Windows Analysis Report
Calyciform.exe

Overview

General Information

Sample name:Calyciform.exe
Analysis ID:1554165
MD5:0b813c3349387a69277d7f8a0d20fe3d
SHA1:d0c4aa5fffba33d1f7c9c184cd3acb90f6a75650
SHA256:d2473f318c1386699bdd8442cfe5455d44e18ec23d4b2482ffc82c7c227ab9ad

Detection

GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Switches to a custom stack to bypass stack traces
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • Calyciform.exe (PID: 1676 cmdline: "C:\Users\user\Desktop\Calyciform.exe" MD5: 0B813C3349387A69277D7F8A0D20FE3D)
    • Calyciform.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\Calyciform.exe" MD5: 0B813C3349387A69277D7F8A0D20FE3D)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.130225753929.0000000002FAF000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000002.00000002.134606321221.000000000174F000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Calyciform.exe | ReversingLabs: Detection: 45%
Source: Calyciform.exe | Virustotal: Detection: 37%
Source: Calyciform.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Calyciform.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb source: Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source: Binary string: mshtml.pdbUGP source: Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source: C:\Users\user\Desktop\Calyciform.exe | Code function: 0_2_00405745 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405745
Source: C:\Users\user\Desktop\Calyciform.exe | Code function: 0_2_00406280 FindFirstFileA,FindClose,0_2_00406280
Source: C:\Users\user\Desktop\Calyciform.exe | Code function: 0_2_004026FE FindFirstFileA,0_2_004026FE
Source: global traffic | TCP traffic: 192.168.11.20:49771 -> 45.137.22.248:80
Source: unknown | TCP traffic detected without corresponding DNS query: 45.137.22.248 (reported 50 times)
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin#?_v
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin/?Kv
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin7?Sv
Source: Calyciform.exe, 00000002.00000002.134609519488.0000000002897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binJ
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binK?
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binM
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binS?
Source: Calyciform.exe, 00000002.00000002.134609519488.0000000002897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin_
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin_?
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binedvmbusRFCOMM
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binh
Source: Calyciform.exe, 00000002.00000002.134609519488.0000000002897000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binl
Source: Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: Calyciform.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Calyciform.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Calyciform.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Calyciform.exe | String found in binary or memory: http://s.symcd.com06
Source: Calyciform.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Calyciform.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Calyciform.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.gopher.ftp://ftp.
Source: Calyciform.exe, 00000002.00000001.129567935037.0000000000626000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: Calyciform.exe, 00000002.00000001.129567935037.00000000005F2000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Calyciform.exe, 00000002.00000001.129567935037.00000000005F2000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: Calyciform.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: Calyciform.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: Calyciform.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: C:\Users\user\Desktop\Calyciform.exe | Code function: 0_2_004051E2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004051E2
Source: C:\Users\user\Desktop\Calyciform.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\vmmouse.cat
Source: C:\Users\user\Desktop\Calyciform.exe | Code function: 0_2_004031E9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004031E9
Source: C:\Users\user\Desktop\Calyciform.exe | Code function: 0_2_00404A21 0_2_00404A21
Source: C:\Users\user\Desktop\Calyciform.exe | Code function: 0_2_6D6A1A9C 0_2_6D6A1A9C
Source: Calyciform.exe | Static PE information: invalid certificate
Source: classification engine | Classification label: mal68.troj.evad.winEXE@3/8@0/1
Source: C:\Users\user\Desktop\Calyciform.exe | Code function: 0_2_004044AE GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004044AE
Source: C:\Users\user\Desktop\Calyciform.exe | Code function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar,0_2_004020D1
Source: C:\Users\user\Desktop\Calyciform.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant
Source: C:\Users\user\Desktop\Calyciform.exe | File created: C:\Users\user\AppData\Local\Temp\nse9AF4.tmp
Source: Calyciform.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Calyciform.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Calyciform.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Calyciform.exe | File read: C:\Users\user\Desktop\Calyciform.exe
Source: unknown | Process created: C:\Users\user\Desktop\Calyciform.exe "C:\Users\user\Desktop\Calyciform.exe"
Source: C:\Users\user\Desktop\Calyciform.exe | Process created: C:\Users\user\Desktop\Calyciform.exe "C:\Users\user\Desktop\Calyciform.exe" (reported twice)
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: wintypes.dll (reported 3 times)
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Calyciform.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Data Obfuscation

Source: Yara match | File source: 00000000.00000002.130225753929.0000000002FAF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.134606321221.000000000174F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Calyciform.exe | Code function: 0_2_6D6A1A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_6D6A1A9C
Source: C:\Users\user\Desktop\Calyciform.exe | Code function: 0_2_6D6A2F20 push eax; ret 0_2_6D6A2F4E
Source: C:\Users\user\Desktop\Calyciform.exe | File created: C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp\System.dll
Source: C:\Users\user\Desktop\Calyciform.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant
Source: C:\Users\user\Desktop\Calyciform.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\Scrivano.Sek
Source: C:\Users\user\Desktop\Calyciform.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\Bluetooth Suite help_HUN.chm
Source: C:\Users\user\Desktop\Calyciform.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\Grundkoncept.Feh
Source: C:\Users\user\Desktop\Calyciform.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\anycollseq.c
Source: C:\Users\user\Desktop\Calyciform.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\list-drag-handle-symbolic.svg
Source: C:\Users\user\Desktop\Calyciform.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\user-idle.png
Source: C:\Users\user\Desktop\Calyciform.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\vmmouse.cat
Source: C:\Users\user\Desktop\Calyciform.exe | Process information set: NOOPENFILEERRORBOX (reported 3 times)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Calyciform.exe | API/Special instruction interceptor: Address: 37DE4BA
Source: C:\Users\user\Desktop\Calyciform.exe | API/Special instruction interceptor: Address: 1F7E4BA
Source: C:\Users\user\Desktop\Calyciform.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (reported twice)
Source: C:\Users\user\Desktop\Calyciform.exe | File opened: C:\Program Files\qga\qga.exe (reported twice)
Source: Calyciform.exe, 00000000.00000002.130224651433.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE0
Source: C:\Users\user\Desktop\Calyciform.exe | File opened / queried: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\vmmouse.cat
Source: C:\Users\user\Desktop\Calyciform.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp\System.dll
Source: C:\Users\user\Desktop\Calyciform.exe TID: 5572 | Thread sleep count: 106 > 30
Source: C:\Users\user\Desktop\Calyciform.exe TID: 5572 | Thread sleep time: -106000s >= -30000s
Source: C:\Users\user\Desktop\Calyciform.exe | Last function: Thread delayed (reported twice)
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: Calyciform.exe, 00000002.00000002.134609519488.0000000002897000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
Source: Calyciform.exe, 00000000.00000002.130224651433.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmmouse.cat
Source: vmmouse.cat.0.dr | Binary or memory string: VMware, Inc.
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: vmmouse.cat.0.dr | Binary or memory string: vmmouse.inf0E
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: Calyciform.exe, 00000000.00000002.130224651433.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Scrivano.SekBluetooth Suite help_HUN.chmGrundkoncept.Fehanycollseq.clist-drag-handle-symbolic.svguser-idle.pngvmmouse.cat%Omkomne52%\TheologicallySoftware\Energizingfireetageshusets
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Calyciform.exe, 00000000.00000002.130224651433.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\vmmouse.catK$9
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: Calyciform.exe, 00000000.00000002.130224651433.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe0
Source: vmmouse.cat.0.dr | Binary or memory string: vmmouse.sys0M
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWc
Source: C:\Users\user\Desktop\Calyciform.exe | API call chain: ExitProcess graph end node graph_0-4450
Source: C:\Users\user\Desktop\Calyciform.exe | API call chain: ExitProcess graph end node graph_0-4616
Source: C:\Users\user\Desktop\Calyciform.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Calyciform.exe | Code function: 0_2_0040643A LdrInitializeThunk,0_2_0040643A
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 311 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Process Injection | 12 Virtualization/Sandbox Evasion | LSASS Memory | 12 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 14 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop