
Analysis Report Payment Invoice#5638.scr

Overview

General Information

Sample Name: Payment Invoice#5638.scr (renamed file extension from scr to exe)
Analysis ID: 297374
MD5: 1cd212ef2cc038492735ee828fcebe25
SHA1: 9e236ed52518e1a957d6649b8a4c115c9cc8971d
SHA256: ed384b7f5efea452a5c23b8c68dc7ed07178b4f6f4162b04448118ee2b5ef684
Tags: GuLoader, scr

Detection

AveMaria, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected AveMaria stealer
Yara detected Generic Dropper
Yara detected GuLoader
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • Payment Invoice#5638.exe (PID: 6672 cmdline: 'C:\Users\user\Desktop\Payment Invoice#5638.exe' MD5: 1CD212EF2CC038492735EE828FCEBE25)
    • Payment Invoice#5638.exe (PID: 6884 cmdline: 'C:\Users\user\Desktop\Payment Invoice#5638.exe' MD5: 1CD212EF2CC038492735EE828FCEBE25)
      • cmd.exe (PID: 6944 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000003.243465482.0000000000AAE000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x2378:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x2378:$c1: Elevation:Administrator!new:
00000002.00000003.243558636.0000000000AB9000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x2aaa8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x2aaa8:$c1: Elevation:Administrator!new:
00000002.00000003.243558636.0000000000AB9000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000002.00000003.243525430.0000000000AA8000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000002.00000003.243411103.0000000000ACC000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x17aa8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x17aa8:$c1: Elevation:Administrator!new:

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Payment Invoice#5638.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Payment Invoice#5638.exe | Virustotal: Detection: 29%
Source: Payment Invoice#5638.exe | ReversingLabs: Detection: 37%
Yara detected AveMaria stealer
Source: Yara match | File source: 00000002.00000003.243558636.0000000000AB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.243525430.0000000000AA8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.243411103.0000000000ACC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.243666132.0000000000AA8000.00000004.00000001.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 103.199.17.61:5200
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 103.199.17.61
Source: unknown | DNS traffic detected: queries for: mscni.org
Source: Payment Invoice#5638.exe, 00000002.00000002.484798968.0000000000A6A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Payment Invoice#5638.exe, 00000002.00000002.484828791.0000000000A87000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Payment Invoice#5638.exe, 00000002.00000002.484828791.0000000000A87000.00000004.00000001.sdmp | String found in binary or memory: http://crl.usertrust.ce
Source: Payment Invoice#5638.exe, 00000002.00000002.484798968.0000000000A6A000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Payment Invoice#5638.exe, 00000002.00000002.484798968.0000000000A6A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Payment Invoice#5638.exe, 00000002.00000002.484798968.0000000000A6A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0#
Source: Payment Invoice#5638.exe, 00000002.00000003.243558636.0000000000AB9000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: Payment Invoice#5638.exe, 00000002.00000002.484189378.00000000006B0000.00000040.00000001.sdmp | String found in binary or memory: https://mscni.org/hk_qfIvrO18.bin
Source: Payment Invoice#5638.exe, 00000002.00000002.484798968.0000000000A6A000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: Payment Invoice#5638.exe, 00000002.00000003.243558636.0000000000AB9000.00000004.00000001.sdmp | Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match | File source: 00000002.00000003.243558636.0000000000AB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.243525430.0000000000AA8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.243411103.0000000000ACC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.243666132.0000000000AA8000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: Payment Invoice#5638.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Payment Invoice#5638.exe
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B002F2 EnumWindows,NtSetInformationThread,TerminateProcess,0_2_02B002F2
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B02AFA NtSetInformationThread,TerminateProcess,LdrInitializeThunk,LoadLibraryA,0_2_02B02AFA
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B04AC5 NtProtectVirtualMemory,0_2_02B04AC5
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B04E89 NtSetInformationThread,TerminateProcess,NtResumeThread,0_2_02B04E89
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B03CBC NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,0_2_02B03CBC
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B03D4B NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,0_2_02B03D4B
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B04297 NtWriteVirtualMemory,0_2_02B04297
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B03A7E NtSetInformationThread,TerminateProcess,0_2_02B03A7E
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B03BFA NtWriteVirtualMemory,0_2_02B03BFA
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B00373 NtSetInformationThread,TerminateProcess,0_2_02B00373
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B00341 NtSetInformationThread,TerminateProcess,0_2_02B00341
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B00000 NtSetInformationThread,TerminateProcess,0_2_02B00000
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B0206E NtWriteVirtualMemory,0_2_02B0206E
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B05056 NtResumeThread,0_2_02B05056
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B01049 NtSetInformationThread,TerminateProcess,0_2_02B01049
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B011C6 NtSetInformationThread,TerminateProcess,0_2_02B011C6
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B05165 NtResumeThread,0_2_02B05165
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B04EB5 NtResumeThread,0_2_02B04EB5
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B04E8F NtResumeThread,0_2_02B04E8F
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B04EDC NtResumeThread,0_2_02B04EDC
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B01E76 NtWriteVirtualMemory,0_2_02B01E76
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B04FB2 NtResumeThread,0_2_02B04FB2
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B04F85 NtResumeThread,0_2_02B04F85
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B04F35 NtResumeThread,0_2_02B04F35
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B04F11 NtResumeThread,0_2_02B04F11
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B01F71 NtWriteVirtualMemory,0_2_02B01F71
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B04F5E NtResumeThread,0_2_02B04F5E
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B01CBC NtWriteVirtualMemory,0_2_02B01CBC
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B03C37 NtWriteVirtualMemory,0_2_02B03C37
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B0459F NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,0_2_02B0459F
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B01D88 NtWriteVirtualMemory,0_2_02B01D88
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B2AFA NtSetInformationThread,NtProtectVirtualMemory,LoadLibraryA,2_2_006B2AFA
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B02F2 EnumWindows,NtSetInformationThread,2_2_006B02F2
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B4AC5 NtProtectVirtualMemory,2_2_006B4AC5
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B4E89 NtSetInformationThread,NtSetInformationThread,2_2_006B4E89
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B3D4B NtSetInformationThread,2_2_006B3D4B
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B3A7E NtSetInformationThread,2_2_006B3A7E
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B1049 NtSetInformationThread,2_2_006B1049
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B5056 NtSetInformationThread,2_2_006B5056
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B0000 NtSetInformationThread,2_2_006B0000
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B08EA NtProtectVirtualMemory,2_2_006B08EA
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B4EDC NtSetInformationThread,2_2_006B4EDC
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B08D6 NtProtectVirtualMemory,2_2_006B08D6
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B3CBC NtSetInformationThread,2_2_006B3CBC
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B4EB5 NtSetInformationThread,2_2_006B4EB5
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B4E8F NtSetInformationThread,2_2_006B4E8F
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B5165 NtSetInformationThread,2_2_006B5165
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B0373 NtSetInformationThread,2_2_006B0373
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B0973 NtProtectVirtualMemory,2_2_006B0973
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B0341 NtSetInformationThread,2_2_006B0341
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B4F5E NtSetInformationThread,2_2_006B4F5E
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B0933 NtProtectVirtualMemory,2_2_006B0933
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B4F35 NtSetInformationThread,2_2_006B4F35
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B091F NtProtectVirtualMemory,2_2_006B091F
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B4F11 NtSetInformationThread,2_2_006B4F11
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B11C6 NtSetInformationThread,2_2_006B11C6
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B09A9 NtProtectVirtualMemory,2_2_006B09A9
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B4FB2 NtSetInformationThread,2_2_006B4FB2
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B4F85 NtSetInformationThread,2_2_006B4F85
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B459F NtSetInformationThread,2_2_006B459F
Source: Payment Invoice#5638.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment Invoice#5638.exe | Binary or memory string: OriginalFilename vs Payment Invoice#5638.exe
Source: Payment Invoice#5638.exe, 00000000.00000002.234477457.0000000000425000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDerma.exe vs Payment Invoice#5638.exe
Source: Payment Invoice#5638.exe | Binary or memory string: OriginalFilename vs Payment Invoice#5638.exe
Source: Payment Invoice#5638.exe, 00000002.00000002.489602713.000000001D990000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Payment Invoice#5638.exe
Source: Payment Invoice#5638.exe, 00000002.00000001.234332320.0000000000400000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMSHTML.TLBD vs Payment Invoice#5638.exe
Source: Payment Invoice#5638.exe, 00000002.00000002.489563560.000000001D900000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Payment Invoice#5638.exe
Source: Payment Invoice#5638.exe, 00000002.00000002.490014139.000000001DD8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDerma.exe vs Payment Invoice#5638.exe
Source: Payment Invoice#5638.exe | Binary or memory string: OriginalFilenameDerma.exe vs Payment Invoice#5638.exe
Source: 00000002.00000003.243465482.0000000000AAE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000002.00000003.243558636.0000000000AB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000002.00000003.243411103.0000000000ACC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@6/0@1/2
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | File created: C:\Program Files\Microsoft DN1
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | File created: C:\Users\user\AppData\Local\Microsoft Vision\
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | File created: C:\Users\user\AppData\Local\Temp\~DF739584D7F9033847.TMP
Source: Payment Invoice#5638.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Payment Invoice#5638.exe | Virustotal: Detection: 29%
Source: Payment Invoice#5638.exe | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | File read: C:\Users\user\Desktop\Payment Invoice#5638.exe
Source: unknown | Process created: C:\Users\user\Desktop\Payment Invoice#5638.exe 'C:\Users\user\Desktop\Payment Invoice#5638.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Payment Invoice#5638.exe 'C:\Users\user\Desktop\Payment Invoice#5638.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Process created: C:\Users\user\Desktop\Payment Invoice#5638.exe 'C:\Users\user\Desktop\Payment Invoice#5638.exe'
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Directory created: C:\Program Files\Microsoft DN1

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: Payment Invoice#5638.exe PID: 6672, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Invoice#5638.exe PID: 6884, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: Payment Invoice#5638.exe PID: 6672, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Invoice#5638.exe PID: 6884, type: MEMORY
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B3BD2 LoadLibraryA,GetProcAddress,2_2_006B3BD2
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_00418089 push dword ptr [ecx-3C004E4Fh]; ret 0_2_00418099

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts
Source: Payment Invoice#5638.exe, 00000002.00000003.243558636.0000000000AB9000.00000004.00000001.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
      Source: Payment Invoice#5638.exe, 00000002.00000003.243558636.0000000000AB9000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Payment Invoice#5638.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | RDTSC instruction interceptor: First address: 0000000002B02B5B second address: 0000000002B039E0 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov edx, 95F3A792h 0x00000008 call 00007FBEA0B44511h 0x0000000d push esi 0x0000000e jmp 00007FBEA0B436E2h 0x00000010 test ah, ah 0x00000012 push edx 0x00000013 pushad 0x00000014 mov edi, 000000A6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | RDTSC instruction interceptor: First address: 0000000002B02BBF second address: 0000000002B039E0 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov edx, C29C5019h 0x00000008 call 00007FBEA0B429ADh 0x0000000d push esi 0x0000000e jmp 00007FBEA0B41BE2h 0x00000010 test ah, ah 0x00000012 push edx 0x00000013 pushad 0x00000014 mov edi, 000000A6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | RDTSC instruction interceptor: First address: 00000000006B2B5B second address: 00000000006B39E0 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov edx, 95F3A792h 0x00000008 call 00007FBEA0B44511h 0x0000000d push esi 0x0000000e jmp 00007FBEA0B436E2h 0x00000010 test ah, ah 0x00000012 push edx 0x00000013 pushad 0x00000014 mov edi, 000000A6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | RDTSC instruction interceptor: First address: 00000000006B2BBF second address: 00000000006B39E0 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov edx, C29C5019h 0x00000008 call 00007FBEA0B429ADh 0x0000000d push esi 0x0000000e jmp 00007FBEA0B41BE2h 0x00000010 test ah, ah 0x00000012 push edx 0x00000013 pushad 0x00000014 mov edi, 000000A6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B02AFA rdtsc 0_2_02B02AFA
Source: C:\Windows\SysWOW64\cmd.exe | Window / User API: threadDelayed 939
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe TID: 6928 | Thread sleep count: 60 > 30
Source: C:\Users\user\Desktop\Payment Invoice#5638.exe TID: 6928 | Thread sleep time: -70000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 7060 | Thread sleep count: 939 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 7060 | Thread sleep time: -11268000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: Payment Invoice#5638.exe, 00000000.00000002.242402588.0000000004C2A000.00000004.00000001.sdmp, Payment Invoice#5638.exe, 00000002.00000002.485031647.000000000230A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: Payment Invoice#5638.exe, 00000000.00000002.242402588.0000000004C2A000.00000004.00000001.sdmp, Payment Invoice#5638.exe, 00000002.00000002.485031647.000000000230A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Payment Invoice#5638.exe, 00000002.00000002.485031647.000000000230A000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
Source: Payment Invoice#5638.exe, 00000000.00000002.242402588.0000000004C2A000.00000004.00000001.sdmp, Payment Invoice#5638.exe, 00000002.00000002.485031647.000000000230A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Payment Invoice#5638.exe, 00000000.00000002.242402588.0000000004C2A000.00000004.00000001.sdmp, Payment Invoice#5638.exe, 00000002.00000002.485031647.000000000230A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
      Source: Payment Invoice#5638.exe, 00000000.00000002.242402588.0000000004C2A000.00000004.00000001.sdmp, Payment Invoice#5638.exe, 00000002.00000002.485031647.000000000230A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Time Synchronization Service
      Source: Payment Invoice#5638.exe, 00000002.00000002.485031647.000000000230A000.00000004.00000001.sdmpBinary or memory string: vmicvss
      Source: Payment Invoice#5638.exe, 00000002.00000002.484798968.0000000000A6A000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
      Source: Payment Invoice#5638.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: Payment Invoice#5638.exe, 00000000.00000002.242402588.0000000004C2A000.00000004.00000001.sdmp, Payment Invoice#5638.exe, 00000002.00000002.485031647.000000000230A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Data Exchange Service
      Source: Payment Invoice#5638.exe, 00000000.00000002.242402588.0000000004C2A000.00000004.00000001.sdmp, Payment Invoice#5638.exe, 00000002.00000002.485031647.000000000230A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Heartbeat Service
      Source: Payment Invoice#5638.exe, 00000000.00000002.242402588.0000000004C2A000.00000004.00000001.sdmp, Payment Invoice#5638.exe, 00000002.00000002.485031647.000000000230A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Service Interface
      Source: Payment Invoice#5638.exe, 00000002.00000002.485031647.000000000230A000.00000004.00000001.sdmpBinary or memory string: vmicheartbeat

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B002F2 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,? 0_2_02B002F2
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B02AFA rdtsc 0_2_02B02AFA
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B02AFA NtSetInformationThread,TerminateProcess,LdrInitializeThunk,LoadLibraryA, 0_2_02B02AFA
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B3BD2 LoadLibraryA,GetProcAddress, 2_2_006B3BD2
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B03D4B mov eax, dword ptr fs:[00000030h] 0_2_02B03D4B
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B012D6 mov eax, dword ptr fs:[00000030h] 0_2_02B012D6
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B02328 mov eax, dword ptr fs:[00000030h] 0_2_02B02328
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B018CB mov eax, dword ptr fs:[00000030h] 0_2_02B018CB
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B0399F mov eax, dword ptr fs:[00000030h] 0_2_02B0399F
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B045BB mov eax, dword ptr fs:[00000030h] 0_2_02B045BB
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 0_2_02B0459F mov eax, dword ptr fs:[00000030h] 0_2_02B0459F
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B18CB mov eax, dword ptr fs:[00000030h] 2_2_006B18CB
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B3D4B mov eax, dword ptr fs:[00000030h] 2_2_006B3D4B
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B12D6 mov eax, dword ptr fs:[00000030h] 2_2_006B12D6
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B2328 mov eax, dword ptr fs:[00000030h] 2_2_006B2328
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B45BB mov eax, dword ptr fs:[00000030h] 2_2_006B45BB
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B399F mov eax, dword ptr fs:[00000030h] 2_2_006B399F
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Code function: 2_2_006B459F mov eax, dword ptr fs:[00000030h] 2_2_006B459F
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 3_2_031F001A mov eax, dword ptr fs:[00000030h] 3_2_031F001A

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 31F0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3200000 protect: page read and write
      Creates a thread in another existing process (thread injection)
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 31F010E
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 31F0000
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 3200000
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Process created: C:\Users\user\Desktop\Payment Invoice#5638.exe 'C:\Users\user\Desktop\Payment Invoice#5638.exe'
      Source: Payment Invoice#5638.exe, 00000002.00000002.484903545.0000000000EB0000.00000002.00000001.sdmp, cmd.exe, 00000003.00000002.485893098.0000000004020000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: Payment Invoice#5638.exe, 00000002.00000002.484903545.0000000000EB0000.00000002.00000001.sdmp, cmd.exe, 00000003.00000002.485893098.0000000004020000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: Payment Invoice#5638.exe, 00000002.00000002.484903545.0000000000EB0000.00000002.00000001.sdmp, cmd.exe, 00000003.00000002.485893098.0000000004020000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: Payment Invoice#5638.exe, 00000002.00000002.484903545.0000000000EB0000.00000002.00000001.sdmp, cmd.exe, 00000003.00000002.485893098.0000000004020000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

      Lowering of HIPS / PFW / Operating System Security Settings:

      Increases the number of concurrent connections per server for Internet Explorer
      Source: C:\Users\user\Desktop\Payment Invoice#5638.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

      Stealing of Sensitive Information:

      Yara detected AveMaria stealer
      Source: Yara match | File source: 00000002.00000003.243558636.0000000000AB9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.243525430.0000000000AA8000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.243411103.0000000000ACC000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.243666132.0000000000AA8000.00000004.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match | File source: Process Memory Space: Payment Invoice#5638.exe PID: 6884, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Payment Invoice#5638.exe PID: 6884, type: MEMORY

      Remote Access Functionality:

      Yara detected AveMaria stealer
      Source: Yara match | File source: 00000002.00000003.243558636.0000000000AB9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.243525430.0000000000AA8000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.243411103.0000000000ACC000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.243666132.0000000000AA8000.00000004.00000001.sdmp, type: MEMORY

      MITRE ATT&CK Matrix

      Numbers in parentheses are the signature counts attached to each technique in the matrix; cells without a number are techniques the report lists but did not match.

      | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
      | Valid Accounts | Native API (1) | Path Interception | Process Injection (312) | Masquerading (3) | Input Capture (11) | Security Software Discovery (521) | Remote Services | Input Capture (11) | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Endpoint Denial of Service (1) |
      | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (22) | LSASS Memory | Virtualization/Sandbox Evasion (22) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
      | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (312) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
      | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Hidden Files and Directories (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (2) | SIM Card Swap | Carrier Billing Fraud | |
      | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Users (1) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
      | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (1) | Cached Domain Credentials | System Information Discovery (11) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |

      Behavior Graph

      [Behavior graph image not reproduced. Legend categories: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.]