForegroundWindow
SetLayeredWindowAttributes
BringWindowToTop
gdi32
GetDeviceCaps
advapi32
CryptHashData
CryptEncrypt
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptCreateHash
CryptDestroyKey
CryptDestroyHash
CryptImportKey
shell32
ord155
SHGetKnownFolderPath
SHOpenFolderAndSelectItems
SHGetFolderPathA
SHParseDisplayName
oleaut32
SysAllocString
VariantClear
SysFreeString
msvcp140
_Xtime_get_ticks
_Query_perf_counter
_Thrd_sleep
_Query_perf_frequency
?_Xlength_error@std@@YAXPBD@Z
normaliz
IdnToAscii
ws2_32
WSAIoctl
setsockopt
WSACleanup
WSAStartup
WSASetLastError
socket
accept
bind
connect
getsockname
listen
htons
select
recv
getaddrinfo
freeaddrinfo
recvfrom
sendto
getpeername
ioctlsocket
htonl
gethostname
ntohs
WSAGetLastError
closesocket
WSAWaitForMultipleEvents
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
send
getsockopt
__WSAFDIsSet
crypt32
CertEnumCertificatesInStore
CertFreeCertificateChain
CertOpenStore
CertCloseStore
CertFreeCertificateChainEngine
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertGetCertificateChain
wldap32
ord26
ord27
ord32
ord33
ord35
ord79
ord30
ord200
ord301
ord217
ord46
ord22
ord211
ord60
ord45
ord50
ord143
ord41
d3d9
Direct3DCreate9
d3dx9_43
D3DXCreateTextureFromFileInMemoryEx
imm32
ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext
bcrypt
BCryptGenRandom
vcruntime140
_except_handler4_common
__current_exception_context
__current_exception
_CxxThrowException
memmove
memchr
memcpy
strrchr
memset
strchr
strstr
__std_terminate
__std_exception_copy
__std_exception_destroy
__CxxFrameHandler3
api-ms-win-crt-runtime-l1-1-0
_errno
__sys_errlist
__sys_nerr
_register_thread_local_exe_atexit_callback
_beginthreadex
_c_exit
_exit
_initterm_e
exit
_invalid_parameter_noinfo_noreturn
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
terminate
_seh_filter_exe
_set_app_type
_controlfp_s
_get_narrow_winmain_command_line
_initterm
api-ms-win-crt-stdio-l1-1-0
fputc
_set_fmode
_lseeki64
fgets
_open
__p__commode
fopen
feof
fflush
_read
_write
fputs
_close
fclose
__acrt_iob_func
__stdio_common_vsscanf
__stdio_common_vsprintf
fread
_wfopen
fwrite
fseek
ftell
api-ms-win-crt-heap-l1-1-0
_set_new_mode
malloc
_callnewh
realloc
calloc
free
api-ms-win-crt-filesystem-l1-1-0
_unlink
_access
_fstat64
remove
_stat64i32
_stat64
api-ms-win-crt-locale-l1-1-0
setlocale
_configthreadlocale
api-ms-win-crt-string-l1-1-0
strcspn
strncmp
_strdup
strpbrk
strspn
strncpy
api-ms-win-crt-utility-l1-1-0
qsort
api-ms-win-crt-convert-l1-1-0
wcstombs
strtoll
atoi
strtoul
strtol
api-ms-win-crt-time-l1-1-0
_time64
_gmtime64
strftime
api-ms-win-crt-math-l1-1-0
_libm_sse2_sin_precise
_fdopen
_libm_sse2_acos_precise
ceil
_libm_sse2_sqrt_precise
_libm_sse2_cos_precise
__setusermatherr
Sections
.text Size: 599KB - Virtual size: 598KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 86KB - Virtual size: 85KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 525KB - Virtual size: 526KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 142KB - Virtual size: 141KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 22KB - Virtual size: 22KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
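The "Unsigned PE" signature, the DLL/file characteristics and the section flags above all come from the PE headers alone. The following is an added example (not code from the sandbox or from the sample) of a minimal header parser that reproduces those checks without pefile: it locates the optional header, decodes DllCharacteristics, and tests whether the Attribute Certificate Table (data directory 4) is empty, which is what "checks for missing Authenticode signature" amounts to. The two PE images it inspects are constructed inline, header-only and shaped roughly like the Skinchanger.exe headers listed above; they are assumptions for offline testing, not bytes from the sample.

```python
import struct

# Data directory slot holding the Attribute Certificate Table (the Authenticode blob).
IMAGE_DIRECTORY_ENTRY_SECURITY = 4

FILE_CHARACTERISTICS = {0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
                        0x0100: "IMAGE_FILE_32BIT_MACHINE",
                        0x2000: "IMAGE_FILE_DLL"}
DLL_CHARACTERISTICS = {0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
                       0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
                       0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"}
SECTION_CHARACTERISTICS = {0x00000020: "IMAGE_SCN_CNT_CODE",
                           0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                           0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
                           0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                           0x40000000: "IMAGE_SCN_MEM_READ",
                           0x80000000: "IMAGE_SCN_MEM_WRITE"}


def _flags(value, table):
    return [name for bit, name in table.items() if value & bit]


def inspect_pe(data):
    """Parse the DOS/NT headers and section table; return the facts the report lists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) directly follows the 4-byte signature.
    _machine, nsections, _, _, _, opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:        # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both layouts
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    cert_off = cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories this entry holds a raw file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections, table = [], opt + opt_size
    for i in range(nsections):
        name, vsize, _, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": rawsize, "virtual_size": vsize,
                         "flags": _flags(chars, SECTION_CHARACTERISTICS)})
    return {"pe32plus": magic == 0x20B,
            "file_characteristics": _flags(file_chars, FILE_CHARACTERISTICS),
            "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
            # What the sandbox's "Unsigned PE" rule tests: no certificate table at all.
            "has_authenticode_blob": cert_off != 0 and cert_size != 0,
            "sections": sections}


def build_pe32(dll_chars, file_chars, sections, cert=(0, 0)):
    """Constructed header-only PE32 image for offline testing; it is not a runnable program."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    opt_size = 96 + 8 * 16
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, file_chars)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200)
    opt += struct.pack("<HHHHHHIIIIHH", 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x400, 0, 2, dll_chars)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = cert
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, 0x1000 * (i + 1),
                                 rs, 0x400 * (i + 1), 0, 0, 0, 0, fl)
                     for i, (n, vs, rs, fl) in enumerate(sections))
    return dos + b"PE\0\0" + file_hdr + opt + table


# Constructed images shaped like the Skinchanger.exe headers above (sizes approximate).
SAMPLE_SECTIONS = [(b".text", 0x95800, 0x95C00, 0x60000020),   # CODE | EXECUTE | READ
                   (b".data", 0x83800, 0x83400, 0xC0000040),   # INIT_DATA | READ | WRITE
                   (b".reloc", 0x5800, 0x5800, 0x42000040)]    # INIT_DATA | DISCARDABLE | READ
UNSIGNED = build_pe32(0x8140, 0x0102, SAMPLE_SECTIONS)
SIGNED = build_pe32(0x8140, 0x0102, SAMPLE_SECTIONS, cert=(0x9C000, 0x1A00))

if __name__ == "__main__":
    for label, image in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        r = inspect_pe(image)
        print(label, "certificate table present:", r["has_authenticode_blob"],
              "| DllCharacteristics:", ", ".join(r["dll_characteristics"]))
        for s in r["sections"]:
            print("   %-7s raw=%#x virt=%#x %s" % (s["name"], s["raw_size"],
                                                   s["virtual_size"], " ".join(s["flags"])))
```

Two caveats when reading the result. An empty certificate table proves the file is unsigned, but a non-empty one only proves a signature blob is attached; whether it is valid and chains to a trusted root needs a real verifier (on Windows, `Get-AuthenticodeSignature` or `signtool verify /pa`). And `DYNAMIC_BASE` / `NX_COMPAT` in the header are opt-ins the loader honours, so their presence here says nothing about what the code does once it runs.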