As promised, prime crypt, a new crypting service available on HackForums.Net, was looked at by the Krabs Investigation Team. A sample of it was provided to us by a fellow malwarehuntermen (not to be confused with the Twitter user malwarehunterteam), and we shall put it under the critical lens of Bikini Bottom’s finest patties.

Sample information:

SHA256: cd71ed4ed74ada0b274364c3cd35435d8d0dda700a9757eec89756f72c93eff7
File size: 261.5 KB
File type: Generic CIL Executable

We begin by opening the sample in dnSpy and going to the entry point.

As we can see, quite a lot of junk code is employed. Scrolling down, one can spot certain oddities.

And finally, the last call.

Looking at the last call, it becomes rather obvious what’s going on.

So we break and dump the bytes of konze to get the second executable.

SHA256: ceac396e284c535be1e09765f8140f225989aa3df9c785599c579d965847636d
File size: 84.0 KB
File type: Generic CIL Executable

The file has 7 functions available:

The anti-debugging mechanism is quite honestly, laughable at best.

The main function’s body:

Once again, we break and dump, to get the final file.

SHA256: b2df25f38e857aa7128ea5006f2b4c75ecabf18383f13ff9bca40c80e25fdacf
File size: 54.5 KB
File type: MSIL Dll

The DLL name is surprisingly familiar, ClassLibrary1.

Where did I hear of this before? Oh right, the countless pastes that use the same pasted RunPE!

As expected, it is also filled with junk code.

However, since we already know from reversing the previous binaries that it is going to call the function Inj(), we shall jump straight into it. First in the exhibit: the cancerous sister-process based persistence (end process tree, anyone?).

Schtasks startup method:

Pasted, trashy, and very very very detected RunPE:

Removing the ZoneID with cmd because the coder is not capable of using the DeleteFile API (or any Windows API in general, for that matter).

Disabling UAC and Regedit in a totally undetected manner. No AVs ever thought about stopping this operation! Or did they?
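Every behaviour listed above is also a detection opportunity. As an added example (not code from the post or from the crypter), here is a small Python scanner that flags the UAC/Regedit policy writes and the schtasks-based startup entry in constructed Sysmon-style events; the flattened event layout, the sample paths and the task name are assumptions made for the example.

```python
import re

# Constructed sample events (not real telemetry) in a flattened
# "EventID|Image|Target|Details" layout loosely modelled on Sysmon
# event 13 (registry value set) and event 1 (process create).
SAMPLE_EVENTS = [
    "13|C:\\Users\\victim\\AppData\\Local\\Temp\\prime.exe|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA|DWORD (0x00000000)",
    "13|C:\\Users\\victim\\AppData\\Local\\Temp\\prime.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools|DWORD (0x00000001)",
    "1|C:\\Windows\\System32\\schtasks.exe||schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\victim\\AppData\\Local\\Temp\\prime.exe",
    "13|C:\\Windows\\System32\\svchost.exe|HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo\\Start|DWORD (0x00000002)",
    "1|C:\\Windows\\System32\\notepad.exe||notepad.exe readme.txt",
]

_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
_TR = re.compile(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', re.I)


def dword_value(details):
    """Parse the numeric value out of a Sysmon-style 'DWORD (0x...)' field."""
    m = _DWORD.search(details)
    return int(m.group(1), 16) if m else None


def persisted_binary(cmd):
    """Return the program a 'schtasks /create ... /tr <path>' line will launch."""
    m = _TR.search(cmd)
    return m.group(1) if m else None


def classify(event):
    """Map one event to (rule, affected binary) or None if it is benign."""
    event_id, image, target, details = event.split("|", 3)
    if event_id == "13":
        name = target.rsplit("\\", 1)[-1].lower()
        value = dword_value(details)
        if name == "enablelua" and value == 0:          # UAC switched off
            return ("uac_disabled", image)
        if name == "disableregistrytools" and value == 1:  # regedit blocked
            return ("regedit_disabled", image)
    elif event_id == "1":
        if image.lower().endswith("\\schtasks.exe") and "/create" in details.lower():
            return ("schtasks_persistence", persisted_binary(details) or image)
    return None


def scan(events):
    """Return every finding, in event order, for a list of flattened events."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for rule, binary in scan(SAMPLE_EVENTS):
        print(f"{rule:22} {binary}")
```

All three findings point back at the same dropped binary, which is the kind of correlation a HIPS rule would key on.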

The apex of this “coder”’s incompetence shows when he fails to disable PDB generation and instead chooses to hex-edit parts of the PDB path out of one executable.

But fails to do so in another.

Final verdict: utterly pasted trashware that will stand no chance against a modern HIPS engine, poorly coded crapware that nobody should buy. Mazekeen is an incompetent developer and should be treated as such. The initial sample is available on hybrid-analysis for all your download and viewing pleasure.