ID: 40923
Sample Name: HitmanPro Universal Crack (64 bit).exe
Cookbook: default.jbs
Time: 05:18:12
Date: 25/12/2017
Version: 20.0.0

Table of Contents

Table of Contents 2
Analysis Report 4
Overview 4
General Information 4
Detection 4
Confidence 4
Classification 5
Analysis Advice 5
Signature Overview 6
AV Detection: 6
Key, Mouse, Clipboard, Microphone and Screen Capturing: 6
Persistence and Installation Behavior: 6
Data Obfuscation: 6
Spreading: 6
System Summary: 6
HIPS / PFW / Operating System Protection Evasion: 7
Anti Debugging: 7
Analysis System Evasion: 7
Language, Device and Operating System Detection: 7
Behavior Graph 7
Simulations 8
Behavior and APIs 8
Antivirus Detection 8
Initial Sample 8
Dropped Files 8
Domains 8
Yara Overview 8
Initial Sample 8
PCAP (Network Traffic) 8
Dropped Files 8
Memory Dumps 8
Unpacked PEs 8
Joe Sandbox View / Context 8
IPs 9
Domains 9
ASN 9
Dropped Files 9
Screenshot 9
Startup 10
Created / dropped Files 10
Contacted Domains/Contacted IPs 10
Contacted Domains 10
Contacted IPs 10
Static File Info 10
General 10
File Icon 11
Static PE Info 11
General 11
Entrypoint Preview 11
Data Directories 12
Sections 12
Resources 13
Imports 13
Network Behavior 13
Code Manipulations 13
Statistics 13
System Behavior 13
Analysis Process: HitmanPro Universal Crack (64 bit).exe PID: 3256 Parent PID: 2948 13
General 13
File Activities 13
File Created 14
File Written 14
Disassembly 14
Code Analysis 14

Copyright Joe Security LLC 2017 Page 2 of 14

Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 40923
Start time: 05:18:12
Joe Sandbox Product: CloudBasic
Start date: 25.12.2017
Overall analysis duration: 0h 4m 50s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: HitmanPro Universal Crack (64 bit).exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: MAL
Classification: mal60.winEXE@1/2@0/0
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 39.8% (good quality ratio 39.1%); Quality average: 81.2%; Quality standard deviation: 24.5%
Cookbook Comments: Found application associated with file extension: .exe
Warnings: Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 60 | 0 - 100 | Report FP / FN | MAL

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |

Classification

[Classification diagram (image not captured). Categories on the chart: Ransomware, Miner, Spreading, Phishing, Evader, Banker, Exploiter, Trojan / Bot, Spyware, Adware. Scale: malicious / suspicious / clean.]

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend the observed behavior

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Signature Overview

• AV Detection
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• Persistence and Installation Behavior
• Data Obfuscation
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Language, Device and Operating System Detection

AV Detection:

Antivirus detection for dropped file

Antivirus detection for submitted file

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Persistence and Installation Behavior:

Drops PE files

Data Obfuscation:

Binary may include packed or encrypted code

Contains functionality to dynamically determine API calls

PE file contains an invalid checksum

Spreading:

Contains functionality to enumerate / list files inside a directory

System Summary:

Contains modern PE file flags such as dynamic base (ASLR) or NX

Classification label

Contains functionality to load and extract PE file embedded resources

Creates temporary files

PE file has an executable .text section and no other executable section

Reads software policies

Sample is known by Antivirus (Virustotal or Metascan)

Uses an in-process (OLE) Automation server

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Sample file is different than original file name gathered from version info

PE file has a writeable .text section

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Contains functionality to query system information

Program exit points

Contains functionality for execution timing, often used to detect debuggers

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Language, Device and Operating System Detection:

Contains functionality to query windows version

Behavior Graph

[Behavior graph (rendered image not captured). Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious.]

Graph contents:
ID: 40923
Sample: HitmanPro Universal...
Startdate: 25/12/2017
Architecture: WINDOWS
Score: 60
started: HitmanPro Universal... (process node, 2 dropped files)
dropped: dup2patcher.dll, PE32
dropped: bassmod.dll, PE32

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source | Detection | Cloud | Link
HitmanPro Universal Crack (64 bit).exe | 63% | virustotal | Browse
HitmanPro Universal Crack (64 bit).exe | 45% | metadefender | Browse

Dropped Files

Source | Detection | Cloud | Link
C:\Users\HERBBL~1\AppData\Local\Temp\bassmod.dll | 3% | virustotal | Browse
C:\Users\HERBBL~1\AppData\Local\Temp\bassmod.dll | 0% | metadefender | Browse
C:\Users\HERBBL~1\AppData\Local\Temp\dup2patcher.dll | 25% | virustotal | Browse

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\Users\HERBBL~1\AppData\Local\Temp\bassmod.dll | poweriso.6.x.patch.exe | 05418c503589319a46d7ba2cb95ac0905dd3223752ef31c5257339f4ef037850 | malicious | Browse |
C:\Users\HERBBL~1\AppData\Local\Temp\bassmod.dll | agiledotnet-patch.exe | 92225e5a84e8021a97a3e9b5b866e000075ab2653e12f4cb5e135259de556cc3 | malicious | Browse |
C:\Users\HERBBL~1\AppData\Local\Temp\bassmod.dll | Service Provider License.exe | 69909d397b447c084230aba457e10599425a6389bf52f3baf2530a656cfa47ad | malicious | Browse |
C:\Users\HERBBL~1\AppData\Local\Temp\bassmod.dll | GlassWire #U7eInjector #U7eUniversal Crack.exe | e448b5d6e0db6a837a9be4d0605298a720ac525a783302a21cfb09f08d77e54f | malicious | Browse |

Screenshot

Startup

System is w7
HitmanPro Universal Crack (64 bit).exe (PID: 3256 cmdline: 'C:\Users\user\Desktop\HitmanPro Universal Crack (64 bit).exe' MD5: C4433CA2721EADC9F423418B12702CF3)
cleanup

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\bassmod.dll
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 780D14604D49E3C634200C523DEF8351
SHA1: E208EF6F421D2260070A9222F1F918F1DE0A8EEB
SHA-256: 844EB66A10B848D3A71A8C63C35F0A01550A46D2FF8503E2CA8947978B03B4D2
SHA-512: A49C030F11DA8F0CDC4205C86BEC00653EC2F8899983CAD9D7195FD23255439291AAEC5A7E128E1A103EFD93B8566E86F15AF89EBA4EFEBF9DEBCE14A7A5564B
Malicious: false
Antivirus: virustotal, Detection: 3%, Browse
Antivirus: metadefender, Detection: 0%, Browse
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\dup2patcher.dll
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 4749BFF0E381AFCC30F3B4E2561DAF3A
SHA1: C09E868DFA1C2364F3896F73F78A59722EF5F88B
SHA-256: 0B613DF892AA456419CBEAD866F6E5D8FEFAC21F4BDDB3EB4EFAC7FB9DA2C3B6
SHA-512: C00BFA854B28D72050DFEB86B8D80C2CFAC55B211A5268AA4DD3DCE74E48FB369029BAC63F7F4BC5CE818DCFDD44D3E3E16847275F9B586CDF4EA30170E7D5C9
Malicious: true
Antivirus: virustotal, Detection: 25%, Browse
Reputation: low

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
TrID:
  Win32 Executable (generic) a (10002005/4) 99.96%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: HitmanPro Universal Crack (64 bit).exe
File size: 668672
MD5: c4433ca2721eadc9f423418b12702cf3
SHA1: e9a9804091d259c42f88c9b6e2b559452162d8f3
SHA256: e96512d95762f0394593a4d66387fe757c98923719fcf7fd5a835af16dd5fcee
SHA512: 20017217d949ad3737e505bd58dfc617d3c5f0ee94549898f1067d387785131de41a2c0ecb915c97205301134b1373dfaf54798c3f21b3a51d77dd137b7e3619
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... i.m.-...-.. .-...... ,...B...... -...<...B...,...B...,...B...,...Rich-...... PE..L...... P...... +......

File Icon

Static PE Info

General

Entrypoint: 0x40102b
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x50D4CDC2 [Fri Dec 21 20:59:46 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: dc73a9bd8de0fd640549c85ac4089b87

Entrypoint Preview

Instruction
call 00007F11ACCEDA5Ch
push 00000000h
call 00007F11ACCEDB5Ah
push ebp
mov ebp, esp
add esp, FFFFFBF4h
push esi
push edi
push ebx
push 00000000h
call 00007F11ACCEDB59h
mov dword ptr [00403030h], eax
mov dword ptr [ebp-08h], 00000000h
push 0000000Ah
push 00403000h
push 00000000h
call 00007F11ACCEDB33h
or eax, eax
je 00007F11ACCEDA73h
mov dword ptr [ebp-04h], eax
push dword ptr [ebp-04h]
push 00000000h
call 00007F11ACCEDB52h
mov dword ptr [ebp-0Ch], eax
push dword ptr [ebp-04h]
push 00000000h
call 00007F11ACCEDB39h
or eax, eax
je 00007F11ACCEDA55h
mov dword ptr [ebp-08h], eax
cmp dword ptr [ebp-08h], 00000000h
je 00007F11ACCEDA84h
push 00000004h
push 00001000h
push dword ptr [ebp-0Ch]
push 00000000h
call 00007F11ACCEDB2Dh
mov edi, eax
push dword ptr [ebp-0Ch]
push dword ptr [ebp-08h]
push edi
call 00007F11ACCEDB13h
mov dword ptr [ebp-08h], edi
push DEADBEEFh
push dword ptr [ebp-0Ch]
push dword ptr [ebp-08h]
call 00007F11ACCED994h
cmp dword ptr [ebp-08h], 00000000h
je 00007F11ACCEDA86h
lea eax, dword ptr [ebp-0000040Ch]
push eax
push 00000400h
call 00007F11ACCEDAD7h
push 00403004h
lea eax, dword ptr [ebp-0000040Ch]
push eax
call 00007F11ACCEDAEAh

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2050 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0xa274c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa7000 | 0x34 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1f6 | 0x200 | False | 0.70703125 | data | 5.06407990051 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x1d8 | 0x200 | False | 0.55859375 | data | 4.27063873433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x34 | 0x200 | False | 0.078125 | data | 0.568988040426 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0xa274c | 0xa2800 | False | 0.937427884615 | data | 7.98554537256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa7000 | 0x52 | 0x200 | False | 0.123046875 | data | 0.736046433021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x41f8 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x4660 | 0x988 | data | |
RT_ICON | 0x4fe8 | 0x25a8 | dBase IV DBT of `.DBF, blocks size 48, block length 9216, next free block index 40, 1st item "\004\004\004B\004\004\004B\004\004\004B\006\006\006B\007\007\007B\005\005\005D\005\005\005A\013\013\013\016" | |
RT_ICON | 0x7590 | 0x10a8 | data | |
RT_ICON | 0x8638 | 0x9544 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_RCDATA | 0x11b7c | 0x94800 | data | |
RT_GROUP_ICON | 0xa637c | 0x4c | MS Windows icon resource - 5 icons, 16x16, 256-colors | |
RT_MANIFEST | 0xa63c8 | 0x382 | XML document text | |

Imports

DLL | Import
kernel32.dll | DeleteFileA, ExitProcess, FindResourceA, FreeLibrary, GetModuleHandleA, GetProcAddress, GetTempPathA, LoadLibraryA, LoadResource, RtlMoveMemory, SizeofResource, VirtualAlloc, lstrcatA, CloseHandle, CreateFileA, FlushFileBuffers, WriteFile

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: HitmanPro Universal Crack (64 bit).exe PID: 3256 Parent PID: 2948

General

Start time: 05:18:18
Start date: 25/12/2017
Path: C:\Users\user\Desktop\HitmanPro Universal Crack (64 bit).exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\HitmanPro Universal Crack (64 bit).exe'
Imagebase: 0x755c0000
File size: 668672 bytes
MD5 hash: C4433CA2721EADC9F423418B12702CF3
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\HERBBL~1\AppData\Local\Temp\dup2patcher.dll | read attributes and synchronize and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 11A11A4 | CreateFileA

File Written

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Users\HERBBL~1\AppData\Local\Temp\dup2patcher.dll | unknown | 608256 | success or wait | 1 | 11A11C6 | WriteFile

Value (first bytes written, hex):
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
d6 62 64 99 92 03 0a ca 92 03 0a ca 92 03 0a ca
f1 21 20 ca 90 03 0a ca 6e 23 18 ca 94 03 0a ca
fd 75 96 ca 90 03 0a ca 92 03 0b ca ab 03 0a ca
1c 1c 19 ca cf 03 0a ca fd 75 94 ca 82 03 0a ca
fd 75 91 ca 93 03 0a ca fd 75 90 ca 93 03 0a ca
fd 75 97 ca 93 03 0a ca 52 69 63 68 92 03 0a ca
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05

Ascii: MZ...... @..... ...... !..L.!This program cannot be run in DOS mode....$...... bd...... ! .....n#...... u...... .....u...... u...... u...... u ...... Rich...... ...... PE..L..

Disassembly

Code Analysis
