Analysis Report New_Shipment_order#345-4252.exe

Overview

General Information

Sample Name: New_Shipment_order#345-4252.exe
Analysis ID: 357306
MD5: 89f618eee49448598d46ea03cd0e0ebb
SHA1: 7e5b187d617212801d5ffe49245108885b521793
SHA256: 39874f3eb3d660ef8af1c02af08ddfa4d3dc14aedf2c216e3e1f8639813bf2e1

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Compliance:

Uses 32bit PE files
Source: New_Shipment_order#345-4252.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.6:49753 version: TLS 1.2

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.130.233
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005681C2 InternetReadFile, 21_2_005681C2
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/)
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/9
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/;
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/B
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/C
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/K
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/M
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/P
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/S
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842430053.0000000000A07000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.bin
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.bin)
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.bin1
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842430053.0000000000A07000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.bin3
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842430053.0000000000A07000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.bin:
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842430053.0000000000A07000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.binC
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842430053.0000000000A07000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.binH
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.binI
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842430053.0000000000A07000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.binL
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.binQ
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842430053.0000000000A07000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.binR
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.binWy
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.bina
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842430053.0000000000A07000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.binf
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842430053.0000000000A07000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.binj
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/813843419184365593/814034797084540958/uSBKpe156.binln
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/k
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/l
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/o
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842374649.00000000009B8000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/or?
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/r
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842625264.0000000002500000.00000004.00000001.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842453796.0000000000A1F000.00000004.00000020.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.6:49753 version: TLS 1.2

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: New_Shipment_order#345-4252.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005604D5 EnumWindows,NtSetInformationThread, 21_2_005604D5
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562E99 NtSetInformationThread, 21_2_00562E99
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005607DB NtProtectVirtualMemory, 21_2_005607DB
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_0056104D NtProtectVirtualMemory, 21_2_0056104D
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00561015 NtProtectVirtualMemory, 21_2_00561015
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00561005 NtProtectVirtualMemory, 21_2_00561005
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005610ED NtProtectVirtualMemory, 21_2_005610ED
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00561099 NtProtectVirtualMemory, 21_2_00561099
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00561089 NtProtectVirtualMemory, 21_2_00561089
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005610AD NtProtectVirtualMemory, 21_2_005610AD
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00568115 NtProtectVirtualMemory, 21_2_00568115
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00567D59 NtProtectVirtualMemory, 21_2_00567D59
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005605DD NtSetInformationThread, 21_2_005605DD
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005605C7 NtSetInformationThread, 21_2_005605C7
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005605F9 NtSetInformationThread, 21_2_005605F9
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005605B1 NtSetInformationThread, 21_2_005605B1
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_0056064B NtSetInformationThread, 21_2_0056064B
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00560665 NtSetInformationThread, 21_2_00560665
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00560615 NtSetInformationThread, 21_2_00560615
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005606C5 NtSetInformationThread, 21_2_005606C5
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005606FD NtSetInformationThread, 21_2_005606FD
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00560689 NtSetInformationThread, 21_2_00560689
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005606AB NtSetInformationThread, 21_2_005606AB
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00560713 NtSetInformationThread, 21_2_00560713
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562FC0 NtSetInformationThread, 21_2_00562FC0
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562FE3 NtSetInformationThread,LoadLibraryA, 21_2_00562FE3
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00566795 NtSetInformationThread, 21_2_00566795
Detected potential crypto function
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005607DB 21_2_005607DB
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_0056127B 21_2_0056127B
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005612D5 21_2_005612D5
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005612ED 21_2_005612ED
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00561289 21_2_00561289
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005612A1 21_2_005612A1
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00561311 21_2_00561311
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00564519 21_2_00564519
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005646B1 21_2_005646B1
PE file contains strange resources
Source: New_Shipment_order#345-4252.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New_Shipment_order#345-4252.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New_Shipment_order#345-4252.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: New_Shipment_order#345-4252.exe, 00000000.00000000.317901681.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSkydningernes.exe vs New_Shipment_order#345-4252.exe
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.846298931.000000001DDB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs New_Shipment_order#345-4252.exe
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.846269173.000000001DC60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs New_Shipment_order#345-4252.exe
Source: New_Shipment_order#345-4252.exe, 00000015.00000000.589662948.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSkydningernes.exe vs New_Shipment_order#345-4252.exe
Source: New_Shipment_order#345-4252.exe Binary or memory string: OriginalFilenameSkydningernes.exe vs New_Shipment_order#345-4252.exe
Uses 32bit PE files
Source: New_Shipment_order#345-4252.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@3/0@1/1
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe File created: C:\Users\user\AppData\Local\Temp\~DFD33BEEF0D3EDA279.TMP
Source: New_Shipment_order#345-4252.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe 'C:\Users\user\Desktop\New_Shipment_order#345-4252.exe'
Source: unknown Process created: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe 'C:\Users\user\Desktop\New_Shipment_order#345-4252.exe'
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Process created: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe 'C:\Users\user\Desktop\New_Shipment_order#345-4252.exe'

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: New_Shipment_order#345-4252.exe PID: 6760, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: New_Shipment_order#345-4252.exe PID: 6760, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005678DD push eax; iretd 21_2_00567897
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005672C6 push edi; ret 21_2_005672C8
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005656A9 push edx; iretd 21_2_005656AB
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562BC6 21_2_00562BC6
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562BB3 21_2_00562BB3
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562BB1 LoadLibraryA, 21_2_00562BB1
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562C39 21_2_00562C39
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562C21 21_2_00562C21
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562C89 21_2_00562C89
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562CB9 21_2_00562CB9
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562CA1 21_2_00562CA1
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe RDTSC instruction interceptor: First address: 0000000000435BB1 second address: 0000000000435BB1 instructions:
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe RDTSC instruction interceptor: First address: 0000000000565DD7 second address: 0000000000565DD7 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842119436.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe RDTSC instruction interceptor: First address: 0000000000430121 second address: 0000000000434104 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d call 00007F2AECC80C9Ah 0x00000012 pop dword ptr [ebp+44h] 0x00000015 jmp 00007F2AECC80C92h 0x00000017 test eax, ebx 0x00000019 push dword ptr [ebp+44h] 0x0000001c jmp 00007F2AECC80C92h 0x0000001e cmp cx, dx 0x00000021 call 00007F2AECC84BEFh 0x00000026 mov ebx, dword ptr [esp+04h] 0x0000002a inc ebx 0x0000002b dec ebx 0x0000002c xor edx, edx 0x0000002e jmp 00007F2AECC80C92h 0x00000030 pushad 0x00000031 lfence 0x00000034 rdtsc
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe RDTSC instruction interceptor: First address: 0000000000434104 second address: 0000000000434104 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, ebx 0x0000000d mov ecx, 00001000h 0x00000012 jmp 00007F2AEC880122h 0x00000014 test ebx, 549F426Ch 0x0000001a div ecx 0x0000001c cmp edx, 00000000h 0x0000001f jne 00007F2AEC8800C8h 0x00000021 dec ebx 0x00000022 xor edx, edx 0x00000024 jmp 00007F2AEC880122h 0x00000026 pushad 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe RDTSC instruction interceptor: First address: 0000000000430BC5 second address: 0000000000430D77 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp eax, 00000000h 0x0000000e je 00007F2AECC80DF7h 0x00000014 jmp 00007F2AECC80C92h 0x00000016 cmp edx, ecx 0x00000018 mov ecx, dword ptr [ebp+5Ch] 0x0000001b jmp 00007F2AECC80C92h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe RDTSC instruction interceptor: First address: 0000000000435BB1 second address: 0000000000435BB1 instructions:
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe RDTSC instruction interceptor: First address: 0000000000560121 second address: 0000000000564104 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d call 00007F2AECC80C9Ah 0x00000012 pop dword ptr [ebp+44h] 0x00000015 jmp 00007F2AECC80C92h 0x00000017 test eax, ebx 0x00000019 push dword ptr [ebp+44h] 0x0000001c jmp 00007F2AECC80C92h 0x0000001e cmp cx, dx 0x00000021 call 00007F2AECC84BEFh 0x00000026 mov ebx, dword ptr [esp+04h] 0x0000002a inc ebx 0x0000002b dec ebx 0x0000002c xor edx, edx 0x0000002e jmp 00007F2AECC80C92h 0x00000030 pushad 0x00000031 lfence 0x00000034 rdtsc
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe RDTSC instruction interceptor: First address: 0000000000564104 second address: 0000000000564104 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, ebx 0x0000000d mov ecx, 00001000h 0x00000012 jmp 00007F2AEC880122h 0x00000014 test ebx, 549F426Ch 0x0000001a div ecx 0x0000001c cmp edx, 00000000h 0x0000001f jne 00007F2AEC8800C8h 0x00000021 dec ebx 0x00000022 xor edx, edx 0x00000024 jmp 00007F2AEC880122h 0x00000026 pushad 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe RDTSC instruction interceptor: First address: 0000000000560BC5 second address: 0000000000560D77 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp eax, 00000000h 0x0000000e je 00007F2AECC80DF7h 0x00000014 jmp 00007F2AECC80C92h 0x00000016 cmp edx, ecx 0x00000018 mov ecx, dword ptr [ebp+5Ch] 0x0000001b jmp 00007F2AECC80C92h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe RDTSC instruction interceptor: First address: 0000000000565DD7 second address: 0000000000565DD7 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005608B9 rdtsc 21_2_005608B9
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Window / User API: threadDelayed 749
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe API coverage: 4.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe TID: 3628 Thread sleep count: 749 > 30
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe TID: 3628 Thread sleep time: -7490000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Last function: Thread delayed
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842430053.0000000000A07000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWo
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842374649.00000000009B8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842119436.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
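The "RDTSC instruction interceptor" entries above are flattened: the HTML export runs the `offset mnemonic operands` triples of the intercepted code together on one line, which makes the fragment hard to read. The following is an added example, not part of the Joe Sandbox report, that rebuilds the instruction list from one such line and reports what the fragment does with the timestamp. The sample trace is copied from the second entry above; the analysis rules (lfence adjacency, the `shl edx,20h` / `or edx,eax` pair, the POPAD dead-value check, the `div ecx` modulus) are this example's own. Two points it encodes that a reviewer of such traces should keep in mind: this is a 32-bit process, so `shl edx, 20h` shifts by 0x20 & 0x1F = 0 and does nothing, and the value returned by the first `rdtsc` is overwritten by the `popad` four instructions later without being stored anywhere, so this fragment by itself is not a threshold comparison; whatever measurement the loader makes happens elsewhere.

```python
import re

# Constructed input: one "RDTSC instruction interceptor" trace copied from this report,
# in the flattened "offset mnemonic operands offset mnemonic ..." form the export leaves.
SAMPLE_TRACE = (
    "0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax "
    "0x0000000a popad 0x0000000b mov eax, ebx 0x0000000d mov ecx, 00001000h "
    "0x00000012 jmp 00007F2AEC880122h 0x00000014 test ebx, 549F426Ch 0x0000001a div ecx "
    "0x0000001c cmp edx, 00000000h 0x0000001f jne 00007F2AEC8800C8h 0x00000021 dec ebx "
    "0x00000022 xor edx, edx 0x00000024 jmp 00007F2AEC880122h 0x00000026 pushad "
    "0x00000027 lfence 0x0000002a rdtsc"
)

# Each instruction begins with an 8-hex-digit 0x offset. Operands never carry a 0x
# prefix (immediates look like 00001000h), so this boundary is unambiguous.
_OFFSET_SPLIT_RE = re.compile(r"\s+(?=0x[0-9a-fA-F]{8}\s)")
_ECX_IMM_RE = re.compile(r"^ecx,([0-9a-f]+)h$")


def parse_trace(trace):
    """Return [(offset, mnemonic, operands)] with operands normalised to 'a,b' form."""
    insns = []
    for piece in _OFFSET_SPLIT_RE.split(trace.strip()):
        off, mnem, *rest = piece.split(None, 2)
        ops = ",".join(p.strip().lower() for p in rest[0].split(",")) if rest else ""
        insns.append((int(off, 16), mnem.lower(), ops))
    return insns


def analyse_rdtsc(insns):
    """Describe what a trace fragment does around its rdtsc reads."""
    mnems = [m for _, m, _ in insns]
    reads = [i for i, m in enumerate(mnems) if m == "rdtsc"]

    # lfence beside each read stops the CPU from moving work across the read;
    # without it a measured delta is mostly noise.
    serialised = bool(reads) and all(
        (i > 0 and mnems[i - 1] == "lfence") or (i + 1 < len(mnems) and mnems[i + 1] == "lfence")
        for i in reads
    )

    # Textbook 64-bit assembly of EDX:EAX. In a 32-bit process the shift count is
    # masked to 5 bits, so 'shl edx, 20h' shifts by zero and only the OR takes effect.
    combine = any(
        insns[i][1:] == ("shl", "edx,20h") and insns[i + 1][1:] == ("or", "edx,eax")
        for i in range(len(insns) - 1)
    )

    # POPAD overwrites EAX and EDX. If no mov/push saves them first, the first
    # timestamp is dead and this fragment cannot be comparing two reads.
    discarded = False
    tail = insns[reads[0] + 1:] if reads else []
    for _, m, ops in tail:
        if m == "popad":
            discarded = True
            break
        if m in ("mov", "push") and ops.split(",")[-1] in ("eax", "edx"):
            break

    # 'mov ecx, IMM' followed by 'div ecx' leaves (counter mod IMM) in EDX; the
    # fragment then tests that remainder, i.e. it acts every IMM-th iteration.
    modulus = ecx_imm = None
    for _, m, ops in insns:
        match = _ECX_IMM_RE.match(ops) if m == "mov" else None
        if match:
            ecx_imm = int(match.group(1), 16)
        elif m == "div" and ops == "ecx":
            modulus = ecx_imm

    return {
        "rdtsc_reads": len(reads),
        "span_bytes": insns[reads[-1]][0] - insns[reads[0]][0] if len(reads) > 1 else 0,
        "lfence_serialised": serialised,
        "edx_eax_combine": combine,
        "first_read_discarded": discarded,
        "loop_modulus": modulus,
    }


if __name__ == "__main__":
    for off, mnem, ops in parse_trace(SAMPLE_TRACE):
        print(f"{off:#06x}  {mnem:<6} {ops}")
    print(analyse_rdtsc(parse_trace(SAMPLE_TRACE)))
```

Run against the sample, the parser reports two serialised reads 42 bytes apart, the no-op combine, a discarded first read, and a loop that does something every 0x1000 iterations. The same function applies to the other two populated traces above; the empty "instructions:" entries parse to an empty list and are left as the report has them.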

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005604D5 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,? 21_2_005604D5
Hides threads from debuggers
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005608B9 rdtsc 21_2_005608B9
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00560202 LdrInitializeThunk, 21_2_00560202
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00564057 mov eax, dword ptr fs:[00000030h] 21_2_00564057
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562859 mov eax, dword ptr fs:[00000030h] 21_2_00562859
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_0056284A mov eax, dword ptr fs:[00000030h] 21_2_0056284A
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562871 mov eax, dword ptr fs:[00000030h] 21_2_00562871
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562829 mov eax, dword ptr fs:[00000030h] 21_2_00562829
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005628B7 mov eax, dword ptr fs:[00000030h] 21_2_005628B7
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005628A9 mov eax, dword ptr fs:[00000030h] 21_2_005628A9
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562BC6 mov eax, dword ptr fs:[00000030h] 21_2_00562BC6
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562BB3 mov eax, dword ptr fs:[00000030h] 21_2_00562BB3
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562BB1 mov eax, dword ptr fs:[00000030h] 21_2_00562BB1
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_0056745D mov eax, dword ptr fs:[00000030h] 21_2_0056745D
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_0056740D mov eax, dword ptr fs:[00000030h] 21_2_0056740D
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562C39 mov eax, dword ptr fs:[00000030h] 21_2_00562C39
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562C21 mov eax, dword ptr fs:[00000030h] 21_2_00562C21
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005674C1 mov eax, dword ptr fs:[00000030h] 21_2_005674C1
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00567484 mov eax, dword ptr fs:[00000030h] 21_2_00567484
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00562CA1 mov eax, dword ptr fs:[00000030h] 21_2_00562CA1
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005674A9 mov eax, dword ptr fs:[00000030h] 21_2_005674A9
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_0056753B mov eax, dword ptr fs:[00000030h] 21_2_0056753B
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_005666AB mov eax, dword ptr fs:[00000030h] 21_2_005666AB
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00565FA1 mov eax, dword ptr fs:[00000030h] 21_2_00565FA1
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00561FAE mov eax, dword ptr fs:[00000030h] 21_2_00561FAE

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Process created: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe 'C:\Users\user\Desktop\New_Shipment_order#345-4252.exe'
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842508428.0000000000F40000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842508428.0000000000F40000.00000002.00000001.sdmp Binary or memory string: Progman
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842508428.0000000000F40000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: New_Shipment_order#345-4252.exe, 00000015.00000002.842508428.0000000000F40000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\New_Shipment_order#345-4252.exe Code function: 21_2_00561DCD cpuid 21_2_00561DCD

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name         Malicious
162.159.130.233  unknown  United States  13335  CLOUDFLARENETUS  false

Contacted Domains

Name                IP               Active
cdn.discordapp.com  162.159.130.233  true