Because of hardware issues, I’m currently running very limited analytics, as I’m currently unable to create a secure analytics environment. Therefore, this time I can only offer incomplete information regarding the following file. The file implements various Anti-VM techniques and succeeds very well with that.
The file has not been recognized by VT for several days! But despite my limited analysis capabilities, I’m pretty sure the file must be considered malicious.
Matched Yara Rules: crime_win_gamarue_andromeda_common_strings
Some suspicious/malicious indicators:
- Compiler: Visual C/C++ (19.00.24210)
- Packer: Overlay > zlib
- File has multiple binary anomalies:
  - The file doesn’t register any VersionInfo
  - File ignores Code Integrity
  - The file checksum is invalid > checksum: “0x00000000”
  - ImageBase is suspicious > Value in File > “5368709120”
  - Imports sensitive libraries > “Windows Socket 2.0 32-Bit DLL”
  - Contains other files > type: Flash, location: overlay, offset: “0x00275E6F”; type: Flash, location: overlay, offset: “0x004BA03B”; type: Flash, location: overlay, offset: “0x005EA293”
  - The file ratio of the overlay is suspicious > ratio: “95.98%”
- The file may be hiding some of its imports (GetProcAddress, LoadLibraryExW, LoadLibraryA)
- Reads data out of its own binary image
- Checks if being debugged
- Calls the “sleep function” many times
- Uses low-level APIs
- Enumerates local disk drives
- Leverages the raw socket API to access the Internet
- File was downloaded from an IP/domain known to propagate malicious content > hxxp://18.104.22.168/attach/get/■■■.exe > VirusTotal
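Several of the static indicators above (zero CheckSum field, the ImageBase value, a huge overlay, Flash containers found in that overlay) can be reproduced without any sandbox, which is useful when, as here, a secure analysis environment is not available. The script below is an added example written for this post; it is not the poster's code and not the output of the scanner quoted above. It parses the PE headers by hand with only the Python standard library, recomputes the header checksum with the usual word-folding algorithm, measures the overlay ratio, and scans the overlay for SWF magics (FWS/CWS/ZWS). The function names and the embedded sample are my own; the sample is a constructed minimal PE32+ image (0x200 bytes of headers, one section, a 9216-byte overlay carrying a zlib-SWF header), not the file discussed in the post.

```python
import struct

# SWF (Flash) container magics: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = {b"FWS": "Flash (uncompressed SWF)",
              b"CWS": "Flash (zlib-compressed SWF)",
              b"ZWS": "Flash (LZMA-compressed SWF)"}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the PE header CheckSum with the standard word-folding algorithm.
    The dword holding the stored CheckSum is skipped, so the result does not depend
    on whatever value the file currently carries in that field."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_offset:
            continue
        total = (total & 0xFFFFFFFF) + struct.unpack_from("<I", padded, i)[0] + (total >> 32)
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def triage(data: bytes) -> dict:
    """Parse DOS/COFF/optional/section headers and return the static indicators."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                  # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_offset = opt + 64                          # CheckSum sits at +64 in both formats
    checksum_field = struct.unpack_from("<I", data, checksum_offset)[0]
    checksum_computed = pe_checksum(data, checksum_offset)

    # The overlay is everything past the last byte claimed by the headers or any section.
    end_of_sections = struct.unpack_from("<I", data, opt + 60)[0]   # SizeOfHeaders
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = data[end_of_sections:]

    # Report every SWF header found in the overlay as (label, absolute file offset).
    embedded = []
    for magic_bytes, label in SWF_MAGICS.items():
        pos = overlay.find(magic_bytes)
        while pos != -1:
            embedded.append((label, end_of_sections + pos))
            pos = overlay.find(magic_bytes, pos + 1)
    embedded.sort(key=lambda e: e[1])

    if checksum_field == 0:
        status = "unset"          # field never filled in by the linker or deliberately zeroed
    elif checksum_field == checksum_computed:
        status = "valid"
    else:
        status = "invalid"
    return {"image_base": image_base, "checksum_offset": checksum_offset,
            "checksum_field": checksum_field, "checksum_computed": checksum_computed,
            "checksum_status": status, "overlay_size": len(overlay),
            "overlay_ratio": len(overlay) / len(data), "embedded": embedded}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image (not a real sample): 0x200 bytes of headers,
    one 0x200-byte .text section, then a 9216-byte overlay with a zlib-SWF header."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                     # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<HHIIIHH", hdr, coff, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<Q", hdr, opt + 24, 0x140000000)          # ImageBase (5368709120)
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)       # Section/File alignment
    struct.pack_into("<II", hdr, opt + 56, 0x2000, 0x200)       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 64, 0)                    # CheckSum left at zero
    struct.pack_into("<HH", hdr, opt + 68, 3, 0x8160)           # Subsystem, DllCharacteristics
    struct.pack_into("<I", hdr, opt + 108, 16)                  # NumberOfRvaAndSizes
    sect = opt + 240
    hdr[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sect + 8, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", hdr, sect + 36, 0x60000020)          # CODE|EXECUTE|READ
    section = bytes([0xC3]) * 0x200                             # RET-filled code section
    overlay = bytearray(9216)
    overlay[100:103] = b"CWS"                                   # SWF magic at file offset 1124
    return bytes(hdr) + section + bytes(overlay)


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

On a real file, read it in binary mode and pass the bytes to `triage`; the overlay ratio and the list of SWF offsets correspond directly to the "file ratio of the overlay" and "Contains other files" lines of the report, while the checksum status distinguishes a field that was simply never filled in (zero) from one that was altered after linking.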
I am very curious about the classification by a Comodo expert and in a few days my entire hardware should be ready for use again.