Edit tour

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.15881.18357.exe

Overview

General Information

Sample name:	SecuriteInfo.com.FileRepMalware.15881.18357.exe
Analysis ID:	1664658
MD5:	c37235367c898eca6efefd178b37073c
SHA1:	582d38d0486a0c07b1db43e869c763b1cf9c5209
SHA256:	dae238e356a89cd2b4ab0efa82eea9091ef45d172cd8421bfcce70672da80c23
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

GuLoader

Score:	54
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Joe Sandbox ML detected suspicious sample

Sigma detected: New RUN Key Pointing to Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

May check the online IP address of the machine

Sigma detected: CurrentVersion Autorun Keys Modification

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

SecuriteInfo.com.FileRepMalware.15881.18357.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe" MD5: C37235367C898ECA6EFEFD178B37073C)

SecuriteInfo.com.FileRepMalware.15881.18357.exe (PID: 2504 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe" MD5: C37235367C898ECA6EFEFD178B37073C)

OUTLOOK.EXE (PID: 2176 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding MD5: 91A5292942864110ED734005B7E005C0)

hormoner.exe (PID: 2704 cmdline: "C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe" MD5: C37235367C898ECA6EFEFD178B37073C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1953649569.0000000004403000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000012.00000002.3352574234.0000000004423000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: SecuriteInfo.com.FileRepMalware.15881.18357.exe PID: 2504	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe, ProcessId: 2504, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Rangerendes

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe, ProcessId: 2504, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Rangerendes

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2176, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\SearchToolbarsDisabled

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-14T16:33:09.537501+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49953	162.55.60.2	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-14T16:33:07.371692+0200	2803270	2	Potentially Bad Traffic	192.168.2.8	49952	192.210.150.28	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://showip.net/??	Avira URL Cloud: Label: malware
Source: http://showip.net/9?	Avira URL Cloud: Label: malware
Source: http://showip.net/y	Avira URL Cloud: Label: malware
Source: http://192.210.150.28/1/vRTpeEEAKb245.bin	Avira URL Cloud: Label: malware
Source: http://showip.net/_?	Avira URL Cloud: Label: malware
Source: http://showip.net/u?	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe	Virustotal: Detection: 37%			Perma Link
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe	ReversingLabs: Detection: 36%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 81.1%

Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000001.1952062684.0000000000649000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: mshtml.pdbUGP source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000001.1952062684.0000000000649000.00000020.00000001.01000000.0000000B.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Code function: 0_2_0040676F FindFirstFileW,FindClose,	0_2_0040676F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Code function: 0_2_00402902 FindFirstFileW,	0_2_00402902
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Code function: 0_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405B23
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Code function: 18_2_0040676F FindFirstFileW,FindClose,	18_2_0040676F
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Code function: 18_2_00402902 FindFirstFileW,	18_2_00402902
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Code function: 18_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	18_2_00405B23

Source: Joe Sandbox View

IP Address: 162.55.60.2 162.55.60.2

Source: unknown

DNS query: name: showip.net

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49952 -> 192.210.150.28:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49953 -> 162.55.60.2:80

Source: global traffic

HTTP traffic detected: GET /1/vRTpeEEAKb245.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0Host: 192.210.150.28Cache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /1/vRTpeEEAKb245.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0Host: 192.210.150.28Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net

Source: global traffic

DNS traffic detected: DNS query: showip.net

Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000002.3358243158.0000000006C70000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000002.3357702442.0000000005388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.28/1/vRTpeEEAKb245.bin
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 00000000.00000000.866327979.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 00000000.00000002.1952383081.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000000.1949137884.000000000040A000.00000008.00000001.01000000.00000003.sdmp, hormoner.exe, 00000012.00000000.2717590811.000000000040A000.00000008.00000001.01000000.0000000E.sdmp, hormoner.exe, 00000012.00000002.3342503466.000000000040A000.00000004.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628445006.0000000005403000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628348211.0000000005446000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schema.org
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000002.3357702442.0000000005388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/9?
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/??
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000002.3357702442.00000000053EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629642103.00000000053F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2630598353.00000000053F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/_?
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/u?
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000002.3357702442.0000000005388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/y
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000001.1952062684.0000000000649000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.maxmind.com
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000001.1952062684.00000000005F2000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000001.1952062684.00000000005F2000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628851188.000000000545D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628851188.000000000545D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629466331.000000000540D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000001.1952062684.0000000000649000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628445006.0000000005403000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628348211.0000000005446000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://showip.net/
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628445006.0000000005403000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628348211.0000000005446000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://showip.net/?checkip=
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://unpkg.com/leaflet
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628851188.000000000545D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628851188.000000000545D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628375909.0000000005430000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628445006.0000000005403000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628348211.0000000005446000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628416140.00000000053F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openstreetmap.org/copyright

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Code function: 0_2_004055B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004055B8

Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Code function: 0_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034C5
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Code function: 18_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		18_2_004034C5

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Code function: 0_2_00407458	0_2_00407458
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Code function: 0_2_6DCB1B5F	0_2_6DCB1B5F
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Code function: 18_2_00407458	18_2_00407458
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Code function: 18_2_5FF21B5F	18_2_5FF21B5F

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsfCF2A.tmp\System.dll 7A9DDEE34562CD3703F1502B5C70E99CD5BBA15DE2B6845A3555033D7F6CB2A5
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsqFB2B.tmp\System.dll 7A9DDEE34562CD3703F1502B5C70E99CD5BBA15DE2B6845A3555033D7F6CB2A5

Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal54.troj.spyw.evad.winEXE@5/21@1/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Code function: 0_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034C5
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Code function: 18_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		18_2_004034C5

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Code function: 0_2_00404858 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404858

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Code function: 0_2_004021A2 CoCreateInstance,

0_2_004021A2

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

File created: C:\Users\user\emergences.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

File created: C:\Users\user\AppData\Local\Temp\nsaF9E2.tmp

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2630081199.000000000547B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628851188.0000000005408000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2628851188.000000000540C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629582438.0000000005408000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe	Virustotal: Detection: 37%
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe "C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

File written: C:\Users\user\AppData\Local\Temp\Krlhaars\Nonsensibility23.ini

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Automated click: Next >
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Automated click: Next >
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Automated click: Next >

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000001.1952062684.0000000000649000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: mshtml.pdbUGP source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000001.1952062684.0000000000649000.00000020.00000001.01000000.0000000B.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.1953649569.0000000004403000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3352574234.0000000004423000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Code function: 0_2_6DCB1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6DCB1B5F

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	File created: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	File created: C:\Users\user\AppData\Local\Temp\nsqFB2B.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	File created: C:\Users\user\AppData\Local\Temp\nsfCF2A.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Rangerendes	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Rangerendes	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Rangerendes	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Rangerendes	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (58).png

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	API/Special instruction interceptor: Address: 4D07632
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	API/Special instruction interceptor: Address: 2057632

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	RDTSC instruction interceptor: First address: 4CC1265 second address: 4CC1265 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7B39142BDCh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F7B39142B38h 0x00000008 cmp eax, edx 0x0000000a cld 0x0000000b inc ebp 0x0000000c cmp cx, bx 0x0000000f inc ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	RDTSC instruction interceptor: First address: 2011265 second address: 2011265 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7B38F824ECh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F7B38F82448h 0x00000008 cmp eax, edx 0x0000000a cld 0x0000000b inc ebp 0x0000000c cmp cx, bx 0x0000000f inc ebx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	RDTSC instruction interceptor: First address: 4CE1265 second address: 4CE1265 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7B39142BDCh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F7B39142B38h 0x00000008 cmp eax, edx 0x0000000a cld 0x0000000b inc ebp 0x0000000c cmp cx, bx 0x0000000f inc ebx 0x00000010 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqFB2B.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsfCF2A.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Code function: 0_2_0040676F FindFirstFileW,FindClose,	0_2_0040676F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Code function: 0_2_00402902 FindFirstFileW,	0_2_00402902
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	Code function: 0_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405B23
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Code function: 18_2_0040676F FindFirstFileW,FindClose,	18_2_0040676F
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Code function: 18_2_00402902 FindFirstFileW,	18_2_00402902
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	Code function: 18_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	18_2_00405B23

Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 00000000.00000002.1953143356.0000000000658000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000002.3357702442.00000000053DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000002.3357702442.0000000005388000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 00000000.00000002.1953143356.0000000000658000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: SecuriteInfo.com.FileRepMalware.15881.18357.exe, 0000000C.00000003.2629848553.0000000005460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	API call chain: ExitProcess graph end node	graph_0-4163
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	API call chain: ExitProcess graph end node	graph_0-4314
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	API call chain: ExitProcess graph end node	graph_18-4315
Source: C:\Users\user\AppData\Local\Temp\frottering\hormoner.exe	API call chain: ExitProcess graph end node	graph_18-4164

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Code function: 0_2_6DCB1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6DCB1B5F

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Code function: 0_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034C5

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.15881.18357.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Jump to behavior

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.15881.18357.exe PID: 2504, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	1 OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Modify Registry	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	3 File and Directory Discovery	Distributed Component Object Model	1 Clipboard Data	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.FileRepMalware.15881.18357.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.15881.18357.exe