Analysis Report IRS_Covid-19_Relief_Payment_Notice_pdf.exe

Overview

General Information

Sample Name: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Analysis ID: 344014
MD5: 5525bb8a978d3ac15812c8d8ca9b8a57
SHA1: dcb9549ff9c290e056f83639ad546b03206a0806
SHA256: 21f49ea6e105c22882a9fb0065803deee18eddb76767a30ddade2e2725eb65d9

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: chengsolution.com Virustotal: Detection: 8%
Source: https://chengsolution.com/vr/tembin_AbNFdk131.bin Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Virustotal: Detection: 67%
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Metadefender: Detection: 37%
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe ReversingLabs: Detection: 75%

Compliance:

Uses 32bit PE files
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 162.0.209.179:443 -> 192.168.2.4:49745 version: TLS 1.2

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ACPCA ACPCA
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_0056907C LoadLibraryA,InternetReadFile, 2_2_0056907C
Source: unknown DNS traffic detected: queries for: chengsolution.com
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe String found in binary or memory: https://chengsolution.com/vr/tembin_AbNFdk131.bin
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 162.0.209.179:443 -> 192.168.2.4:49745 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000000.00000002.679600218.000000000074A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02418B05 NtProtectVirtualMemory, 0_2_02418B05
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0241907C LoadLibraryA,NtResumeThread, 0_2_0241907C
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024108BF EnumWindows,NtSetInformationThread, 0_2_024108BF
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02414EE3 NtWriteVirtualMemory,LoadLibraryA, 0_2_02414EE3
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02410A4D NtSetInformationThread, 0_2_02410A4D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02419271 NtResumeThread, 0_2_02419271
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02419202 NtResumeThread, 0_2_02419202
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02410A0D NtSetInformationThread, 0_2_02410A0D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02419215 NtResumeThread, 0_2_02419215
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413A2E NtWriteVirtualMemory, 0_2_02413A2E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0241923E NtResumeThread, 0_2_0241923E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413AF6 NtWriteVirtualMemory, 0_2_02413AF6
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413A88 NtWriteVirtualMemory, 0_2_02413A88
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02412294 NtSetInformationThread,NtWriteVirtualMemory, 0_2_02412294
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024192AA NtResumeThread, 0_2_024192AA
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02417B5F NtSetInformationThread, 0_2_02417B5F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413B61 NtWriteVirtualMemory, 0_2_02413B61
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02419369 NtResumeThread, 0_2_02419369
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0241932C NtResumeThread, 0_2_0241932C
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024193D4 NtResumeThread, 0_2_024193D4
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024153E5 NtWriteVirtualMemory, 0_2_024153E5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02419396 NtResumeThread, 0_2_02419396
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413BB6 NtWriteVirtualMemory, 0_2_02413BB6
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413868 NtWriteVirtualMemory, 0_2_02413868
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413819 NtWriteVirtualMemory, 0_2_02413819
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024190D4 NtResumeThread, 0_2_024190D4
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024138E0 NtWriteVirtualMemory, 0_2_024138E0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02419082 NtWriteVirtualMemory,NtResumeThread, 0_2_02419082
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02410943 NtSetInformationThread, 0_2_02410943
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0241094D NtSetInformationThread, 0_2_0241094D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413929 NtWriteVirtualMemory, 0_2_02413929
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02419128 NtResumeThread, 0_2_02419128
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024139D1 NtWriteVirtualMemory, 0_2_024139D1
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024191D6 NtResumeThread, 0_2_024191D6
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413980 NtWriteVirtualMemory, 0_2_02413980
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024109BE NtSetInformationThread, 0_2_024109BE
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413E4E NtWriteVirtualMemory, 0_2_02413E4E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413E07 NtWriteVirtualMemory, 0_2_02413E07
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02419608 NtResumeThread, 0_2_02419608
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413E34 NtWriteVirtualMemory, 0_2_02413E34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0241963E NtResumeThread, 0_2_0241963E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024196D4 NtResumeThread, 0_2_024196D4
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024136ED NtWriteVirtualMemory, 0_2_024136ED
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024196A5 NtResumeThread, 0_2_024196A5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413745 NtWriteVirtualMemory, 0_2_02413745
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02419711 NtResumeThread, 0_2_02419711
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024137BD NtWriteVirtualMemory, 0_2_024137BD
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413C56 NtWriteVirtualMemory, 0_2_02413C56
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0241945D NtResumeThread, 0_2_0241945D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413CE4 NtWriteVirtualMemory, 0_2_02413CE4
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024194FA NtResumeThread, 0_2_024194FA
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02419571 NtResumeThread, 0_2_02419571
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02419531 NtResumeThread, 0_2_02419531
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413DD9 NtWriteVirtualMemory, 0_2_02413DD9
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024195E5 NtResumeThread, 0_2_024195E5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413D8E NtWriteVirtualMemory, 0_2_02413D8E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_005608BF EnumWindows,NtSetInformationThread, 2_2_005608BF
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00568B05 NtProtectVirtualMemory, 2_2_00568B05
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00560943 NtSetInformationThread, 2_2_00560943
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_0056094D NtSetInformationThread, 2_2_0056094D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_005609BE NtSetInformationThread, 2_2_005609BE
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00560A4D NtSetInformationThread, 2_2_00560A4D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00560A0D NtSetInformationThread, 2_2_00560A0D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00562294 NtSetInformationThread, 2_2_00562294
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00567B5F NtSetInformationThread, 2_2_00567B5F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00561374 NtProtectVirtualMemory, 2_2_00561374
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_0056137C NtProtectVirtualMemory, 2_2_0056137C
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_005613C0 NtProtectVirtualMemory, 2_2_005613C0
Detected potential crypto function
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0040187B 0_2_0040187B
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0040422B 0_2_0040422B
Sample file is different than original file name gathered from version info
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000000.00000000.646048005.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameauricular.exe vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000000.00000002.679589804.0000000000730000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000002.00000002.1006189759.000000001DDA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000002.00000000.678655791.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameauricular.exe vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000002.00000002.1006207484.000000001DEF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Binary or memory string: OriginalFilenameauricular.exe vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Uses 32bit PE files
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@1/1
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\~DF49EDEC8FC18F3BDF.TMP
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Virustotal: Detection: 67%
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Metadefender: Detection: 37%
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe ReversingLabs: Detection: 75%
Source: unknown Process created: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'
Source: unknown Process created: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process created: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 7120, type: MEMORY
Source: Yara match File source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 4168, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 7120, type: MEMORY
Source: Yara match File source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 4168, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02415B5E push edi; retf 0_2_02415B5F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00565B5E push edi; retf 2_2_00565B5F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02414EE3 NtWriteVirtualMemory,LoadLibraryA, 0_2_02414EE3
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02412294 NtSetInformationThread,NtWriteVirtualMemory, 0_2_02412294
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0241838A 0_2_0241838A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024136DF 0_2_024136DF
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00562294 NtSetInformationThread, 2_2_00562294
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_0056838A 2_2_0056838A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_005636DF 2_2_005636DF
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00564EE3 LoadLibraryA, 2_2_00564EE3
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 0000000002417D79 second address: 0000000002417D79 instructions:
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 00000000005617E4 second address: 0000000000567569 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a pop dword ptr [ebp+000000B4h]
    0x00000010 cmp ax, bx
    0x00000013 jmp 00007F10843A64E6h
    0x00000015 test ecx, 108D7A16h
    0x0000001b test dh, bh
    0x0000001d push dword ptr [ebp+64h]
    0x00000020 test ah, FFFFFFE3h
    0x00000023 push 00000367h
    0x00000028 push ecx
    0x00000029 mov ecx, 22739622h
    0x0000002e cmp ecx, 22739622h
    0x00000034 jne 00007F10843A55B1h
    0x0000003a pop ecx
    0x0000003b push 00000031h
    0x0000003d cmp dl, bl
    0x0000003f push dword ptr [ebp+000000B4h]
    0x00000045 call 00007F10843AC1B8h
    0x0000004a cmp ebx, ecx
    0x0000004c cmp dl, FFFFFFF3h
    0x0000004f mov edx, dword ptr [esp+04h]
    0x00000053 test ebx, edx
    0x00000055 mov ecx, dword ptr [esp+08h]
    0x00000059 test al, 1Eh
    0x0000005b add edx, ecx
    0x0000005d neg ecx
    0x0000005f mov ebx, dword ptr [esp+0Ch]
    0x00000063 cmp edx, F9C1C0D7h
    0x00000069 mov eax, dword ptr [esp+10h]
    0x0000006d pushad
    0x0000006e rdtsc
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 0000000000567569 second address: 0000000000567569 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 0000000002417D79 second address: 0000000002417D79 instructions:
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 000000000241870B second address: 000000000241870B instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b inc ecx
    0x0000000c inc ebx
    0x0000000d cmp dword ptr [ebx], 9090C350h
    0x00000013 jne 00007F10843A6503h
    0x00000015 cmp edx, dword ptr [ebx]
    0x00000017 jne 00007F10843A64D8h
    0x00000019 cmp byte ptr [ebx], FFFFFFE8h
    0x0000001c jne 00007F10843A657Ah
    0x00000022 cmp byte ptr [ebx], FFFFFFB8h
    0x00000025 jne 00007F10843A650Eh
    0x00000027 cmp ecx, 00002000h
    0x0000002d jne 00007F10843A6338h
    0x00000033 pushad
    0x00000034 lfence
    0x00000037 rdtsc
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 000000000056870B second address: 000000000056870B instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b inc ecx
    0x0000000c inc ebx
    0x0000000d cmp dword ptr [ebx], 9090C350h
    0x00000013 jne 00007F1084A0CD13h
    0x00000015 cmp edx, dword ptr [ebx]
    0x00000017 jne 00007F1084A0CCE8h
    0x00000019 cmp byte ptr [ebx], FFFFFFE8h
    0x0000001c jne 00007F1084A0CD8Ah
    0x00000022 cmp byte ptr [ebx], FFFFFFB8h
    0x00000025 jne 00007F1084A0CD1Eh
    0x00000027 cmp ecx, 00002000h
    0x0000002d jne 00007F1084A0CB48h
    0x00000033 pushad
    0x00000034 lfence
    0x00000037 rdtsc
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 00000000005617E4 second address: 0000000000567569 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a pop dword ptr [ebp+000000B4h]
    0x00000010 cmp ax, bx
    0x00000013 jmp 00007F10843A64E6h
    0x00000015 test ecx, 108D7A16h
    0x0000001b test dh, bh
    0x0000001d push dword ptr [ebp+64h]
    0x00000020 test ah, FFFFFFE3h
    0x00000023 push 00000367h
    0x00000028 push ecx
    0x00000029 mov ecx, 22739622h
    0x0000002e cmp ecx, 22739622h
    0x00000034 jne 00007F10843A55B1h
    0x0000003a pop ecx
    0x0000003b push 00000031h
    0x0000003d cmp dl, bl
    0x0000003f push dword ptr [ebp+000000B4h]
    0x00000045 call 00007F10843AC1B8h
    0x0000004a cmp ebx, ecx
    0x0000004c cmp dl, FFFFFFF3h
    0x0000004f mov edx, dword ptr [esp+04h]
    0x00000053 test ebx, edx
    0x00000055 mov ecx, dword ptr [esp+08h]
    0x00000059 test al, 1Eh
    0x0000005b add edx, ecx
    0x0000005d neg ecx
    0x0000005f mov ebx, dword ptr [esp+0Ch]
    0x00000063 cmp edx, F9C1C0D7h
    0x00000069 mov eax, dword ptr [esp+10h]
    0x0000006d pushad
    0x0000006e rdtsc
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 0000000000567569 second address: 0000000000567569 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02410BA5 rdtsc 0_2_02410BA5
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Window / User API: threadDelayed 8415
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe API coverage: 7.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe TID: 4240 Thread sleep count: 200 > 30
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe TID: 4240 Thread sleep time: -2000000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Last function: Thread delayed
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024108BF NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,? 0_2_024108BF
Hides threads from debuggers
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02410BA5 rdtsc 0_2_02410BA5
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02414A2D LdrInitializeThunk, 0_2_02414A2D
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02412294 mov eax, dword ptr fs:[00000030h] 0_2_02412294
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0241838A mov eax, dword ptr fs:[00000030h] 0_2_0241838A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024183B9 mov eax, dword ptr fs:[00000030h] 0_2_024183B9
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413017 mov eax, dword ptr fs:[00000030h] 0_2_02413017
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413020 mov eax, dword ptr fs:[00000030h] 0_2_02413020
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02413096 mov eax, dword ptr fs:[00000030h] 0_2_02413096
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024130AE mov eax, dword ptr fs:[00000030h] 0_2_024130AE
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02416924 mov eax, dword ptr fs:[00000030h] 0_2_02416924
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_024141E9 mov eax, dword ptr fs:[00000030h] 0_2_024141E9
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02417632 mov eax, dword ptr fs:[00000030h] 0_2_02417632
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0241845E mov eax, dword ptr fs:[00000030h] 0_2_0241845E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02418402 mov eax, dword ptr fs:[00000030h] 0_2_02418402
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0241841F mov eax, dword ptr fs:[00000030h] 0_2_0241841F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_02412D1A mov eax, dword ptr fs:[00000030h] 0_2_02412D1A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00563017 mov eax, dword ptr fs:[00000030h] 2_2_00563017
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00563020 mov eax, dword ptr fs:[00000030h] 2_2_00563020
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00563096 mov eax, dword ptr fs:[00000030h] 2_2_00563096
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_005630AE mov eax, dword ptr fs:[00000030h] 2_2_005630AE
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00566924 mov eax, dword ptr fs:[00000030h] 2_2_00566924
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_005641E9 mov eax, dword ptr fs:[00000030h] 2_2_005641E9
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00562294 mov eax, dword ptr fs:[00000030h] 2_2_00562294
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_0056838A mov eax, dword ptr fs:[00000030h] 2_2_0056838A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_005683B9 mov eax, dword ptr fs:[00000030h] 2_2_005683B9
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_0056845E mov eax, dword ptr fs:[00000030h] 2_2_0056845E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_0056841F mov eax, dword ptr fs:[00000030h] 2_2_0056841F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00568402 mov eax, dword ptr fs:[00000030h] 2_2_00568402
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00562D1A mov eax, dword ptr fs:[00000030h] 2_2_00562D1A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 2_2_00567632 mov eax, dword ptr fs:[00000030h] 2_2_00567632

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process created: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000002.00000002.1000756448.0000000000EA0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000002.00000002.1000756448.0000000000EA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000002.00000002.1000756448.0000000000EA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000002.00000002.1000756448.0000000000EA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph

Behavior Graph ID: 344014
Sample: IRS_Covid-19_Relief_Payment...
Startdate: 25/01/2021
Architecture: WINDOWS
Score: 100

Process tree: IRS_Covid-19_Relief_Payment_Notice_pdf.exe (Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 4 other signatures) -> IRS_Covid-19_Relief_Payment_Notice_pdf.exe (Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 3 other signatures) -> IRS_Covid-19_Relief_Payment_Notice_pdf.exe (Tries to detect Any.run; Hides threads from debuggers), which contacts chengsolution.com 162.0.209.179, port 443 from local port 49745, ASN ACPCA, Canada.

Contacted Public IPs

IP             Domain   Country  ASN    ASN Name  Malicious
162.0.209.179  unknown  Canada   35893  ACPCA     true

Contacted Domains

Name IP Active
chengsolution.com 162.0.209.179 true