Analysis Report 4AtUJN8Hdu.exe

Overview

General Information

Sample Name: 4AtUJN8Hdu.exe
Analysis ID: 356514
MD5: d7e81abce9332847471b89e50b241172
SHA1: a6455d3a4fb9c2e5627dcbf46702a4e16c2492da
SHA256: 6141efb6f1598e2205806c5a788e61c489440dfc942984ee1688bb68ad0f18df
Tags: exeGuLoader

Most interesting Screenshot:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Multi AV Scanner detection for domain / URL
Source: mtspsmjeli.sch.id Virustotal: Detection: 12% Perma Link
Source: http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin Virustotal: Detection: 15% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\win.exe Virustotal: Detection: 35% Perma Link
Source: C:\Users\user\AppData\Roaming\win.exe ReversingLabs: Detection: 42%
Multi AV Scanner detection for submitted file
Source: 4AtUJN8Hdu.exe Virustotal: Detection: 35% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\win.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 4AtUJN8Hdu.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: 4AtUJN8Hdu.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.150.60.242 103.150.60.242
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /cl/VK_Remcos%20v2_AxaGIU151.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mtspsmjeli.sch.idCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /cl/VK_Remcos%20v2_AxaGIU151.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mtspsmjeli.sch.idCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: mtspsmjeli.sch.id
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp String found in binary or memory: http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: win.exe, 0000001E.00000002.753745838.000000000067A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00566C80 NtSetInformationThread, 26_2_00566C80
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00566766 NtProtectVirtualMemory, 26_2_00566766
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_0056631A NtSetInformationThread, 26_2_0056631A
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00560534 EnumWindows,NtSetInformationThread, 26_2_00560534
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00566E75 NtSetInformationThread, 26_2_00566E75
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_0056061B NtSetInformationThread, 26_2_0056061B
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_005606D3 NtSetInformationThread, 26_2_005606D3
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00560EDD NtProtectVirtualMemory, 26_2_00560EDD
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00566EDB NtSetInformationThread, 26_2_00566EDB
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_005668F5 NtProtectVirtualMemory, 26_2_005668F5
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00566CE5 NtSetInformationThread, 26_2_00566CE5
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_0056069F NtSetInformationThread, 26_2_0056069F
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00566C99 NtSetInformationThread, 26_2_00566C99
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00566EA3 NtSetInformationThread, 26_2_00566EA3
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00560743 NtSetInformationThread, 26_2_00560743
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00566D6A NtSetInformationThread, 26_2_00566D6A
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00560F68 NtProtectVirtualMemory, 26_2_00560F68
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_005605DE NtSetInformationThread, 26_2_005605DE
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00566DD9 NtSetInformationThread, 26_2_00566DD9
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_005659CD NtSetInformationThread, 26_2_005659CD
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00560DBD NtProtectVirtualMemory, 26_2_00560DBD
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00560FA1 NtProtectVirtualMemory, 26_2_00560FA1
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00566DAB NtSetInformationThread, 26_2_00566DAB
Detected potential crypto function
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 0_2_00402BF9 0_2_00402BF9
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00564B29 26_2_00564B29
PE file contains strange resources
Source: 4AtUJN8Hdu.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win.exe.26.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 4AtUJN8Hdu.exe, 00000000.00000000.227272150.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRidgepieceudtrreu.exe vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 00000000.00000002.686046598.00000000021F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712764051.000000001E020000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712764051.000000001E020000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712402397.000000001DC50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712447968.000000001DF20000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000000.684091283.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRidgepieceudtrreu.exe vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe Binary or memory string: OriginalFilenameRidgepieceudtrreu.exe vs 4AtUJN8Hdu.exe
Uses 32bit PE files
Source: 4AtUJN8Hdu.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/3@1/1
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe File created: C:\Users\user\AppData\Roaming\win.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_01
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-K77NUC
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe File created: C:\Users\user\AppData\Local\Temp\~DFCACFC5B555D77E93.TMP Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: 4AtUJN8Hdu.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: 4AtUJN8Hdu.exe Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe File read: C:\Users\user\Desktop\4AtUJN8Hdu.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\4AtUJN8Hdu.exe 'C:\Users\user\Desktop\4AtUJN8Hdu.exe'
Source: unknown Process created: C:\Users\user\Desktop\4AtUJN8Hdu.exe 'C:\Users\user\Desktop\4AtUJN8Hdu.exe'
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: Process Memory Space: 4AtUJN8Hdu.exe PID: 6564, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: 4AtUJN8Hdu.exe PID: 6564, type: MEMORY
PE file contains an invalid checksum
Source: 4AtUJN8Hdu.exe Static PE information: real checksum: 0x27364 should be: 0x25d86
Source: win.exe.26.dr Static PE information: real checksum: 0x27364 should be: 0x25d86
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 0_2_0040546F push edx; iretd 0_2_00405471
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 0_2_00404889 push ds; retf 0_2_0040488A
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 0_2_0040769A push esp; iretd 0_2_0040769B

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe File created: C:\Users\user\AppData\Roaming\win.exe Jump to dropped file
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE`
Source: 4AtUJN8Hdu.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00560A8C rdtsc 26_2_00560A8C
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe`
Source: 4AtUJN8Hdu.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

barindex
Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_0056631A NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00400000,?,00000000 26_2_0056631A
Hides threads from debuggers
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00560A8C rdtsc 26_2_00560A8C
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00563623 LdrInitializeThunk, 26_2_00563623
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_0056229F mov eax, dword ptr fs:[00000030h] 26_2_0056229F
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_0056631A mov eax, dword ptr fs:[00000030h] 26_2_0056631A
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00561AD5 mov eax, dword ptr fs:[00000030h] 26_2_00561AD5
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_005662DB mov eax, dword ptr fs:[00000030h] 26_2_005662DB
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_005654F7 mov eax, dword ptr fs:[00000030h] 26_2_005654F7
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_005622AB mov eax, dword ptr fs:[00000030h] 26_2_005622AB
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00564D4A mov eax, dword ptr fs:[00000030h] 26_2_00564D4A
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_0056632D mov eax, dword ptr fs:[00000030h] 26_2_0056632D
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00562FEA mov eax, dword ptr fs:[00000030h] 26_2_00562FEA
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00565582 mov eax, dword ptr fs:[00000030h] 26_2_00565582

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe Jump to behavior
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe Code function: 26_2_00560ABC cpuid 26_2_00560ABC
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356514 Sample: 4AtUJN8Hdu.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for domain / URL 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected GuLoader 2->40 42 3 other signatures 2->42 9 4AtUJN8Hdu.exe 1 2->9         started        12 win.exe 1 2->12         started        14 win.exe 1 2->14         started        process3 signatures4 48 Contains functionality to hide a thread from the debugger 9->48 16 4AtUJN8Hdu.exe 4 10 9->16         started        process5 dnsIp6 34 mtspsmjeli.sch.id 103.150.60.242, 49744, 80 PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID unknown 16->34 30 C:\Users\user\AppData\Roaming\win.exe, PE32 16->30 dropped 32 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 16->32 dropped 44 Tries to detect Any.run 16->44 46 Hides threads from debuggers 16->46 21 wscript.exe 1 16->21         started        file7 signatures8 process9 process10 23 cmd.exe 1 21->23         started        process11 25 win.exe 1 23->25         started        28 conhost.exe 23->28         started        signatures12 50 Multi AV Scanner detection for dropped file 25->50 52 Machine Learning detection for dropped file 25->52
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.150.60.242
 unknown unknown
45325 PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID true

Contacted Domains

Name IP Active
mtspsmjeli.sch.id 103.150.60.242 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin true
  • 15%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown