Analysis Report Payment Invoice#04731.exe

Overview

General Information

Sample Name: Payment Invoice#04731.exe
Analysis ID: 297539
MD5: 83da463e287e2e6a4e9b1697faf633e8
SHA1: 6893cea36ec094da3546902ad065cac71de4a6af
SHA256: aa4e2696bcaf8829c80af64cf785a43c6aeff3f42ef5e69181c9d0e02834d2af
Tags: exe, GuLoader

Detection

AveMaria, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AveMaria stealer
Yara detected Generic Dropper
Yara detected GuLoader
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hides user accounts
Increases the number of concurrent connections per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Spawns drivers
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • Payment Invoice#04731.exe (PID: 7072 cmdline: 'C:\Users\user\Desktop\Payment Invoice#04731.exe' MD5: 83DA463E287E2E6A4E9B1697FAF633E8)
    • Payment Invoice#04731.exe (PID: 6264 cmdline: 'C:\Users\user\Desktop\Payment Invoice#04731.exe' MD5: 83DA463E287E2E6A4E9B1697FAF633E8)
      • cmd.exe (PID: 4180 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • rdpdr.sys (PID: 4 cmdline: MD5: 52A6CC99F5934CFAE88353C47B6193E7)
  • tsusbhub.sys (PID: 4 cmdline: MD5: 3A84A09CBC42148A0C7D00B3E82517F1)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000001.00000003.245281807.0000000000A79000.00000004.00000001.sdmp | Rule: Codoso_Gh0st_1 | Description: Detects Codoso APT Gh0st Malware | Author: Florian Roth | Strings:
  • 0x21b8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x21b8:$c1: Elevation:Administrator!new:
Source: 00000001.00000003.245522453.0000000000A94000.00000004.00000001.sdmp | Rule: Codoso_Gh0st_1 | Description: Detects Codoso APT Gh0st Malware | Author: Florian Roth | Strings:
  • 0x18438:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x18438:$c1: Elevation:Administrator!new:
Source: 00000001.00000003.245522453.0000000000A94000.00000004.00000001.sdmp | Rule: JoeSecurity_AveMaria | Description: Yara detected AveMaria stealer | Author: Joe Security
Source: 00000001.00000003.245514186.0000000000A72000.00000004.00000001.sdmp | Rule: JoeSecurity_AveMaria | Description: Yara detected AveMaria stealer | Author: Joe Security
Source: 00000001.00000003.245569810.0000000000AA6000.00000004.00000001.sdmp | Rule: Codoso_Gh0st_1 | Description: Detects Codoso APT Gh0st Malware | Author: Florian Roth | Strings:
  • 0x6438:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x6438:$c1: Elevation:Administrator!new:
(11 entries in the full report; the remaining entries are not shown here)

Sigma Overview

System Summary:

Sigma detected: Group Modification Logging
Source: Event Logs | Author: Alexandr Yampolskyi, SOC Prime | Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-3853321935-2125563209-4053062332-1003, data 2: None, data 3: computer, data 4: S-1-5-21-3853321935-2125563209-4053062332-513, data 5: S-1-5-21-3853321935-2125563209-4053062332-1002, data 6: user, data 7: computer, data 8: 0x190be, data 9: -
Sigma detected: Local User Creation
Source: Event Logs | Author: Patrick Bareiss | Data: EventID: 4720, Source: Microsoft-Windows-Security-Auditing, data 0: mjemxBD, data 1: computer, data 10: -, data 11: %%1793, data 12: %%1793, data 13: %%1793, data 14: %%1793, data 15: %%1793, data 16: %%1794, data 17: %%1794, data 18: 513, data 19: -, data 2: S-1-5-21-3853321935-2125563209-4053062332-1003, data 20: 0x0, data 21: 0x15, data 22: %%2080 %%2082 %%2084, data 23: %%1793, data 24: -, data 25: %%1797, data 3: S-1-5-21-3853321935-2125563209-4053062332-1002, data 4: user, data 5: computer, data 6: 0x190be, data 7: -, data 8: mjemxBD, data 9: %%1793
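The two Sigma hits record the creation of local account mjemxBD (EventID 4720) by the logged-on user (subject RID 1002, logon ID 0x190be) followed, under the same logon ID, by a 4728 for the group "None" (RID 513); on a workgroup host that 4728 is the primary-group assignment Windows performs itself whenever a local account is created, so the pair is one action, not two. Together with the "Hides user accounts" signature and the rdpwrap.ini drop further down, this is the hidden-RDP-account pattern of this family. The correlation below is an added example written for this page, not part of the Joe Sandbox report or of the Sigma rules it cites: the event records are constructed by hand from the report's 4720/4728 data fields with invented timestamps, the extra 4732 in SAMPLE_EVENTS_RDP is hypothetical, and the privileged-group list and five-minute window are editorial choices.

```python
"""Correlate Security event 4720 (local account created) with the
4728/4732/4756 group-membership additions that follow it.

Added example for this page; not part of the Joe Sandbox report or of the
Sigma rules it cites.  SAMPLE_EVENTS is constructed from the report's
4720/4728 data fields (account mjemxBD, subject 'user', logon ID 0x190be);
timestamps are invented.  SAMPLE_EVENTS_RDP adds a hypothetical 4732 that
puts the new account into Remote Desktop Users.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

BASE_SID = "S-1-5-21-3853321935-2125563209-4053062332"   # machine SID from the report
GROUP_ADD_IDS = {4728, 4732, 4756}      # member added to global / local / universal group
PRIVILEGED_GROUP_SIDS = {               # editorial choice of groups that raise severity
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}


@dataclass
class SecEvent:
    ts: datetime
    event_id: int
    f: dict   # EventData fields keyed by their documented names


SAMPLE_EVENTS = [
    # 4720: 'user' (RID 1002, logon 0x190be) creates mjemxBD (RID 1003)
    SecEvent(datetime(2020, 10, 14, 9, 0, 1), 4720, {
        "TargetUserName": "mjemxBD", "TargetSid": f"{BASE_SID}-1003",
        "SubjectUserName": "user", "SubjectUserSid": f"{BASE_SID}-1002",
        "SubjectLogonId": "0x190be", "PrimaryGroupId": "513"}),
    # 4728 for 'None' (RID 513): the primary-group add Windows performs
    # itself on a workgroup host when a local account is created
    SecEvent(datetime(2020, 10, 14, 9, 0, 1), 4728, {
        "MemberSid": f"{BASE_SID}-1003", "TargetUserName": "None",
        "TargetSid": f"{BASE_SID}-513", "SubjectUserName": "user",
        "SubjectUserSid": f"{BASE_SID}-1002", "SubjectLogonId": "0x190be"}),
    # unrelated, benign: an admin adds an old account to a group hours later
    SecEvent(datetime(2020, 10, 14, 15, 30, 0), 4732, {
        "MemberSid": f"{BASE_SID}-1001", "TargetUserName": "Remote Desktop Users",
        "TargetSid": "S-1-5-32-555", "SubjectUserName": "Administrator",
        "SubjectUserSid": f"{BASE_SID}-500", "SubjectLogonId": "0x3e7a1"}),
]

SAMPLE_EVENTS_RDP = SAMPLE_EVENTS + [
    # hypothetical follow-up: the new account is granted RDP access
    SecEvent(datetime(2020, 10, 14, 9, 0, 3), 4732, {
        "MemberSid": f"{BASE_SID}-1003", "TargetUserName": "Remote Desktop Users",
        "TargetSid": "S-1-5-32-555", "SubjectUserName": "user",
        "SubjectUserSid": f"{BASE_SID}-1002", "SubjectLogonId": "0x190be"}),
]


def correlate(events, window=timedelta(minutes=5)):
    """One finding per 4720, listing group adds for that SID within `window`."""
    events = sorted(events, key=lambda e: e.ts)   # stable: keeps 4720 ahead of its 4728
    findings = []
    for i, ev in enumerate(events):
        if ev.event_id != 4720:
            continue
        new_sid = ev.f["TargetSid"]
        groups = []
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:
                break
            if later.event_id in GROUP_ADD_IDS and later.f.get("MemberSid") == new_sid:
                groups.append({
                    "group": later.f["TargetUserName"],
                    "group_sid": later.f["TargetSid"],
                    # same logon session as the creation => same actor or tool
                    "same_session": later.f["SubjectLogonId"] == ev.f["SubjectLogonId"],
                })
        privileged = [g["group"] for g in groups if g["group_sid"] in PRIVILEGED_GROUP_SIDS]
        findings.append({
            "account": ev.f["TargetUserName"],
            "sid": new_sid,
            "created_by": ev.f["SubjectUserName"],
            "logon_id": ev.f["SubjectLogonId"],
            "groups": groups,
            # any 4720 from a non-admin session on a workstation deserves a look;
            # a privileged group add right after it is high severity
            "severity": "high" if privileged else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS_RDP):
        print(finding)
```

Keying on the new account's SID rather than its name survives renames, and the `same_session` flag separates a tool that creates and provisions an account in one go from an administrator doing the steps by hand.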

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Payment Invoice#04731.exe | Avira: detected
Antivirus detection for URL or domain
Source: https://mscni.org/hk_KoKrxbGo126.bin | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Program Files\Microsoft DN1\sqlmap.dll | Metadefender: Detection: 21%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll | ReversingLabs: Detection: 37%
Multi AV Scanner detection for submitted file
Source: Payment Invoice#04731.exe | ReversingLabs: Detection: 14%
Yara detected AveMaria stealer
Source: Yara match | File source: 00000001.00000003.245522453.0000000000A94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.245514186.0000000000A72000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.245569810.0000000000AA6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.245581463.0000000000A72000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.245003501.0000000000A94000.00000004.00000001.sdmp, type: MEMORY
Source: 0.0.Payment Invoice#04731.exe.400000.0.unpack | Avira: Label: TR/AD.VBCryptor.xiiay
Source: 1.0.Payment Invoice#04731.exe.400000.0.unpack | Avira: Label: TR/AD.VBCryptor.xiiay
Source: 3.2.cmd.exe.3560000.1.unpack | Avira: Label: TR/AD.VBCryptor.xiiay
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_006B148D UnregisterDeviceNotification
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC82630 FindFirstFileW,FindNextFileW,FindClose,GetLogicalDrives,CharLowerW
Source: global traffic | TCP traffic: 192.168.2.3:49735 -> 103.199.17.61:5200
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 103.199.17.61 (50 identical entries, collapsed)
Source: unknown | DNS traffic detected: queries for: mscni.org
Source: Payment Invoice#04731.exe, 00000001.00000003.304946663.0000000000A53000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Payment Invoice#04731.exe, 00000001.00000003.304946663.0000000000A53000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Payment Invoice#04731.exe, 00000001.00000003.304946663.0000000000A53000.00000004.00000001.sdmp | String found in binary or memory: http://crl.usertrust.ctC
Source: Payment Invoice#04731.exe, 00000001.00000003.304946663.0000000000A53000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Payment Invoice#04731.exe, 00000001.00000003.304946663.0000000000A53000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Payment Invoice#04731.exe, 00000001.00000003.304946663.0000000000A53000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0#
Source: Payment Invoice#04731.exe, 00000001.00000003.268323234.0000000000A8B000.00000004.00000001.sdmp, sqlmap.dll.1.dr | String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: Payment Invoice#04731.exe, 00000001.00000003.245522453.0000000000A94000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: Payment Invoice#04731.exe, 00000001.00000002.482645024.00000000006B0000.00000040.00000001.sdmp | String found in binary or memory: https://mscni.org/hk_KoKrxbGo126.bin
Source: Payment Invoice#04731.exe, 00000001.00000002.483593214.0000000000A1C000.00000004.00000001.sdmp | String found in binary or memory: https://mscni.org/j
Source: Payment Invoice#04731.exe, 00000001.00000002.483593214.0000000000A1C000.00000004.00000001.sdmp | String found in binary or memory: https://mscni.org/r
Source: Payment Invoice#04731.exe, 00000001.00000003.304946663.0000000000A53000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
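The only name resolved during the run is mscni.org, the host the GuLoader stage fetches its payload from over HTTPS; the AveMaria stage then connects straight to 103.199.17.61:5200 with no lookup for that address, which is what the repeated "TCP traffic detected without corresponding DNS query" entry records. Below is an added example, not part of the Joe Sandbox report, that reproduces that check together with the non-standard-port check over constructed, Zeek-like DNS and connection records: the C2 address and port are taken from the report, while the address returned for mscni.org, the timestamps and the port list are invented or editorial.

```python
"""Flag outbound connections whose destination was never returned by a DNS
answer seen shortly before, plus connections to non-standard ports.

Added example for this page, not part of the Joe Sandbox report.  The
records are constructed in a simplified Zeek dns.log / conn.log shape:
103.199.17.61:5200 is the C2 endpoint from the report; the answer for
mscni.org (documentation-range placeholder) and all timestamps are invented.
"""
import ipaddress
from datetime import datetime, timedelta

# (ts, query, answer) - constructed
DNS_LOG = [
    (datetime(2020, 10, 14, 9, 0, 0), "mscni.org", "203.0.113.10"),
]
# (ts, src, dst, dst_port, proto) - constructed
CONN_LOG = [
    (datetime(2020, 10, 14, 9, 0, 1), "192.168.2.3", "203.0.113.10", 443, "tcp"),    # .bin download
    (datetime(2020, 10, 14, 9, 0, 5), "192.168.2.3", "103.199.17.61", 5200, "tcp"),  # AveMaria C2
    (datetime(2020, 10, 14, 9, 0, 6), "192.168.2.3", "192.168.2.1", 53, "udp"),      # local resolver
]

COMMON_PORTS = {22, 25, 53, 80, 123, 143, 443, 465, 587, 993, 995, 8080, 8443}  # editorial list
DNS_LOOKBACK = timedelta(hours=1)   # how long a resolved address stays "explained"


def resolutions_before(dns_log, ts, lookback=DNS_LOOKBACK):
    """Map answer IP -> queried name for answers seen in [ts - lookback, ts]."""
    return {ip: name for ats, name, ip in dns_log if ts - lookback <= ats <= ts}


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def audit_connections(conn_log, dns_log):
    """Return one finding per external connection that is unexplained by DNS
    or that uses an uncommon destination port."""
    findings = []
    for ts, src, dst, port, proto in conn_log:
        if is_local(dst):
            continue                      # gateway / resolver traffic
        resolved = resolutions_before(dns_log, ts)
        reasons = []
        if dst not in resolved:
            reasons.append("no_dns_resolution")   # hard-coded address, typical of a RAT config
        if port not in COMMON_PORTS:
            reasons.append(f"nonstandard_port:{port}")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port, "proto": proto,
                             "name": resolved.get(dst), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_connections(CONN_LOG, DNS_LOG):
        print(finding)
```

In a sandbox this check is clean because every lookup is visible; on a production network, resolutions cached before the lookback window, DNS-over-HTTPS clients and CDNs reached by literal address all produce unexplained connections, so the "no_dns_resolution" reason is best used to rank, not to alert on its own, and paired with the other network artefacts the report gives (the port 5200 endpoint and the JA3 value 37f463bf4616ecd445d4a1937da06e19).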

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Payment Invoice#04731.exe
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC3E550 OpenClipboard
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC3D2D0 GetClipboardData,RtlNtStatusToDosError,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlAllocateHeap,GdiCreateLocalEnhMetaFile,GdiCreateLocalMetaFilePict,GlobalSize,GlobalFree,GlobalAlloc,MultiByteToWideChar,GlobalReAlloc,MultiByteToWideChar,MultiByteToWideChar,GlobalReAlloc,GlobalFree,GlobalFree,GdiConvertBitmapV5,GdiConvertBitmapV5,WideCharToMultiByte,GlobalReAlloc,WideCharToMultiByte,RtlEnterCriticalSection,RtlLeaveCriticalSection,GlobalFree,GlobalFree,RtlFreeHeap
Source: Payment Invoice#04731.exe | Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match | File source: 00000001.00000003.245522453.0000000000A94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.245514186.0000000000A72000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.245569810.0000000000AA6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.245581463.0000000000A72000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.245003501.0000000000A94000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: Payment Invoice#04731.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Payment Invoice#04731.exe
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_023349BA NtResumeThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_023345A0 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02334A30 NtResumeThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02334A09 NtResumeThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02334A60 NtResumeThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02333256 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02334AB5 NtResumeThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02334ADD NtResumeThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02334B56 NtResumeThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_023303A0 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02334B90 NtResumeThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02330000 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_023338A1 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_023318D5 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_023349B1 NtResumeThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_023349E4 NtResumeThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_023349C0 NtResumeThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_023311C4 NtWriteVirtualMemory,LoadLibraryA
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02331E3C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02331F18 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_023317CF NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02331C04 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02331CA8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02331D6C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC48EC0 PeekMessageW,NtYieldExecution
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC35A00 PeekMessageA,NtYieldExecution
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC3CF79 RtlInitUnicodeString,NtOpenKey,RtlInitUnicodeString,RtlAllocateHeap,NtQueryValueKey,NtClose,GetSystemDirectoryW,RtlAllocateHeap,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,RtlFreeHeap,RtlFreeHeap,FreeLibrary,RtlFreeHeap
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC960D0 WaitForInputIdle,NtQueryInformationProcess,RtlRestoreLastWin32Error
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC23C30 NtCallbackReturn
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC3D581 NtQueryWnfStateData
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC3CD5E GetSystemDirectoryW,RtlInitUnicodeString,NtOpenKey,RtlInitUnicodeString,NtQueryValueKey,LoadLibraryExW,NtClose,GlobalFree,GlobalFree,GlobalAlloc,RtlRestoreLastWin32Error
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC7B90B GetSystemWindowsDirectoryW,RtlAllocateHeap,GetSystemWindowsDirectoryW,swprintf_s,memset,CreateProcessW,NtClose,NtClose,RtlFreeHeap
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_006B45A0 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_006B49BA NtSetInformationThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_006B49E4 NtSetInformationThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_006B49C0 NtSetInformationThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_006B49B1 NtSetInformationThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_006B4A60 NtSetInformationThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_006B4A30 NtSetInformationThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_006B4A09 NtSetInformationThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_006B4ADD NtSetInformationThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_006B4AB5 NtSetInformationThread
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_02333256
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 0_2_023300F4
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC8E6DC
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC31ADF
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC36EE0
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC2B2B0
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC2C210
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC49230
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC363C3
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC76BC5
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC27BF0
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC35BF0
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC307F0
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC46380
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC47F90
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC477B0
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC24F50
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC45B00
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC2D720
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC26CD0
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC6BCD0
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC7DCF9
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC2FC80
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC81081
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC2D040
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC2E050
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC255C0
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC479E0
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC75948
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC36D00
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_1EC2C920
Source: C:\Users\user\Desktop\Payment Invoice#04731.exe | Code function: 1_2_006B00F4
Source: Joe Sandbox View | Dropped File: C:\Program Files\Microsoft DN1\sqlmap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
Source: Payment Invoice#04731.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment Invoice#04731.exe | Binary or memory string: OriginalFilename vs Payment Invoice#04731.exe
Source: Payment Invoice#04731.exe, 00000000.00000002.234677670.00000000022E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Payment Invoice#04731.exe
Source: Payment Invoice#04731.exe, 00000000.00000000.217046570.0000000000425000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameculli.exe vs Payment Invoice#04731.exe
Source: Payment Invoice#04731.exe | Binary or memory string: OriginalFilename vs Payment Invoice#04731.exe
Source: Payment Invoice#04731.exe, 00000001.00000003.268323234.0000000000A8B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamerdpwrap.dllB vs Payment Invoice#04731.exe
Source: Payment Invoice#04731.exe, 00000001.00000002.486640279.000000001D500000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Payment Invoice#04731.exe
Source: Payment Invoice#04731.exe, 00000001.00000003.279933264.0000000000AC5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamerfxvmt.dllj% vs Payment Invoice#04731.exe
Source: Payment Invoice#04731.exe, 00000001.00000002.489667353.000000001E2E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameculli.exe vs Payment Invoice#04731.exe
Source: Payment Invoice#04731.exe, 00000001.00000001.234174578.0000000000400000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMSHTML.TLBD vs Payment Invoice#04731.exe
Source: Payment Invoice#04731.exe, 00000001.00000002.486622740.000000001D4F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Payment Invoice#04731.exe
Source: Payment Invoice#04731.exe, 00000001.00000002.490285789.000000001ECAB000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Payment Invoice#04731.exe
Source: Payment Invoice#04731.exe | Binary or memory string: OriginalFilenameculli.exe vs Payment Invoice#04731.exe
Source: unknown | Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys
Source: 00000001.00000003.245281807.0000000000A79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000001.00000003.245522453.0000000000A94000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000001.00000003.245569810.0000000000AA6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000001.00000003.245581463.0000000000A72000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000001.00000003.245003501.0000000000A94000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@6/2@1/2
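Every Codoso_Gh0st_1 match in this report fires on one string, Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}. The prefix is the generic COM elevation-moniker syntax and, from my own knowledge rather than from the report, the CLSID is the shell's file-operation class that UAC-bypass code in many unrelated families instantiates elevated; the same string therefore turns up far outside Gh0st, and every other indicator here (the Joe Security YARA rules, the Avira label, the dropped rdpwrap files) points to AveMaria. Treat the Gh0st hit as a string overlap, not attribution. The scanner below is an added example, not part of the report or of any YARA rule on this page: it pulls such monikers out of a memory dump in both ASCII and UTF-16LE and labels the CLSIDs. The known-CLSID table is editorial, and the sample buffer is constructed with the first string placed at 0x21b8, the offset the report gives for one of its hits.

```python
"""Find COM elevation monikers ('Elevation:Administrator!new:{CLSID}') in a
memory dump, in ASCII and UTF-16LE, and label the CLSIDs.

Added example for this page; not part of the Joe Sandbox report or of the
Codoso_Gh0st_1 rule.  KNOWN_ELEVATED_CLSIDS is editorial knowledge of
UAC-bypass tooling, not data from the report.  SAMPLE_DUMP is constructed:
the ASCII string sits at 0x21b8, the offset the report gives for one hit.
"""
import re

KNOWN_ELEVATED_CLSIDS = {
    "3AD05575-8857-4850-9277-11B85BDB8E09": "Shell file operation (IFileOperation)",
    "3E5FC7F9-9A51-4367-9063-A120244FBEC7": "CMSTPLUA (ICMLuaUtil)",
}
GUID = r"\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?"
MONIKER_RE = re.compile(rb"Elevation:Administrator!new:" + GUID.encode())

# constructed dump: one ASCII moniker at 0x21b8, one UTF-16LE moniker after it
ASCII_HIT = b"Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}\x00"
WIDE_HIT = "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}".encode("utf-16le")
SAMPLE_DUMP = bytes(0x21b8) + ASCII_HIT + bytes(16) + WIDE_HIT + bytes(8)


def find_elevation_monikers(buf: bytes):
    """Return hits sorted by offset.  UTF-16LE strings are found by scanning
    the even-offset and odd-offset byte lanes separately: either lane reduces
    a wide string to its ASCII form, and the lane tells us the real offset."""
    lanes = (
        ("ascii", buf, 1, 0),
        ("utf-16le", buf[0::2], 2, 0),
        ("utf-16le", buf[1::2], 2, 1),
    )
    hits = []
    for encoding, view, stride, base in lanes:
        for m in MONIKER_RE.finditer(view):
            clsid = m.group(1).decode("ascii").upper()
            hits.append({
                "offset": m.start() * stride + base,
                "encoding": encoding,
                "clsid": clsid,
                "known_as": KNOWN_ELEVATED_CLSIDS.get(clsid),   # None when unlisted
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in find_elevation_monikers(SAMPLE_DUMP):
        print(hit)
```

When writing or reviewing a family rule, a moniker like this belongs in the condition only in conjunction with strings that are specific to the family; on its own it is evidence of a UAC-bypass technique, which is worth reporting as such, not of the family the rule is named after.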
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; File created: C:\Program Files\Microsoft DN1
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; File created: C:\Users\user\AppData\Local\Microsoft Vision\
      Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_01
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; File created: C:\Users\user\AppData\Local\Temp\~DFBC45DDAF5D4E8639.TMP
      Source: Payment Invoice#04731.exe; Static PE information: section .text has IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (the Visual Basic 6 runtime, consistent with the VB6 downloader detection under Data Obfuscation)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy settings)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
      Source: Payment Invoice#04731.exe; ReversingLabs: Detection: 14%
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; File read: C:\Users\user\Desktop\Payment Invoice#04731.exe (the sample reads its own image)
      Source: unknown; Process created: C:\Users\user\Desktop\Payment Invoice#04731.exe 'C:\Users\user\Desktop\Payment Invoice#04731.exe'
      Source: unknown; Process created: C:\Users\user\Desktop\Payment Invoice#04731.exe 'C:\Users\user\Desktop\Payment Invoice#04731.exe'
      Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
      Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Process created: C:\Users\user\Desktop\Payment Invoice#04731.exe 'C:\Users\user\Desktop\Payment Invoice#04731.exe'
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
      Process tree as recorded: the sample starts a second copy of itself (PIDs 6264 and 7072 in the Yara sections) and a 32-bit cmd.exe, which is the injection target in the HIPS section; conhost.exe is the console host started for cmd.exe.
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; File written: C:\Program Files\Microsoft DN1\rdpwrap.ini (the configuration file of the open-source RDP Wrapper library)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Directory created: C:\Program Files\Microsoft DN1
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll (logged by the sandbox as a directory creation, but this path is the dropped PE file listed under Data Obfuscation)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini (same note; this is the file written above)
      Source: Binary string: RfxVmt.pdb; source: Payment Invoice#04731.exe, 00000001.00000003.279933264.0000000000AC5000.00000004.00000001.sdmp
      Source: Binary string: RfxVmt.pdbGCTL; source: Payment Invoice#04731.exe, 00000001.00000003.279933264.0000000000AC5000.00000004.00000001.sdmp
      Source: Binary string: wuser32.pdb; source: Payment Invoice#04731.exe
      Source: Binary string: wuser32.pdbUGP; source: Payment Invoice#04731.exe, 00000001.00000002.490159390.000000001EC10000.00000040.00000001.sdmp
      RfxVmt.pdb is the debug path of Microsoft's rfxvmt.dll, which the string table under Hooking and other Techniques references as \Microsoft DN1\rfxvmt.dll; RDP Wrapper installs a copy of that DLL alongside rdpwrap.ini.
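The behaviour lines above arrive on this page in a flattened form: the report's "Source" column is fused to the action label, and the interactive link text ("Jump to behavior", "Jump to dropped file") trails most lines, so the same observation is often repeated verbatim. What follows is an added Python example, not part of the Joe Sandbox report, that parses that flattened form into indicators an analyst can feed into a blocklist or hunt: it splits each line into source, action and detail, strips the link residue, and counts repeats instead of listing them twice. The sample lines are a constructed subset copied from this page; the action vocabulary covers only the labels seen on this page, not Joe Sandbox's complete list.

```python
import re
from collections import Counter, defaultdict

# Constructed subset of behaviour lines copied from this page, in the flattened form the
# page shows: the "Source:" column is fused to the action label, and the link text
# "Jump to behavior" / "Jump to dropped file" trails most lines.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Payment Invoice#04731.exeFile created: C:\Program Files\Microsoft DN1Jump to behavior",
    r"Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_01",
    r"Source: C:\Users\user\Desktop\Payment Invoice#04731.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior",
    r"Source: C:\Users\user\Desktop\Payment Invoice#04731.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior",
    r"Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe",
    r"Source: C:\Users\user\Desktop\Payment Invoice#04731.exeFile written: C:\Program Files\Microsoft DN1\rdpwrap.iniJump to behavior",
    r"Source: C:\Users\user\Desktop\Payment Invoice#04731.exeFile created: C:\Program Files\Microsoft DN1\sqlmap.dllJump to dropped file",
    r"Source: C:\Users\user\Desktop\Payment Invoice#04731.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList mjemxBDJump to behavior",
    r"Source: Payment Invoice#04731.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ",
]

# Action labels seen on this page (not Joe Sandbox's complete vocabulary). They are sorted
# longest-first so that "Registry key created or modified" is tried before "Registry key created".
ACTIONS = (
    "File created", "File written", "File read", "File opened", "Directory created",
    "Mutant created", "Process created", "Thread created", "Memory allocated", "Memory written",
    "Registry key created or modified", "Registry key value modified", "Registry value created",
    "Registry key created", "Key opened", "Key value queried", "Section loaded",
    "Thread information set", "Process queried", "Process information set",
)
_ACTION_ALT = "|".join(re.escape(a) for a in sorted(ACTIONS, key=len, reverse=True))
# Lazy "source" grows until an action label follows it; lazy "detail" stops before the link residue.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.*?)(?P<action>" + _ACTION_ALT + r"):\s*"
    r"(?P<detail>.*?)\s*(?:Jump to behavior|Jump to dropped file)?\s*$"
)


def parse_line(line):
    """Split one flattened line into (source, action, detail); None if it is not a behaviour line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("source").strip(), m.group("action"), m.group("detail").strip()


def parse_report(lines):
    """Group (source, detail) pairs by action, counting repeats; keep lines that did not parse."""
    iocs = defaultdict(Counter)
    unparsed = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unparsed.append(line)
            continue
        source, action, detail = parsed
        iocs[action][(source, detail)] += 1
    return iocs, unparsed


def dropped_paths(iocs):
    """Paths the sample created or wrote: the file indicators worth blocking or hunting for."""
    paths = set()
    for action in ("File created", "File written", "Directory created"):
        for _source, detail in iocs.get(action, ()):
            paths.add(detail)
    return sorted(paths)


if __name__ == "__main__":
    parsed_iocs, leftover = parse_report(REPORT_LINES)
    for action, entries in parsed_iocs.items():
        for (source, detail), count in entries.items():
            print("%-32s %-50s x%d" % (action, detail, count))
    print("unparsed:", len(leftover), "| dropped paths:", dropped_paths(parsed_iocs))
```

Lines whose label is not in ACTIONS (static PE information, Yara matches, binary strings) land in the unparsed list rather than being silently dropped, so extending the vocabulary is a matter of checking that list. Repeated observations (the two reads of the hosts file here; the seven NOOPENFILEERRORBOX lines further down) collapse into one entry with a count, which is what a feed wants.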

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match; File source: Process Memory Space: Payment Invoice#04731.exe PID: 7072, type: MEMORY
      Source: Yara match; File source: Process Memory Space: Payment Invoice#04731.exe PID: 6264, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match; File source: Process Memory Space: Payment Invoice#04731.exe PID: 7072, type: MEMORY
      Source: Yara match; File source: Process Memory Space: Payment Invoice#04731.exe PID: 6264, type: MEMORY
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Code function 1_2_006B39E2: LoadLibraryA, GetProcAddress (imports resolved at run time rather than through the import table, so static import analysis understates what the code calls)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Code function 0_2_00417D59: push dword ptr [ecx-3C004E4Fh]; ret (instruction at 0_2_00417D69; a push/ret pair that jumps to a computed address, a common control-flow obfuscation)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Code function 1_2_1EC4FA0D: push ecx; ret (instruction at 1_2_1EC4FA20)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; File created: C:\Program Files\Microsoft DN1\sqlmap.dll (dropped PE file)
      Source: C:\Windows\system32\drivers\tsusbhub.sys; Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters (the key that holds ServiceDll for the Remote Desktop service; both names appear in the sample's string table under Hooking and other Techniques)

      Hooking and other Techniques for Hiding and Protection:

      Contains functionality to hide user accounts
      Source: Payment Invoice#04731.exe, 00000001.00000003.304946663.0000000000A53000.00000004.00000001.sdmp; String found in binary or memory: WARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList (the same path as below with its first characters cut off at the dump boundary)
      Source: Payment Invoice#04731.exe, 00000001.00000003.245522453.0000000000A94000.00000004.00000001.sdmp; String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
      Source: Payment Invoice#04731.exe, 00000001.00000003.245522453.0000000000A94000.00000004.00000001.sdmp; String found in binary or memory (one fused run of the sample's string table; a leading run of 'E' padding bytes is omitted, and the run is split only where the boundaries are unambiguous):
        TermService
        %ProgramFiles%
        %windir%\System32
        %ProgramW6432%
        \Microsoft DN1\rfxvmt.dll
        \rdpwrap.ini
        \sqlmap.dll
        rudprpdp
        SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        SeDebugPrivilege
        SYSTEM\CurrentControlSet\Services\TermService\Parameters
        ServiceDll
        SYSTEM\CurrentControlSet\Services\TermService
        ImagePath
        svchost.exe
        svchost.exe -k
        CertPropSvc
        SessionEnv
        ServicesActive
        SYSTEM\CurrentControlSet\Control\Terminal Server
        SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
        SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
        SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns
        SYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip Redirector (backslash missing as dumped)
        SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VC
        fDenyTSConnections
        EnableConcurrentSessions
        AllowMultipleTSSessions
        RDPClipNameType
      Read together, these strings are an RDP Wrapper installation routine: the files dropped under Microsoft DN1 (rfxvmt.dll, rdpwrap.ini, a wrapper DLL), the TermService ServiceDll and ImagePath values, the values that control whether Remote Desktop is allowed (fDenyTSConnections) and whether several sessions may run at once (EnableConcurrentSessions, AllowMultipleTSSessions), SeDebugPrivilege, and the UserList key used to hide an account from the logon screen.
      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; File opened: C:\Users\user\Desktop\:Zone.Identifier with access read attributes | delete (opening the Zone.Identifier alternate data stream with DELETE access removes the mark-of-the-web that SmartScreen and Office's protected view rely on)
      Hides user accounts
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, value name mjemxBD (a value named after an account and set to 0 under this key hides that account from the logon screen and the User Accounts control panel; the report does not print the value data, so on a live host check the data and whether a local account of that name exists)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Process information set: NOOPENFILEERRORBOX (7 occurrences; SetErrorMode with SEM_NOOPENFILEERRORBOX suppresses the dialog a failed file or DLL load would otherwise show)
      Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect Any.run
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (2 occurrences)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; File opened: C:\Program Files\qga\qga.exe (2 occurrences)
      Both paths are install locations of the QEMU guest agent, which is present in QEMU/KVM-backed analysis VMs such as Any.run; a successful open tells the sample it is being analysed.
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Payment Invoice#04731.exe; Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Code function 0_2_02333A7D: rdtsc (timestamp-counter read used for execution timing; also listed under Anti Debugging)
      Source: C:\Windows\SysWOW64\cmd.exe; Window / User API: threadDelayed 936
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Dropped PE file which has not been started: C:\Program Files\Microsoft DN1\sqlmap.dll
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe TID 4648; Thread sleep count: 60 > 30
      Source: C:\Windows\SysWOW64\cmd.exe TID 6496; Thread sleep count: 936 > 30
      Source: C:\Windows\SysWOW64\cmd.exe TID 6496; Thread sleep time: -11232000s >= -30000s (unit as printed by the report; 936 delays summing to 11232000 is consistent with 12000 ms per call, about 3.1 hours of sleeping inside cmd.exe, which is what defeats a sandbox with a fixed analysis window)
      Source: C:\Windows\SysWOW64\cmd.exe; Last function: Thread delayed (2 occurrences)
      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Code function 1_2_1EC82630: FindFirstFileW, FindNextFileW, FindClose, GetLogicalDrives, CharLowerW (drive and directory enumeration)
      Source: Payment Invoice#04731.exe, 00000000.00000002.252489375.0000000004D8A000.00000004.00000001.sdmp and 00000001.00000002.484077206.00000000022DA000.00000004.00000001.sdmp; Binary or memory strings: Hyper-V Guest Shutdown Service, Hyper-V Remote Desktop Virtualization Service, Hyper-V Volume Shadow Copy Requestor, Hyper-V PowerShell Direct Service, Hyper-V Time Synchronization Service, Hyper-V Data Exchange Service, Hyper-V Heartbeat Service, Hyper-V Guest Service Interface
      Source: Payment Invoice#04731.exe, 00000001.00000002.484077206.00000000022DA000.00000004.00000001.sdmp; Binary or memory strings: vmicshutdown, vmicvss, vmicheartbeat
      Source: Payment Invoice#04731.exe, 00000001.00000003.304915867.0000000000A35000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
      Source: Payment Invoice#04731.exe; Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      The Hyper-V display names and the vmic* short names are those of the Hyper-V integration services, found in the memory of both sample processes; unlike the qemu-ga probes, the report records no file, service or registry access based on them, so they may stem from service enumeration rather than from a hard-coded check.
      Source: C:\Windows\system32\drivers\tsusbhub.sys; System information queried: ModuleInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Code function 0_2_023303A0: NtSetInformationThread(000000FE, 00000011, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, ?, 00000000, 00000000) (ThreadInformationClass 0x11 is ThreadHideFromDebugger; once set, the debugger no longer receives events, including breakpoints, from that thread)
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Thread information set: HideFromDebugger (3 occurrences)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Process queried: DebugPort (2 occurrences; NtQueryInformationProcess with ProcessDebugPort, non-zero when a debugger is attached)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Code function 0_2_02333A7D: rdtsc (execution timing; two reads far apart indicate single-stepping or an instrumented environment)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Code function 1_2_006B39E2: LoadLibraryA, GetProcAddress
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Code functions reading the PEB (mov eax, dword ptr fs:[00000030h]; the PEB holds BeingDebugged and NtGlobalFlag): 0_2_02333B91, 0_2_02332167, 0_2_023341E5, 0_2_023311C4, 0_2_02331618, 0_2_023337AA, 0_2_023317CF, 1_2_006B17CF, 1_2_006B2167, 1_2_006B41E5, 1_2_006B11C4, 1_2_006B1618 (the 0_2_0233xxxx and 1_2_006Bxxxx entries are the same code at different base addresses in the two sample processes; the low 16 bits of the addresses match)
      Source: C:\Windows\SysWOW64\cmd.exe; Code function 3_2_0314001A: mov eax, dword ptr fs:[00000030h] (inside the region the sample allocated in cmd.exe at base 3140000, see the HIPS section)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Process token adjusted: Debug (SeDebugPrivilege enabled; the privilege name also appears in the string table above)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Code function 1_2_1EC4BF4B: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Code function 1_2_1EC4BF61: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Memory allocated in C:\Windows\SysWOW64\cmd.exe: base 3140000, protect: page execute and read and write
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Memory allocated in C:\Windows\SysWOW64\cmd.exe: base 3160000, protect: page read and write
      Creates a thread in another existing process (thread injection)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Thread created in C:\Windows\SysWOW64\cmd.exe, EIP: 314010E (inside the RWX region allocated at 3140000)
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Memory written in C:\Windows\SysWOW64\cmd.exe: base 3140000
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Memory written in C:\Windows\SysWOW64\cmd.exe: base 3160000
      Taken together these are the classic allocate / write / create-remote-thread injection: an RWX region for code at 3140000, a second read-write region at 3160000 that is also written, and a new thread started at 314010E inside the code region. cmd.exe is a child the sample started itself, so no OpenProcess call on a foreign process was needed to obtain the handle.
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Process created: C:\Users\user\Desktop\Payment Invoice#04731.exe 'C:\Users\user\Desktop\Payment Invoice#04731.exe'
      Source: Payment Invoice#04731.exe, 00000001.00000002.483819010.0000000000A7F000.00000004.00000001.sdmp; Binary or memory strings: Program Manager, Program ManagerE, Program Manager-, Program ManagerU
      Source: Payment Invoice#04731.exe, 00000001.00000002.483936395.0000000000E80000.00000002.00000001.sdmp and cmd.exe, 00000003.00000002.485875017.0000000003DA0000.00000002.00000001.sdmp; Binary or memory strings: Program Manager, Shell_TrayWnd, Progman, Progmanlock
      Source: Payment Invoice#04731.exe; Binary or memory strings: GetProgmanWindow, SetProgmanWindow
      (Progman, Shell_TrayWnd and Program Manager are the window class and title names of the desktop shell, used to locate the shell window; they appear in the memory of both the sample and the injected cmd.exe.)
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Code function 1_2_1EC93175: GetLocaleInfoW, wcstol
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a per-installation GUID, commonly read by malware as a stable host identifier)

      Lowering of HIPS / PFW / Operating System Security Settings:

      Increases the number of concurrent connections per server for Internet Explorer
      Source: C:\Users\user\Desktop\Payment Invoice#04731.exe; Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value MaxConnectionsPerServer = 10 (raises the per-host connection limit that WinINet applies to Internet Explorer and to any program using WinINet)
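The host artefacts recorded in the last three sections are the ones a detection engineer would want rules for: the account value created under Winlogon\SpecialAccounts\UserList, the TermService\Parameters change next to the rdpwrap.ini drop, the allocate / write / create-remote-thread sequence into cmd.exe, and the MaxConnectionsPerServer change. The following Python is an added example, not code from the report or from Joe Sandbox: a handful of rule functions evaluated over constructed Sysmon-style events. Field names follow Sysmon's schema (TargetObject, Details, TargetFilename, TargetImage, StartAddress) and the event values mirror the observations above, except that the UserList value data (assumed to be 0, the hiding convention), the ServiceDll target and the StartAddress formatting are assumptions, since the report does not print them.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Event:
    """Sysmon-style event: 8 = CreateRemoteThread, 11 = FileCreate, 13 = RegistryEvent (value set)."""
    event_id: int
    image: str                              # acting process (Sysmon Image / SourceImage)
    fields: dict = field(default_factory=dict)

# Images that legitimately write service keys or start threads in other processes; tune per estate.
TRUSTED_IMAGES = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe",
                  r"c:\windows\system32\lsass.exe", r"c:\windows\system32\services.exe"}
_CONTROLSET = re.compile(r"\\(?:currentcontrolset|controlset\d{3})\\")

def _norm_key(key):
    """Lower-case and fold ControlSetNNN into CurrentControlSet: the report prints ControlSet001,
    Sysmon normally logs CurrentControlSet, and one comparison should cover both."""
    return _CONTROLSET.sub(r"\\currentcontrolset\\", key.lower())

def _untrusted(ev):
    return ev.image.lower() not in TRUSTED_IMAGES

def rule_hidden_user(ev):
    """A DWORD 0 under Winlogon\\Sp ecialAccounts\\UserList hides the named account from the logon UI."""
    if ev.event_id != 13:
        return None
    key = _norm_key(ev.fields.get("TargetObject", ""))
    if "\\winlogon\\specialaccounts\\userlist\\" in key and "0x00000000" in ev.fields.get("Details", ""):
        return "hidden local account: " + ev.fields["TargetObject"].rsplit("\\", 1)[-1]
    return None

def rule_termservice_servicedll(ev):
    """TermService normally loads termsrv.dll; RDP Wrapper repoints ServiceDll elsewhere."""
    if ev.event_id != 13:
        return None
    key = _norm_key(ev.fields.get("TargetObject", ""))
    details = ev.fields.get("Details", "")
    if key.endswith("\\services\\termservice\\parameters\\servicedll") and "termsrv.dll" not in details.lower():
        return "TermService ServiceDll repointed to " + details
    return None

def rule_rdp_wrapper_drop(ev):
    """rdpwrap.ini or an rfxvmt.dll copy written outside the Windows directory."""
    if ev.event_id != 11:
        return None
    path = ev.fields.get("TargetFilename", "")
    if path.lower().rsplit("\\", 1)[-1] in {"rdpwrap.ini", "rfxvmt.dll"} and not path.lower().startswith("c:\\windows\\"):
        return "RDP wrapper component dropped: " + path
    return None

def rule_remote_thread(ev):
    """CreateRemoteThread into cmd.exe from an untrusted image (the report: thread at EIP 314010E)."""
    if ev.event_id != 8:
        return None
    if ev.fields.get("TargetImage", "").lower().endswith("\\cmd.exe") and _untrusted(ev):
        return "remote thread in cmd.exe from %s at %s" % (ev.image, ev.fields.get("StartAddress", "?"))
    return None

def rule_ie_connection_limit(ev):
    """MaxConnectionsPerServer changed under Internet Settings by a non-system image."""
    if ev.event_id != 13:
        return None
    key = _norm_key(ev.fields.get("TargetObject", ""))
    if key.endswith("\\internet settings\\maxconnectionsperserver") and _untrusted(ev):
        return "MaxConnectionsPerServer set to %s by %s" % (ev.fields.get("Details", "?"), ev.image)
    return None

RULES = (rule_hidden_user, rule_termservice_servicedll, rule_rdp_wrapper_drop,
         rule_remote_thread, rule_ie_connection_limit)

def evaluate(events):
    """Return [(rule name, finding)] for every event/rule pair that fires, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((rule.__name__, finding))
    return hits

# Constructed events mirroring this report. The UserList value data, the ServiceDll target and
# the StartAddress formatting are assumptions; the last two events are benign noise.
SAMPLE = r"C:\Users\user\Desktop\Payment Invoice#04731.exe"
SAMPLE_EVENTS = [
    Event(13, SAMPLE, {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\mjemxBD",
                       "Details": "DWORD (0x00000000)"}),
    Event(13, SAMPLE, {"TargetObject": r"HKLM\System\ControlSet001\Services\TermService\Parameters\ServiceDll",
                       "Details": r"C:\Program Files\Microsoft DN1\sqlmap.dll"}),
    Event(11, SAMPLE, {"TargetFilename": r"C:\Program Files\Microsoft DN1\rdpwrap.ini"}),
    Event(8, SAMPLE, {"TargetImage": r"C:\Windows\SysWOW64\cmd.exe", "StartAddress": "0x0314010E"}),
    Event(13, SAMPLE, {"TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer",
                       "Details": "DWORD (0x0000000a)"}),
    Event(8, r"C:\Windows\System32\csrss.exe", {"TargetImage": r"C:\Windows\SysWOW64\cmd.exe", "StartAddress": "0x77E10000"}),
    Event(13, r"C:\Windows\System32\svchost.exe", {"TargetObject": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
                                                   "Details": r"%SystemRoot%\System32\termsrv.dll"}),
]

if __name__ == "__main__":
    for name, finding in evaluate(SAMPLE_EVENTS):
        print(name + ": " + finding)
```

Two design points. The registry rules normalise ControlSet001 to CurrentControlSet because the sandbox prints the former and Sysmon the latter, and a rule keyed on only one spelling misses half the telemetry. For the injection, the useful Sysmon signal is the CreateRemoteThread event (ID 8) into cmd.exe: the sample started cmd.exe itself, so the handle it injected through came from CreateProcess rather than OpenProcess, and a ProcessAccess rule (ID 10) should not be relied on for this pattern.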

      Stealing of Sensitive Information:

      Yara detected AveMaria stealer
      Source: Yara match; File source: 00000001.00000003.245522453.0000000000A94000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000003.245514186.0000000000A72000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000003.245569810.0000000000AA6000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000003.245581463.0000000000A72000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000003.245003501.0000000000A94000.00000004.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match; File source: Process Memory Space: Payment Invoice#04731.exe PID: 6264, type: MEMORY (2 matches)

      Remote Access Functionality:

      Yara detected AveMaria stealer (the same five memory dumps of process 1 as under Stealing of Sensitive Information; the remote-access side of the sample is also visible in the behaviour above: the RDP Wrapper drop, the TermService change and the hidden account)
      Source: Yara match; File source: 00000001.00000003.245522453.0000000000A94000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000003.245514186.0000000000A72000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000003.245569810.0000000000AA6000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000003.245581463.0000000000A72000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000003.245003501.0000000000A94000.00000004.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      The matrix is flattened in this copy, so it is listed here per tactic in the order of the original columns. The digits following a technique are the report's per-technique signature-count markers and are kept as printed.

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
      Execution: Native API 1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
      Persistence: LSASS Driver 1; Windows Service 2; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
      Privilege Escalation: LSASS Driver 1; Windows Service 2; Process Injection 312; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
      Defense Evasion: Obfuscated Files or Information 1; Software Packing 1; Masquerading 3; Virtualization/Sandbox Evasion 22; Process Injection 312; Hidden Files and Directories 1; Hidden Users 2; Indicator Removal from Tools
      Credential Access: Input Capture 111; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
      Discovery: Peripheral Device Discovery 1; File and Directory Discovery 2; System Information Discovery 13; Security Software Discovery 521; Virtualization/Sandbox Evasion 22; Process Discovery 1; Application Window Discovery 1; Remote System Discovery 1
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
      Collection: Archive Collected Data 1; Input Capture 111; Clipboard Data 2; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
      Command and Control: Encrypted Channel 12; Non-Standard Port 1; Non-Application Layer Protocol 1; Application Layer Protocol 2; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Endpoint Denial of Service 1; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue