https://www.hybrid-analysis.com/sample/bf989b510924dcf11e1a41e6173591fc5415db7dbaeaca56e39b15af2f8f7f5b/642863d0fa2aee297d0eae51

Source site: hXXps://wXw.mebre.com.tr/

This file is malware according to Hybrid Analysis. It locks the screen at start. Probably it's spyware. Getting some data from users? (accused).
Thoughts? Is this a trojan or something?
Malicious indicator (1):
- Contains ability to reboot/shutdown the operating system
(This is the malicious thing flagged for this program.)

Suspicious indicators (32):

Anti-Reverse Engineering
- Possibly checks for known debuggers/analysis tools

General
- Contains ability to find and load resources of a specific module
- Reads configuration files (.ini files)

Installation/Persistence
- Found a string that may be used as part of an injection method
- Scans for the Windows taskbar (may be used for explorer injection)

Network Related
- Found potential IP address in binary/memory

Ransomware/Banking
- Contains ability to update the user profile

Spyware/Information Retrieval
- Calls an API typically used for keylogging
- Calls an API typically used to retrieve information about the current system
- Contains ability to read the host's architecture
- Contains ability to retrieve the fully qualified path of module

System Destruction
- Contains ability to remove directories

System Security
- Adjusts debug privileges
- Calls an API typically used to enable or disable privileges in the specified access token
- Contains ability to adjust token privileges
- Queries the display settings of system associated file extensions

Unusual Characteristics
- Imports suspicious APIs
- Installs hooks/patches the running process
Regards, Turkeytmfounder.