Analysis Report Transferencia.exe

Overview

General Information

Sample Name:	Transferencia.exe
Analysis ID:	384290
MD5:	7c22c3e3b8726dd1b03e69c203590026
SHA1:	7715be6b73e52535d81b083a3dfd95568a729782
SHA256:	96fb89fdc3873864981ec26c355111c26c7ab5132770ead9d1d97bdfac32e566
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contain functionality to detect virtual machines

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: Transferencia.exe	Virustotal: Detection: 28%			Perma Link
Source: Transferencia.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Source: Transferencia.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: Transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC88DE LoadLibraryA,InternetReadFile,

10_2_00DC88DE

Source: RegAsm.exe, 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp

String found in binary or memory: https://drive.google.com/uc?export=download&id=1cUL0K7dYgbhK7vN-RFgTfWB-AllHwx8q

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Transferencia.exe

Code function: 0_2_004145B8 OpenClipboard,

0_2_004145B8

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\Transferencia.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC849A NtProtectVirtualMemory,	10_2_00DC849A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC2C3F NtSetInformationThread,	10_2_00DC2C3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0BF8 NtSetInformationThread,LoadLibraryA,	10_2_00DC0BF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0724 EnumWindows,NtSetInformationThread,	10_2_00DC0724
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC64F1 NtSetInformationThread,	10_2_00DC64F1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC08E7 NtSetInformationThread,	10_2_00DC08E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC08BA NtSetInformationThread,	10_2_00DC08BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0848 NtSetInformationThread,	10_2_00DC0848
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC084A NtSetInformationThread,	10_2_00DC084A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC844B NtProtectVirtualMemory,	10_2_00DC844B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0878 NtSetInformationThread,	10_2_00DC0878
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC846D NtProtectVirtualMemory,	10_2_00DC846D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC6409 NtSetInformationThread,LoadLibraryA,	10_2_00DC6409
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC09C6 NtSetInformationThread,	10_2_00DC09C6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC09FC NtSetInformationThread,	10_2_00DC09FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC69E2 NtSetInformationThread,	10_2_00DC69E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC099A NtSetInformationThread,	10_2_00DC099A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0942 NtSetInformationThread,	10_2_00DC0942
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC096A NtSetInformationThread,	10_2_00DC096A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0AC7 NtSetInformationThread,	10_2_00DC0AC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0A6E NtSetInformationThread,	10_2_00DC0A6E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0A24 NtSetInformationThread,	10_2_00DC0A24
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC7BEA NtSetInformationThread,	10_2_00DC7BEA

PE file contains strange resources

Source: Transferencia.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Transferencia.exe, 00000000.00000000.192474638.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exe vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2XPr vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X7s vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2XSq vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X:vR vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs Transferencia.exe
Source: Transferencia.exe	Binary or memory string: OriginalFilenameYCIETRA.exe vs Transferencia.exe

Tries to load missing DLLs

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: Transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@3/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1332:120:WilError_01

Source: C:\Users\user\Desktop\Transferencia.exe

File created: C:\Users\user\AppData\Local\Temp\~DFE80FAB2DF37D26B6.TMP

Jump to behavior

Source: Transferencia.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Transferencia.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Transferencia.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Transferencia.exe	Virustotal: Detection: 28%
Source: Transferencia.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\Transferencia.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Users\user\Desktop\Transferencia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1324, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00404E48 pushfd ; iretd	0_2_00404E49
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00404049 pushfd ; iretd	0_2_0040404D
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040904D push eax; ret	0_2_00409056
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_004020CE pushfd ; iretd	0_2_004020FD
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402EEA push dword ptr [edi-4B012F33h]; retf	0_2_00402EFD
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_004020FE pushfd ; iretd	0_2_00402101
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00407E96 push esi; iretd	0_2_00407E9D
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040336C push fs; ret	0_2_00403405
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00408F70 push eax; ret	0_2_00408F7E
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00408976 push eax; ret	0_2_0040897A
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402302 pushfd ; iretd	0_2_00402305
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040911A push eax; iretd	0_2_00409182
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402BD9 pushfd ; iretd	0_2_00402BE1
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402F92 pushfd ; iretd	0_2_00402F95

Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contain functionality to detect virtual machines

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		10_2_00DC421B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		10_2_00DC4236

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0CFF LoadLibraryA,	10_2_00DC0CFF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0BF8 NtSetInformationThread,LoadLibraryA,	10_2_00DC0BF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0CBA	10_2_00DC0CBA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0C23	10_2_00DC0C23
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC1DBB LoadLibraryA,	10_2_00DC1DBB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0D04	10_2_00DC0D04
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC7E0C LoadLibraryA,	10_2_00DC7E0C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0B8E	10_2_00DC0B8E

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000503DB0 second address: 0000000000503DB0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F16884CF258h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F16884CF272h 0x00000024 cmp dh, 00000056h 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F16884CF1ACh 0x00000031 push ecx 0x00000032 jmp 00007F16884CF272h 0x00000034 push esi 0x00000035 jmp 00007F16884CF297h 0x00000037 call 00007F16884CF22Ch 0x0000003c pop esi 0x0000003d jmp esi 0x0000003f pop esi 0x00000040 call 00007F16884CF2C8h 0x00000045 call 00007F16884CF268h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000507E3E second address: 0000000000507E3E instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000500CE2 second address: 0000000000500CE2 instructions:

Tries to detect Any.run

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Transferencia.exe, 00000000.00000002.517554355.00000000006A9000.00000004.00000020.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE:
Source: RegAsm.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000503DB0 second address: 0000000000503DB0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F16884CF258h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F16884CF272h 0x00000024 cmp dh, 00000056h 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F16884CF1ACh 0x00000031 push ecx 0x00000032 jmp 00007F16884CF272h 0x00000034 push esi 0x00000035 jmp 00007F16884CF297h 0x00000037 call 00007F16884CF22Ch 0x0000003c pop esi 0x0000003d jmp esi 0x0000003f pop esi 0x00000040 call 00007F16884CF2C8h 0x00000045 call 00007F16884CF268h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000504092 second address: 0000000000504092 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F168903D370h 0x0000001d popad 0x0000001e call 00007F1689039E45h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000507E3E second address: 0000000000507E3E instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000500CE2 second address: 0000000000500CE2 instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000500FA9 second address: 0000000000501036 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edi, 00010000h 0x00000011 jmp 00007F16884CF276h 0x00000013 test bh, ah 0x00000015 push edi 0x00000016 test ch, dh 0x00000018 add edi, 04h 0x0000001b push edi 0x0000001c pushad 0x0000001d mov ax, 0E01h 0x00000021 cmp ax, 00000E01h 0x00000025 jne 00007F16884CEAFFh 0x0000002b popad 0x0000002c add edi, 04h 0x0000002f push edi 0x00000030 jmp 00007F16884CF27Ah 0x00000032 test ecx, ebx 0x00000034 push 0003E800h 0x00000039 cmp ax, 00001CE5h 0x0000003d pushad 0x0000003e lfence 0x00000041 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000DC4092 second address: 0000000000DC4092 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F168903D370h 0x0000001d popad 0x0000001e call 00007F1689039E45h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000DC0FA9 second address: 0000000000DC1036 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edi, 00010000h 0x00000011 jmp 00007F16884CF276h 0x00000013 test bh, ah 0x00000015 push edi 0x00000016 test ch, dh 0x00000018 add edi, 04h 0x0000001b push edi 0x0000001c pushad 0x0000001d mov ax, 0E01h 0x00000021 cmp ax, 00000E01h 0x00000025 jne 00007F16884CEAFFh 0x0000002b popad 0x0000002c add edi, 04h 0x0000002f push edi 0x00000030 jmp 00007F16884CF27Ah 0x00000032 test ecx, ebx 0x00000034 push 0003E800h 0x00000039 cmp ax, 00001CE5h 0x0000003d pushad 0x0000003e lfence 0x00000041 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC88DE rdtsc

10_2_00DC88DE

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

API coverage: 7.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1260

Thread sleep time: -70000s >= -30000s

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Transferencia.exe, 00000000.00000002.517554355.00000000006A9000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe:

Anti Debugging:

Contains functionality to hide a thread from the debugger

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC2C3F NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000

10_2_00DC2C3F

Found potential dummy code loops (likely to delay analysis)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process Stats: CPU usage > 90% for more than 60s

Hides threads from debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread information set: HideFromDebugger

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC88DE rdtsc

10_2_00DC88DE

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC5079 LdrInitializeThunk,

10_2_00DC5079

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC60E3 mov eax, dword ptr fs:[00000030h]	10_2_00DC60E3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC29E7 mov eax, dword ptr fs:[00000030h]	10_2_00DC29E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC299C mov eax, dword ptr fs:[00000030h]	10_2_00DC299C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC29A6 mov eax, dword ptr fs:[00000030h]	10_2_00DC29A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC26DC mov eax, dword ptr fs:[00000030h]	10_2_00DC26DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC2696 mov eax, dword ptr fs:[00000030h]	10_2_00DC2696
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC2684 mov eax, dword ptr fs:[00000030h]	10_2_00DC2684
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC6E17 mov eax, dword ptr fs:[00000030h]	10_2_00DC6E17
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC7E0C mov eax, dword ptr fs:[00000030h]	10_2_00DC7E0C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC2A37 mov eax, dword ptr fs:[00000030h]	10_2_00DC2A37
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC7E22 mov eax, dword ptr fs:[00000030h]	10_2_00DC7E22
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC1FD0 mov eax, dword ptr fs:[00000030h]	10_2_00DC1FD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC3B32 mov eax, dword ptr fs:[00000030h]	10_2_00DC3B32

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: RegAsm.exe, 0000000A.00000002.587019635.0000000001600000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000A.00000002.587019635.0000000001600000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000A.00000002.587019635.0000000001600000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 0000000A.00000002.587019635.0000000001600000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

AV Detection:

Multi AV Scanner detection for submitted file

Source: Transferencia.exe	Virustotal: Detection: 28%			Perma Link
Source: Transferencia.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Source: Transferencia.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: Transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC88DE LoadLibraryA,InternetReadFile,

10_2_00DC88DE

Source: RegAsm.exe, 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp

String found in binary or memory: https://drive.google.com/uc?export=download&id=1cUL0K7dYgbhK7vN-RFgTfWB-AllHwx8q

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Transferencia.exe

Code function: 0_2_004145B8 OpenClipboard,

0_2_004145B8

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\Transferencia.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC849A NtProtectVirtualMemory,	10_2_00DC849A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC2C3F NtSetInformationThread,	10_2_00DC2C3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0BF8 NtSetInformationThread,LoadLibraryA,	10_2_00DC0BF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0724 EnumWindows,NtSetInformationThread,	10_2_00DC0724
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC64F1 NtSetInformationThread,	10_2_00DC64F1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC08E7 NtSetInformationThread,	10_2_00DC08E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC08BA NtSetInformationThread,	10_2_00DC08BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0848 NtSetInformationThread,	10_2_00DC0848
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC084A NtSetInformationThread,	10_2_00DC084A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC844B NtProtectVirtualMemory,	10_2_00DC844B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0878 NtSetInformationThread,	10_2_00DC0878
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC846D NtProtectVirtualMemory,	10_2_00DC846D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC6409 NtSetInformationThread,LoadLibraryA,	10_2_00DC6409
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC09C6 NtSetInformationThread,	10_2_00DC09C6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC09FC NtSetInformationThread,	10_2_00DC09FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC69E2 NtSetInformationThread,	10_2_00DC69E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC099A NtSetInformationThread,	10_2_00DC099A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0942 NtSetInformationThread,	10_2_00DC0942
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC096A NtSetInformationThread,	10_2_00DC096A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0AC7 NtSetInformationThread,	10_2_00DC0AC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0A6E NtSetInformationThread,	10_2_00DC0A6E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0A24 NtSetInformationThread,	10_2_00DC0A24
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC7BEA NtSetInformationThread,	10_2_00DC7BEA

PE file contains strange resources

Source: Transferencia.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Transferencia.exe, 00000000.00000000.192474638.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exe vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2XPr vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X7s vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2XSq vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X:vR vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs Transferencia.exe
Source: Transferencia.exe	Binary or memory string: OriginalFilenameYCIETRA.exe vs Transferencia.exe

Tries to load missing DLLs

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: Transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@3/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1332:120:WilError_01

Source: C:\Users\user\Desktop\Transferencia.exe

File created: C:\Users\user\AppData\Local\Temp\~DFE80FAB2DF37D26B6.TMP

Jump to behavior

Source: Transferencia.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Transferencia.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Transferencia.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Transferencia.exe	Virustotal: Detection: 28%
Source: Transferencia.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\Transferencia.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Users\user\Desktop\Transferencia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1324, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00404E48 pushfd ; iretd	0_2_00404E49
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00404049 pushfd ; iretd	0_2_0040404D
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040904D push eax; ret	0_2_00409056
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_004020CE pushfd ; iretd	0_2_004020FD
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402EEA push dword ptr [edi-4B012F33h]; retf	0_2_00402EFD
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_004020FE pushfd ; iretd	0_2_00402101
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00407E96 push esi; iretd	0_2_00407E9D
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040336C push fs; ret	0_2_00403405
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00408F70 push eax; ret	0_2_00408F7E
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00408976 push eax; ret	0_2_0040897A
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402302 pushfd ; iretd	0_2_00402305
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040911A push eax; iretd	0_2_00409182
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402BD9 pushfd ; iretd	0_2_00402BE1
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402F92 pushfd ; iretd	0_2_00402F95

Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contain functionality to detect virtual machines

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		10_2_00DC421B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		10_2_00DC4236

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0CFF LoadLibraryA,	10_2_00DC0CFF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0BF8 NtSetInformationThread,LoadLibraryA,	10_2_00DC0BF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0CBA	10_2_00DC0CBA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0C23	10_2_00DC0C23
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC1DBB LoadLibraryA,	10_2_00DC1DBB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0D04	10_2_00DC0D04
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC7E0C LoadLibraryA,	10_2_00DC7E0C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0B8E	10_2_00DC0B8E

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000503DB0 second address: 0000000000503DB0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F16884CF258h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F16884CF272h 0x00000024 cmp dh, 00000056h 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F16884CF1ACh 0x00000031 push ecx 0x00000032 jmp 00007F16884CF272h 0x00000034 push esi 0x00000035 jmp 00007F16884CF297h 0x00000037 call 00007F16884CF22Ch 0x0000003c pop esi 0x0000003d jmp esi 0x0000003f pop esi 0x00000040 call 00007F16884CF2C8h 0x00000045 call 00007F16884CF268h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000507E3E second address: 0000000000507E3E instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000500CE2 second address: 0000000000500CE2 instructions:

Tries to detect Any.run

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Transferencia.exe, 00000000.00000002.517554355.00000000006A9000.00000004.00000020.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE:
Source: RegAsm.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000503DB0 second address: 0000000000503DB0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F16884CF258h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F16884CF272h 0x00000024 cmp dh, 00000056h 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F16884CF1ACh 0x00000031 push ecx 0x00000032 jmp 00007F16884CF272h 0x00000034 push esi 0x00000035 jmp 00007F16884CF297h 0x00000037 call 00007F16884CF22Ch 0x0000003c pop esi 0x0000003d jmp esi 0x0000003f pop esi 0x00000040 call 00007F16884CF2C8h 0x00000045 call 00007F16884CF268h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000504092 second address: 0000000000504092 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F168903D370h 0x0000001d popad 0x0000001e call 00007F1689039E45h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000507E3E second address: 0000000000507E3E instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000500CE2 second address: 0000000000500CE2 instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000500FA9 second address: 0000000000501036 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edi, 00010000h 0x00000011 jmp 00007F16884CF276h 0x00000013 test bh, ah 0x00000015 push edi 0x00000016 test ch, dh 0x00000018 add edi, 04h 0x0000001b push edi 0x0000001c pushad 0x0000001d mov ax, 0E01h 0x00000021 cmp ax, 00000E01h 0x00000025 jne 00007F16884CEAFFh 0x0000002b popad 0x0000002c add edi, 04h 0x0000002f push edi 0x00000030 jmp 00007F16884CF27Ah 0x00000032 test ecx, ebx 0x00000034 push 0003E800h 0x00000039 cmp ax, 00001CE5h 0x0000003d pushad 0x0000003e lfence 0x00000041 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000DC4092 second address: 0000000000DC4092 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F168903D370h 0x0000001d popad 0x0000001e call 00007F1689039E45h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000DC0FA9 second address: 0000000000DC1036 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edi, 00010000h 0x00000011 jmp 00007F16884CF276h 0x00000013 test bh, ah 0x00000015 push edi 0x00000016 test ch, dh 0x00000018 add edi, 04h 0x0000001b push edi 0x0000001c pushad 0x0000001d mov ax, 0E01h 0x00000021 cmp ax, 00000E01h 0x00000025 jne 00007F16884CEAFFh 0x0000002b popad 0x0000002c add edi, 04h 0x0000002f push edi 0x00000030 jmp 00007F16884CF27Ah 0x00000032 test ecx, ebx 0x00000034 push 0003E800h 0x00000039 cmp ax, 00001CE5h 0x0000003d pushad 0x0000003e lfence 0x00000041 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC88DE rdtsc

10_2_00DC88DE

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

API coverage: 7.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1260

Thread sleep time: -70000s >= -30000s

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Transferencia.exe, 00000000.00000002.517554355.00000000006A9000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe:

Anti Debugging:

Contains functionality to hide a thread from the debugger

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC2C3F NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000

10_2_00DC2C3F

Found potential dummy code loops (likely to delay analysis)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process Stats: CPU usage > 90% for more than 60s

Hides threads from debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread information set: HideFromDebugger

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC88DE rdtsc

10_2_00DC88DE

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC5079 LdrInitializeThunk,

10_2_00DC5079

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC60E3 mov eax, dword ptr fs:[00000030h]	10_2_00DC60E3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC29E7 mov eax, dword ptr fs:[00000030h]	10_2_00DC29E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC299C mov eax, dword ptr fs:[00000030h]	10_2_00DC299C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC29A6 mov eax, dword ptr fs:[00000030h]	10_2_00DC29A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC26DC mov eax, dword ptr fs:[00000030h]	10_2_00DC26DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC2696 mov eax, dword ptr fs:[00000030h]	10_2_00DC2696
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC2684 mov eax, dword ptr fs:[00000030h]	10_2_00DC2684
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC6E17 mov eax, dword ptr fs:[00000030h]	10_2_00DC6E17
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC7E0C mov eax, dword ptr fs:[00000030h]	10_2_00DC7E0C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC2A37 mov eax, dword ptr fs:[00000030h]	10_2_00DC2A37
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC7E22 mov eax, dword ptr fs:[00000030h]	10_2_00DC7E22
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC1FD0 mov eax, dword ptr fs:[00000030h]	10_2_00DC1FD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC3B32 mov eax, dword ptr fs:[00000030h]	10_2_00DC3B32

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: RegAsm.exe, 0000000A.00000002.587019635.0000000001600000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000A.00000002.587019635.0000000001600000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000A.00000002.587019635.0000000001600000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 0000000A.00000002.587019635.0000000001600000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

ID:	384290
Product:	CloudBasic
Start time:	21:17:11
Start date:	08.04.2021
Sample:	Transferencia.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	7c22c3e3b8726dd1b03e69c203590026
SHA1:	7715be6b73e52535d81b083a3dfd95568a729782
SHA256:	96fb89fdc3873864981ec26c355111c26c7ab5132770ead9d1d97bdfac32e566
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Analysis Report Transferencia.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map