Basic Information:
------------------------------------------
Target OS: Windows
Target Arch: Intel 32-bit
File Type: PE32 Executable
Lang: C
Size: 1.2M
MD5SUM: e4b124fd84cc1c93020c29362c804b82
Test Environment:
- Hybrid Analysis
 \
  |--> CrowdStrike Falcon
  |--> MetaDefender
  |--> VirusTotal
------------------------------------------

Functions:
------------------------------------
- Registry
 \
  |--> RegOpenKeyExW
  |--> RegQueryInfoKeyW
  |--> RtlUnwind
  |--> RegQueryValueExW
  |--> RegCloseKey
  |--> RegCreateKeyExW
  |--> RegSetValueExW
  |--> RegDeleteKeyW
  |--> RegDeleteValueW
  |--> RegEnumKeyW
  |--> RegEnumKeyExW
  |--> CLSIDFromProgID

- File
 \
  |--> CreateFileA
  |--> CreateFileW
  |--> ReadFile
  |--> WriteFile
  |--> DeleteFileW
  |--> FindResourceW
  |--> LoadResource
  |--> FindNextFileW
  |--> SetFilePointer
  |--> GetSystemTimeAsFileTime
  |--> GetFileType
  |--> GetModuleFileNameW
  |--> GetModuleFileNameA
  |--> FlushFileBuffers
  |--> SetEndOfFile
  |--> SetFileAttributesW
  |--> GetFileAttributesW
  |--> GetFileSize
  |--> GetFileSizeEx
  |--> FindFirstFileW
  |--> GetFileVersionInfoSizeW
  |--> GetFileVersionInfoW
  |--> FindClose
  |--> PathCombineW

- Networking/Web
 \
  |--> ConnectNamedPipe
  |--> CreatePipe
  |--> DisconnectNamedPipe
  |--> InternetCloseHandle
  |--> InternetReadFile

- Process
 \
  |--> LocalFree
  |--> VirtualAlloc
  |--> CreateThread
  |--> GlobalAlloc
  |--> HeapAlloc
  |--> HeapFree
  |--> OpenProcess
  |--> EnumProcesses
  |--> GetProcAddress
  |--> ExitProcess
  |--> GetExitCodeProcess
  |--> TerminateProcess
  |--> GetProcessHeap
  |--> CreateProcessW
  |--> GetProcessWindowStation
  |--> GetCurrentProcessId
  |--> GetCurrentProcess
  |--> CorExitProcess
  |--> InitializeCriticalSection
  |--> InitializeCriticalSectionAndSpinCount
  |--> EnterCriticalSection
  |--> SetUnhandledExceptionFilter

- Handling modules/resources
 \
  |--> LoadLibraryA
  |--> LoadResource
  |--> LoadLibraryW
  |--> LoadLibraryExW
  |--> LoadStringW
  |--> GetModuleHandleA
  |--> GetModuleHandleW
  |--> InitCommonControlsEx

- Evasion/Bypassing
 \
  |--> IsDebuggerPresent
  |--> GetTickCount

- System/Persistence
 \
  |--> ShellExecuteW
  |--> ShellExecuteExW

- COMObject
 \
  |--> OleInitialize
  |--> CoInitialize
  |--> CoCreateInstance
  |--> CreateStreamOnHGlobal
  |--> CoUninitialize

- Cryptography
 \
  |--> EncodePointer
  |--> DecodePointer

- Information Gathering
 \
  |--> GetLocalTime
  |--> GetWindowThreadProcessId
  |--> BitBlt
  |--> GetDC
  |--> GetVersion
  |--> CreateToolhelp32Snapshot
  |--> FlsGetValue
  |--> GetUserObjectInformationA
  |--> GetCursorPos
  |--> GetStartupInfoA
  |--> GetStartupInfoW
  |--> TlsGetValue
  |--> GetCurrentThreadId
  |--> GetEnvironmentStringsW
  |--> GetCPInfo
  |--> GetACP
  |--> GetOEMCP
  |--> GetLocaleInfoA
  |--> GetStringTypeA
  |--> GetStringTypeW
  |--> VirtualQuery
  |--> CheckTokenMembership
  |--> GetSystemDefaultUILanguage
  |--> GetMonitorInfoW
  |--> GAIsProcessorFeaturePresent
  |--> IsProcessorFeaturePresent
  |--> GetCapture
  |--> GetSystemTime
------------------------------------

Abilities:
--------------------------------------------
- It uses evasion tricks against AVs
- It manipulates the Windows Registry
- It manipulates files
- It connects to malicious hosts to download malicious files
--------------------------------------------

Connections:
------------------------------------
- http://media-get.com
 \
  |--> Online
  |--> Redirects to https://mediaget.com

- http://www.adcash.com
 \
  |--> Online
  |--> Redirects to https://adcash.com/

- https://install.media-get.ru/index2.php
 \
  |--> Offline
  |--> This file probably installs malicious files from here
------------------------------------

Extracted URL Strings:
----------------------------------------------
- http://www.adcash.com/scr
- http://default-loader.ru/med
- http://cdn.playpw.com//spqk_pack/Pr
- http://legal.yandex.com.tr/browser_agreement/
- http://legal.yandex.ru/browser_agreement/
- http://legal.yandex.ru/desktop_software_agreement/
- http://legal.yandex.com.tr/desktop_software_agreement/
- http://247dns.com/user-agreement
- http://247dns.com/pol
- http://www.usertrust.com
- http://crl.usertrust.com/UTN-USERF
- http://ocsp.usertrust.com
- http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
- http://crl.comodoca.com/COMODOCodeS
- http://ocsp.comodoca.com
- https://secure.comodo.net/CPS0A
----------------------------------------------

Detected by:
------------------------------------
- VirusTotal
 \
  |--> 43/73

- Hybrid Analysis
 \
  |--> CrowdStrike Falcon
   \-> 70%
   /
  |--> MetaDefender
   \-> 34%
   /
  |--> VirusTotal
   \-> 58%

- Scan reports
 \
  |--> Hybrid Analysis
   \-> https://www.hybrid-analysis.com/sample/faa99774b3cca21695b74ea2ac90575faa7682fdcfaf4ffd4c4811802b047766
   \-> https://www.hybrid-analysis.com/sample/faa99774b3cca21695b74ea2ac90575faa7682fdcfaf4ffd4c4811802b047766/5ed402952948b97e8c540a23
   /
  |--> VirusTotal
   \-> https://www.virustotal.com/gui/file/faa99774b3cca21695b74ea2ac90575faa7682fdcfaf4ffd4c4811802b047766/detection
------------------------------------

Linked DLL Files:
------------------------------------
- kernel32.dll & KERNEL32.DLL
- USER32.DLL & USER32.dll
- ADVAPI32.dll
- COMCTL32.dll
- GDI32.dll
- ole32.dll
- OLEAUT32.dll
- PSAPI.DLL
- SHELL32.dll
- SHLWAPI.dll
- VERSION.dll
- WININET.dll
------------------------------------

Tools Used During Tests:
----------------------------------------------
- Qu1cksc0pe
 \
  |--> https://github.com/CYB3RMX/Qu1cksc0pe

- Sandbox Environments
 \
  |--> https://www.virustotal.com
  |--> https://www.hybrid-analysis.com

- Strings
- Rabin2
----------------------------------------------
