Source: Remittance advice.exe | Virustotal: Detection: 45% |
Source: Remittance advice.exe | ReversingLabs: Detection: 36% |
Source: Remittance advice.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 4x nop then lfence |
Source: Remittance advice.exe, 00000000.00000002.1328575340.000000000067A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Users\user\Desktop\Remittance advice.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00405DCE |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00406E03 |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00406EE2 |
Source: Remittance advice.exe, 00000000.00000002.1327563785.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEnantiopathia6.exe vs Remittance advice.exe |
Source: Remittance advice.exe, 00000000.00000002.1329075986.0000000002230000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Remittance advice.exe |
Source: Remittance advice.exe | Binary or memory string: OriginalFilenameEnantiopathia6.exe vs Remittance advice.exe |
Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\Remittance advice.exe | File created: C:\Users\user\AppData\Local\Temp\~DFACCDFEC25FC090FE.TMP |
Source: Remittance advice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Remittance advice.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Remittance advice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match | File source: Process Memory Space: Remittance advice.exe PID: 6336, type: MEMORY |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040182E push edi; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040882E push ds; ret |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_004020D6 push edi; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00408152 push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040B10A push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00409120 push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_004081CC push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_004092C9 push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00408AE9 pushad ; ret |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040A37F push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00408B2E push ecx; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040A381 push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040A391 push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00409393 push es; ret |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040A3A1 push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_004093B2 push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00409C7F pushad ; ret |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00409C36 push es; ret |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040A4C6 push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00409CDA push es; ret |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040A4E6 push es; ret |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_004094E8 push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040A566 push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040A532 push es; ret |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040A532 push es; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_004085F1 pushad ; ret |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_0040A5B2 push es; ret |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00408DB8 push cs; iretd |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_004056C2 push ss; retf |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00409E9C pushfd ; retf |
Source: C:\Users\user\Desktop\Remittance advice.exe | Process information set: NOOPENFILEERRORBOX |
Source: Remittance advice.exe, 00000000.00000002.1327620350.0000000000460000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEF |
Source: Remittance advice.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\Remittance advice.exe | RDTSC instruction interceptor: First address: 0000000000403F92 second address: 0000000000403F92 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 dec edi 0x00000004 jmp 00007F5D84D1C3D7h 0x00000006 cmp edi, 00000000h 0x00000009 jne 00007F5D84D1C393h 0x0000000b pushad 0x0000000c jmp 00007F5D84D1C3CEh 0x0000000e rdtsc |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00403D4F rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: Remittance advice.exe, 00000000.00000002.1327620350.0000000000460000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exef |
Source: Remittance advice.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\Remittance advice.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00461068 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_004632FE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_004613DF mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00463D88 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00463D97 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00461E88 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_004637AD mov eax, dword ptr fs:[00000030h] |
Source: Remittance advice.exe, 00000000.00000002.1328805905.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: Remittance advice.exe, 00000000.00000002.1328805905.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: Remittance advice.exe, 00000000.00000002.1328805905.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl |
Source: Remittance advice.exe, 00000000.00000002.1328805905.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd, |
Source: Remittance advice.exe, 00000000.00000002.1328805905.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
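The entries above are the report's raw signature evidence, one `Source: … | kind: detail |` record per line. As an added example (not part of the sandbox report and not the vendor's code), the following Python script parses records in that layout and tallies the evasion indicators the report shows: the rdtsc timing check, PEB reads via fs:[30h], the push/iretd junk sequences, the qemu-ga guest-agent path, the Safer\CodeIdentifiers policy lookup, the OriginalFilename mismatch and the msvbvm60.dll load. The sample records are copied from the report above; the indicator names, the extra VM-product strings in the artifact pattern, and the split of the classification label into verdict, score, tags and platform are this example's own assumptions, and the `@1/0@0/0` suffix is kept raw because the page does not define it.

```python
import re
from collections import Counter

# Constructed input: evidence records copied from the report above.
SAMPLE_REPORT = [
    r"Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00403D4F rdtsc |",
    r"Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00461068 mov eax, dword ptr fs:[00000030h] |",
    r"Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00408152 push es; iretd |",
    r"Source: C:\Users\user\Desktop\Remittance advice.exe | Code function: 0_2_00405DCE |",
    r"Source: Remittance advice.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |",
    r"Source: Remittance advice.exe | Binary or memory string: OriginalFilenameEnantiopathia6.exe vs Remittance advice.exe |",
    r"Source: C:\Users\user\Desktop\Remittance advice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |",
    r"Source: C:\Users\user\Desktop\Remittance advice.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |",
    r"Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/0@0/0 |",
    r"Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |",
]

# One record: "Source: <source> | <kind>: <detail> |" (trailing pipe optional).
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.*?)\s*\|\s*(?P<kind>[^:|]+?)\s*:\s*(?P<detail>.*?)\s*\|?\s*$"
)

# Indicator rules (names are this example's own): (name, record kind, pattern on detail).
RULES = [
    ("timing_check_rdtsc", "Code function", re.compile(r"\brdtsc\b")),
    # fs:[30h] is the PEB pointer in the 32-bit TEB; the report shows eight-digit zero padding.
    ("peb_access_fs30", "Code function", re.compile(r"fs:\[0*30h\]")),
    # "<addr> push es; iretd", "pushad ; ret", "pushfd ; retf": junk/opaque code sequences.
    ("junk_instruction", "Code function",
     re.compile(r"^\S+ (?:push \w+|pushad|pushfd)\s*;\s*(?:iretd|retf|ret)\b")),
    # qemu-ga is what the report shows; the other names are assumed additional VM artifacts.
    ("vm_artifact_string", "Binary or memory string",
     re.compile(r"qemu-ga|vbox|vmware|vmtools", re.I)),
    ("srp_policy_lookup", "Key opened", re.compile(r"\\Safer\\CodeIdentifiers$", re.I)),
    ("original_filename_mismatch", "Binary or memory string",
     re.compile(r"^OriginalFilename\S+ vs .+$")),
    ("vb6_runtime", "Section loaded", re.compile(r"msvbvm60\.dll$", re.I)),
]

# "mal72.troj.evad.winEXE@1/0@0/0": verdict+score, dotted tags, platform, raw counters.
LABEL_RE = re.compile(r"^(?P<verdict>[a-z]+?)(?P<score>\d+)\.(?P<rest>[^@]+)@(?P<counters>.+)$")


def parse_line(line):
    """Return (source, kind, detail) for one evidence record, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("source"), m.group("kind"), m.group("detail")


def classify(lines):
    """Tally indicator hits over the records and keep the matching details as evidence."""
    hits = Counter()
    evidence = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _source, kind, detail = parsed
        for name, wanted_kind, pattern in RULES:
            if kind == wanted_kind and pattern.search(detail):
                hits[name] += 1
                evidence.setdefault(name, []).append(detail)
    return hits, evidence


def parse_classification(label):
    """Split the classification label; the '@' counters are returned raw (meaning not given on the page)."""
    m = LABEL_RE.match(label)
    if m is None:
        return None
    parts = m.group("rest").split(".")
    return {
        "verdict": m.group("verdict"),
        "score": int(m.group("score")),
        "tags": parts[:-1],
        "platform": parts[-1],
        "counters": m.group("counters"),
    }


def summarize(lines):
    """Full triage summary: indicator counts plus the decoded classification label, if present."""
    hits, evidence = classify(lines)
    label = None
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == "Classification label":
            label = parse_classification(parsed[2])
    return {"hits": dict(hits), "evidence": evidence, "classification": label}


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for name, count in sorted(result["hits"].items()):
        print(f"{name:28s} {count}")
    print(result["classification"])
```

Each rule is keyed on the record kind as well as the detail, so a `rdtsc` in a memory string (for example inside a dumped log) does not count as a timing check; only `Code function` records do. Records that do not match the layout are skipped rather than raising, which is what you want when feeding a whole report through the script.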