Crim[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Crim.zip
Size

2.7MB
MD5

a69661750c30be49247340fc8c523dd4
SHA1

5c5d59bb8e4f375f7c9415b3163182e5e8150507
SHA256

a0f39727d356ddb7105224b59966493dcb9486133f91a6e05dec1ccc4ba5f8c3
SHA512

99a0033e17f5fc615f8638742ce74d5d3f6bb54c020a289cff7c89530ca4408fe2e086c9ca181de0cf4086c03fd91396725bcefd190ec6085073da6a9ecd9c44
SSDEEP

49152:ePrN+LhzrghuPqsDxWzeZuiz8RRrmn29kfTvzt2fTNsin0ND2y2:wN+LBjSsDxRIq8zEikfDcfein0cl

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/crim/crim.dll
unpack001/crim/crim.exe

Files

Crim.zip
.zip
crim/crim.dll
.dll windows:6 windows x64 arch:x64

73d3057586c1eff9d5e0cc373b478411

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\Mark\Projects\C++\sugma-clicker\sugma-cheat\bin\x64\Release\sugma-cheat.pdb

Imports

winmm

PlaySoundW
PlaySoundA

kernel32

LockResource
CreateThread
LoadResource
GetCurrentProcessId
LoadLibraryA
QueryPerformanceFrequency
GetProcAddress
FreeLibrary
QueryPerformanceCounter
MultiByteToWideChar
GlobalAlloc
GlobalFree
GlobalLock
WideCharToMultiByte
GlobalUnlock
LoadLibraryW
FlushInstructionCache
VirtualProtect
HeapCreate
HeapDestroy
HeapAlloc
HeapReAlloc
HeapFree
GetCurrentProcess
GetCurrentThreadId
OpenThread
GetThreadContext
SetThreadContext
SuspendThread
ResumeThread
CloseHandle
GetModuleHandleW
CreateToolhelp32Snapshot
Thread32First
Thread32Next
DisableThreadLibraryCalls
VirtualFree
VirtualQuery
GetSystemInfo
HeapSize
CreateFileW
GetStringTypeW
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
GetFileSizeEx
GetConsoleOutputCP
WriteFile
FlushFileBuffers
ReadConsoleW
GetConsoleMode
SetFilePointerEx
GetFileType
GetStdHandle
LCMapStringW
Sleep
GetModuleHandleA
FindResourceA
SizeofResource
WriteConsoleW
SetEndOfFile
VirtualAlloc
WaitForSingleObjectEx
InitializeCriticalSectionEx
GetSystemTimeAsFileTime
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
CreateEventW
IsDebuggerPresent
RaiseException
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
InitializeSListHead
GetLastError
GetProcessHeap
RtlUnwindEx
RtlPcToFileHeader
InterlockedFlushSList
GetModuleFileNameW
LoadLibraryExW
SetLastError
EncodePointer
RtlUnwind
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
ReadFile
GetModuleHandleExW
ExitProcess

user32

EnumWindows
GetCursorPos
GetForegroundWindow
OpenClipboard
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData
GetKeyState
ScreenToClient
ClientToScreen
IsChild
LoadCursorW
SetCursor
GetClientRect
MessageBoxA
GetWindowThreadProcessId
CallWindowProcW
GetWindow
IsWindowVisible
SetWindowLongPtrW
SendMessageW
GetKeyNameTextA
GetAsyncKeyState
SetCursorPos

imm32

ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext

Sections

.text
Size: 678KB - Virtual size: 677KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 252KB - Virtual size: 252KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 37KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3.4MB - Virtual size: 3.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
crim/crim.exe
.exe windows:6 windows x64 arch:x64

4e62a24f8e280284a25d06ae594e279c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Mark\Projects\C++\sugma-clicker\sugma-launcher\bin\x64\Release\sugma-launcher.pdb

Imports

ntdll

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext
NtWriteVirtualMemory
NtAllocateVirtualMemory

kernel32

GetCurrentProcess
WaitForSingleObject
GetModuleHandleA
OpenProcess
CloseHandle
GetProcAddress
GetModuleFileNameA
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleW
UnhandledExceptionFilter
InitializeSListHead
IsDebuggerPresent
CreateRemoteThread
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
TerminateProcess

user32

GetWindowTextA
GetWindowThreadProcessId
EnumWindows

advapi32

AdjustTokenPrivileges
OpenProcessToken
LookupPrivilegeValueW

msvcp140

?_Xlength_error@std@@YAXPEBD@Z
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memset
__current_exception_context
memchr
__current_exception
memmove
_CxxThrowException
__C_specific_handler
__std_exception_destroy
memcmp
memcpy
__std_exception_copy

api-ms-win-crt-stdio-l1-1-0

__p__commode
__stdio_common_vfprintf
_set_fmode
__acrt_iob_func

api-ms-win-crt-runtime-l1-1-0

__p___argc
_configure_narrow_argv
_initialize_narrow_environment
_register_thread_local_exe_atexit_callback
_register_onexit_function
_crt_atexit
terminate
_c_exit
_set_app_type
_cexit
_exit
__p___argv
_seh_filter_exe
exit
_invalid_parameter_noinfo_noreturn
_initterm_e
_initterm
_initialize_onexit_table
_get_initial_narrow_environment

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
free
_set_new_mode

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 672B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 80B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

73d3057586c1eff9d5e0cc373b478411

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

winmm

kernel32

user32

imm32

Sections

.text Size: 678KB - Virtual size: 677KB

.rdata Size: 252KB - Virtual size: 252KB

.data Size: 4KB - Virtual size: 11KB

.pdata Size: 37KB - Virtual size: 37KB

_RDATA Size: 512B - Virtual size: 244B

.rsrc Size: 3.4MB - Virtual size: 3.4MB

.reloc Size: 4KB - Virtual size: 3KB

4e62a24f8e280284a25d06ae594e279c

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

kernel32

user32

advapi32

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 8KB - Virtual size: 7KB

.rdata Size: 7KB - Virtual size: 6KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 1024B - Virtual size: 672B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 512B - Virtual size: 80B

.text
Size: 678KB - Virtual size: 677KB

.rdata
Size: 252KB - Virtual size: 252KB

.data
Size: 4KB - Virtual size: 11KB

.pdata
Size: 37KB - Virtual size: 37KB

_RDATA
Size: 512B - Virtual size: 244B

.rsrc
Size: 3.4MB - Virtual size: 3.4MB

.reloc
Size: 4KB - Virtual size: 3KB

.text
Size: 8KB - Virtual size: 7KB

.rdata
Size: 7KB - Virtual size: 6KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 1024B - Virtual size: 672B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 512B - Virtual size: 80B