Author Topic: Win32/Mebre flagged as Malicious at Hybrid Analysis  (Read 786 times)


Offline lichesssatrancturkiye

  • Jr. Member
  • **
  • Posts: 28
Win32/Mebre flagged as Malicious at Hybrid Analysis
« on: April 16, 2023, 08:49:56 PM »
https://www.hybrid-analysis.com/sample/bf989b510924dcf11e1a41e6173591fc5415db7dbaeaca56e39b15af2f8f7f5b/642863d0fa2aee297d0eae51
hXXps://wXw.mebre.com.tr/ This file is malware according to Hybrid. Locks screen at start. Probably it's spyware. Getting some data from users? (accused).
Thoughts? Is this a trojan or something?
Malicious thing:
  • Contains ability to reboot/shutdown the operating system (malicious thing for this program).

Suspicious Indicators (32):
Anti-Reverse Engineering
  • Possibly checks for known debuggers/analysis tools
General
  • Contains ability to find and load resources of a specific module
  • Reads configuration files (.ini files)
Installation/Persistence
  • Found a string that may be used as part of an injection method
  • Scans for the windows taskbar (may be used for explorer injection)
Network Related
  • Found potential IP address in binary/memory
Ransomware/Banking
  • Contains ability to update the user profile
Spyware/Information Retrieval
  • Calls an API typically used for keylogging
  • Calls an API typically used to retrieve information about the current system
  • Contains ability to read the host's architecture
  • Contains ability to retrieve the fully qualified path of module
System Destruction
  • Contains ability to remove directories
System Security
  • Adjusts debug privileges
  • Calls an API typically used to enable or disable privileges in the specified access token
  • Contains ability to adjust token privileges
  • Queries the display settings of system associated file extensions
Unusual Characteristics
  • Imports suspicious APIs
  • Installs hooks/patches the running process
Regards, Turkeytmfounder.
« Last Edit: April 17, 2023, 08:23:34 AM by lichesssatrancturkiye »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88159
  • No support PMs thanks
Re: Win32/Mebre flagged as Malicious at Hybrid Analysis
« Reply #2 on: April 16, 2023, 10:43:23 PM »
Please modify the active link to a site you consider malicious to prevent accidental exposure and/or promotion, e.g. hXXps://wXw.mebre.com.tr/

You can use the - Reporting a possible Malicious sample File or Website - https://www.avast.com/report-malicious-file.php to report to Avast.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.9.6082 (build 23.9.8494.792) UI 1.0.781/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33748
  • malware fighter
Re: Win32/Mebre flagged as Malicious at Hybrid Analysis
« Reply #3 on: April 18, 2023, 03:58:30 PM »
I get a Cloudflare landing error for that apparently malicious site.
Part of a probably unwanted (malicious) app.

Good you reported to Avast's.

Re-analysed URL does not seem to be flagged:
https://www.virustotal.com/gui/url/e84c37bcb43b822b7fea239e0d5e9998810638b9cac98bfa0af48b4fe62bceb1?nocache=1

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!