
Analysis Report SWIFT Payment Advise 39 430-25.exe

Overview

General Information

Sample Name: SWIFT Payment Advise 39 430-25.exe
Analysis ID: 385257
MD5: 758028b3f6c428890bf423f4bf61493f
SHA1: f23458e2f4b1ec7b1b626892878fbc8a81bcc8d6
SHA256: 7e2f0e6ba024408d3b889101de8ab48b3592b465e7a33c95c4fbcb5a4c912fb7
Tags: GuLoader

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • SWIFT Payment Advise 39 430-25.exe (PID: 5960 cmdline: 'C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe' MD5: 758028B3F6C428890BF423F4BF61493F)
    • ieinstal.exe (PID: 6896 cmdline: 'C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1dZX_cFlErs_ZNtLRip3fHBXb5WHo03u0"}

Yara Overview

Memory Dumps

Source: 0000000B.00000002.497022856.0000000003232000.00000040.00000001.sdmp | Rule: JoeSecurity_GuLoader | Description: Yara detected GuLoader | Author: Joe Security
Source: Process Memory Space: SWIFT Payment Advise 39 430-25.exe PID: 5960 | Rule: JoeSecurity_VB6DownloaderGeneric | Description: Yara detected VB6 Downloader Generic | Author: Joe Security
Source: Process Memory Space: ieinstal.exe PID: 6896 | Rule: JoeSecurity_GuLoader | Description: Yara detected GuLoader | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 0000000B.00000002.497022856.0000000003232000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1dZX_cFlErs_ZNtLRip3fHBXb5WHo03u0"}
Multi AV Scanner detection for submitted file
Source: SWIFT Payment Advise 39 430-25.exe | ReversingLabs: Detection: 27%
Source: SWIFT Payment Advise 39 430-25.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.7:49708 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1dZX_cFlErs_ZNtLRip3fHBXb5WHo03u0
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: doc-0s-40-docs.googleusercontent.com
Source: ieinstal.exe | String found in binary or memory: https://drive.google.com/uc?export=download&id=1dZX_cFlErs_ZNtLRip3fHBXb5WHo03u0
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.7:49708 version: TLS 1.2

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Executable has a suspicious name (potential lure to open the executable)
Source: SWIFT Payment Advise 39 430-25.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: SWIFT Payment Advise 39 430-25.exe
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C10A0B NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C17BA6 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C10B3E NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C1073E EnumWindows,NtSetInformationThread,NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C1809C NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C132C3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C182E6 NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C13247 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C183CF NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C107ED NtSetInformationThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C17FF5 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C133F8 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C18382 NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C12F8C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C18336 NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C1333F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C108EE NtSetInformationThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C15CF4 NtSetInformationThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C180FD NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C134AB NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C180B3 NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C18462 NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C1841B NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C1082A NtSetInformationThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C13032 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C155D5 NtSetInformationThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C181D6 NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C185ED NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C17589 NtSetInformationThread,LoadLibraryA,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C18195 NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C18544 NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C18151 NtSetContextThread,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C1315E NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C13112 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C18521 NtSetContextThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03233B4A Sleep,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03232B48 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03237BA6 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03232BC8 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03233C71 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_0323809C NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03238521 NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03238336 NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03238544 NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03238151 NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03238382 NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03238195 NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03232B9A TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_032385ED NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03233BF3 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03237FF5 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_032383CF NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_032381D6 NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_0323841B NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03238462 NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03233C6A LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03232C6E NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03233CA0 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_032380B3 NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_032382E6 NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_032380FD NtSetInformationThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 11_2_03232AC8 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: SWIFT Payment Advise 39 430-25.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.373593850.0000000002330000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs SWIFT Payment Advise 39 430-25.exe
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374797254.0000000002CA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SWIFT Payment Advise 39 430-25.exe
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000000.228478344.0000000000419000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePlateaued1.exe vs SWIFT Payment Advise 39 430-25.exe
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.373551867.00000000021D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SWIFT Payment Advise 39 430-25.exe
Source: SWIFT Payment Advise 39 430-25.exe | Binary or memory string: OriginalFilenamePlateaued1.exe vs SWIFT Payment Advise 39 430-25.exe
Source: SWIFT Payment Advise 39 430-25.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@3/2@5/2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: SWIFT Payment Advise 39 430-25.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SWIFT Payment Advise 39 430-25.exe | ReversingLabs: Detection: 27%
Source: unknown | Process created: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe 'C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe'
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 0000000B.00000002.497022856.0000000003232000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 6896, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: SWIFT Payment Advise 39 430-25.exe PID: 5960, type: MEMORY
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_0040F8F4 push edx; ret
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_00406EE2 push 00000075h; retf
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Code function: 0_2_02C15107 pushfd ; iretd
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOGPFAULTERRORBOX

        Malware Analysis System Evasion:

        barindex
        Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeRDTSC instruction interceptor: First address: 0000000002C10D13 second address: 0000000002C10D13 instructions:
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeRDTSC instruction interceptor: First address: 0000000002C13511 second address: 0000000002C13511 instructions:
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeRDTSC instruction interceptor: First address: 0000000003232B0B second address: 0000000003232B0B instructions:
Tries to detect Any.run
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeFile opened: C:\Program Files\qga\qga.exe
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: ieinstal.exeBinary or memory string: ROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Source: SWIFT Payment Advise 39 430-25.exe, ieinstal.exeBinary or memory string: AM FILES\QEMU-GA\QEMU-GA.EXE
        Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374612274.0000000002C10000.00000040.00000001.sdmp, ieinstal.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeRDTSC instruction interceptor: First address: 0000000002C13A3E second address: 0000000002C13E98 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, 40h 0x00000006 add eax, 04h 0x00000009 mov eax, dword ptr [eax] 0x0000000b ret 0x0000000c mov dword ptr [ebp+4Ch], eax 0x0000000f test dl, al 0x00000011 call 00007F8C549E36C2h 0x00000016 push dword ptr [ebp+20h] 0x00000019 jmp 00007F8C549E0616h 0x0000001b cmp si, 734Dh 0x00000020 pop dword ptr [ebp+00000128h] 0x00000026 test dl, 0000001Fh 0x00000029 mov dword ptr [ebp+68h], 00000000h 0x00000030 test bx, dx 0x00000033 jmp 00007F8C549E166Eh 0x00000038 call 00007F8C549DF537h 0x0000003d pop dword ptr [ebp+64h] 0x00000040 cmp dh, ah 0x00000042 jmp 00007F8C549E130Eh 0x00000047 call 00007F8C549DF89Bh 0x0000004c test dl, bl 0x0000004e pop dword ptr [ebp+6Ch] 0x00000051 jmp 00007F8C549E061Ah 0x00000053 test bx, ax 0x00000056 mov dword ptr [ebp+70h], 00000001h 0x0000005d mov dword ptr [ebp+74h], 00000000h 0x00000064 mov dword ptr [ebp+000000ACh], 0001A000h 0x0000006e cmp esi, 263408DCh 0x00000074 mov dword ptr [ebp+7Ch], 00000000h 0x0000007b pushad 0x0000007c mov eax, 0000004Fh 0x00000081 rdtsc
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeRDTSC instruction interceptor: First address: 0000000002C13E98 second address: 0000000002C10D13 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 test cx, cx 0x00000006 jmp 00007F8C544BC783h 0x0000000b call 00007F8C544BB2A2h 0x00000010 pop dword ptr [ebp+000000B8h] 0x00000016 cmp ecx, ebx 0x00000018 push dword ptr fs:[000000C0h] 0x0000001f pop dword ptr [ebp+48h] 0x00000022 cmp dl, dl 0x00000024 ret 0x00000025 cmp al, cl 0x00000027 cmp dx, ax 0x0000002a mov ecx, dword ptr [ebp+5Ch] 0x0000002d jmp 00007F8C544BBD56h 0x0000002f test ch, FFFFFF92h 0x00000032 test al, cl 0x00000034 mov edx, BAEF4789h 0x00000039 pushad 0x0000003a rdtsc
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeRDTSC instruction interceptor: First address: 0000000002C10D13 second address: 0000000002C10D13 instructions:
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeRDTSC instruction interceptor: First address: 0000000002C13511 second address: 0000000002C13511 instructions:
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeRDTSC instruction interceptor: First address: 0000000003233A3E second address: 0000000003233E98 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, 40h 0x00000006 add eax, 04h 0x00000009 mov eax, dword ptr [eax] 0x0000000b ret 0x0000000c mov dword ptr [ebp+4Ch], eax 0x0000000f test dl, al 0x00000011 call 00007F8C549E36C2h 0x00000016 push dword ptr [ebp+20h] 0x00000019 jmp 00007F8C549E0616h 0x0000001b cmp si, 734Dh 0x00000020 pop dword ptr [ebp+00000128h] 0x00000026 test dl, 0000001Fh 0x00000029 mov dword ptr [ebp+68h], 00000000h 0x00000030 test bx, dx 0x00000033 jmp 00007F8C549E166Eh 0x00000038 call 00007F8C549DF537h 0x0000003d pop dword ptr [ebp+64h] 0x00000040 cmp dh, ah 0x00000042 jmp 00007F8C549E130Eh 0x00000047 call 00007F8C549DF89Bh 0x0000004c test dl, bl 0x0000004e pop dword ptr [ebp+6Ch] 0x00000051 jmp 00007F8C549E061Ah 0x00000053 test bx, ax 0x00000056 mov dword ptr [ebp+70h], 00000001h 0x0000005d mov dword ptr [ebp+74h], 00000000h 0x00000064 mov dword ptr [ebp+000000ACh], 0001A000h 0x0000006e cmp esi, 263408DCh 0x00000074 mov dword ptr [ebp+7Ch], 00000000h 0x0000007b pushad 0x0000007c mov eax, 0000004Fh 0x00000081 rdtsc
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeRDTSC instruction interceptor: First address: 0000000003232B0B second address: 0000000003232B0B instructions:
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C172C6 rdtsc
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeWindow / User API: threadDelayed 3263
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 5384Thread sleep count: 3263 > 30
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeLast function: Thread delayed
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeLast function: Thread delayed
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeThread sleep count: Count: 3263 delay: -5
        Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374797254.0000000002CA0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: SWIFT Payment Advise 39 430-25.exe, ieinstal.exeBinary or memory string: am Files\Qemu-ga\qemu-ga.exe
        Source: ieinstal.exeBinary or memory string: rogram Files\Qemu-ga\qemu-ga.exe
        Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374797254.0000000002CA0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374797254.0000000002CA0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374612274.0000000002C10000.00000040.00000001.sdmp, ieinstal.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374797254.0000000002CA0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
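The RDTSC interceptor entries above show the shape of GuLoader's timing check: two rdtsc reads bracketing a run of junk. The following is an added example, not part of the Joe Sandbox report, that parses one of those dumps (the entry whose second address is 0000000002C10D13, copied verbatim) and summarises what sits between the two reads. The regex, the field names and the interpretation of fs:[C0h] as TEB.WOW32Reserved are mine.

```python
"""Parse a Joe Sandbox 'RDTSC instruction interceptor' dump and characterise the
block between the two rdtsc reads (added example; the dump is the report's)."""
import re

# Dump copied from the report entry "First address: 0000000002C13E98 second address:
# 0000000002C10D13"; offsets and mnemonics are Joe Sandbox's.
RDTSC_DUMP = (
    "0x00000000 rdtsc 0x00000002 popad 0x00000003 test cx, cx "
    "0x00000006 jmp 00007F8C544BC783h 0x0000000b call 00007F8C544BB2A2h "
    "0x00000010 pop dword ptr [ebp+000000B8h] 0x00000016 cmp ecx, ebx "
    "0x00000018 push dword ptr fs:[000000C0h] 0x0000001f pop dword ptr [ebp+48h] "
    "0x00000022 cmp dl, dl 0x00000024 ret 0x00000025 cmp al, cl 0x00000027 cmp dx, ax "
    "0x0000002a mov ecx, dword ptr [ebp+5Ch] 0x0000002d jmp 00007F8C544BBD56h "
    "0x0000002f test ch, FFFFFF92h 0x00000032 test al, cl 0x00000034 mov edx, BAEF4789h "
    "0x00000039 pushad 0x0000003a rdtsc"
)

# One instruction = 8-hex-digit offset, a space, then text up to the next offset.
INSN = re.compile(r"0x([0-9a-fA-F]{8}) (.*?)(?= 0x[0-9a-fA-F]{8} |$)")


def parse_dump(dump):
    """Return [(offset, mnemonic, operands), ...] for a Joe Sandbox 'instructions:' dump."""
    insns = []
    for m in INSN.finditer(dump):
        mnemonic, _, operands = m.group(2).partition(" ")
        insns.append((int(m.group(1), 16), mnemonic, operands))
    return insns


def analyse(insns):
    """Summarise the block bracketed by the first and last rdtsc."""
    rdtsc = [off for off, mn, _ in insns if mn == "rdtsc"]
    if len(rdtsc) < 2:
        return {"rdtsc_count": len(rdtsc)}
    lo, hi = rdtsc[0], rdtsc[-1]
    inner = [i for i in insns if lo < i[0] < hi]
    return {
        "rdtsc_count": len(rdtsc),
        "span_bytes": hi - lo,
        "insns_between": len(inner),
        # cmp/test whose flags no conditional jump ever consumes: pure padding
        "opaque_compares": sum(1 for _, mn, _ in inner if mn in ("cmp", "test")),
        "transfers": [(off, mn) for off, mn, _ in inner if mn in ("jmp", "call", "ret")],
        # fs:[C0h] is TEB.WOW32Reserved for a 32-bit process on 64-bit Windows: the
        # WoW64 syscall-transition pointer, which loaders read to make direct syscalls
        "teb_reads": [(off, ops) for off, _, ops in inner if "fs:[" in ops],
    }


def straight_line(insns):
    """True when no conditional branch sits between the rdtsc reads: the measured
    delta then depends only on how fast the junk executes, which is exactly what a
    single-stepping debugger or an instrumented sandbox inflates."""
    return not any(mn.startswith("j") and mn != "jmp" for _, mn, _ in insns)


if __name__ == "__main__":
    parsed = parse_dump(RDTSC_DUMP)
    print(analyse(parsed), "straight-line:", straight_line(parsed))
```

The same parser applies to the longer dump above (second address 0000000002C13E98); there the block also seeds [ebp+...] slots with constants and reads through fs:[30h]-derived pointers, so the stored values, not only the timing, feed later decisions.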

        Anti Debugging:

Contains functionality to hide a thread from the debugger
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C1073E NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000020,02C12FE0,00000000,00000000,00000000
Hides threads from debuggers
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeThread information set: HideFromDebugger
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeThread information set: HideFromDebugger
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeThread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeProcess queried: DebugPort
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess queried: DebugPort
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C172C6 rdtsc
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C13F01 LdrInitializeThunk,
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C172C6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C166D1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C12696 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C126A2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C13A29 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C16CCE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C12004 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C17589 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C175BB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C17565 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C1296B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C1293D mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 11_2_03237565 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 11_2_032375BB mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 11_2_03237589 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 11_2_032339E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 11_2_032339E7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 11_2_03236CCE mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 11_2_032366D1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess token adjusted: Debug
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 11_2_03232BC8 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,

        HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeMemory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3230000
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe'
        Source: ieinstal.exe, 0000000B.00000002.497857742.0000000003B20000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
        Source: ieinstal.exe, 0000000B.00000002.497857742.0000000003B20000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: ieinstal.exe, 0000000B.00000002.497857742.0000000003B20000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: ieinstal.exe, 0000000B.00000002.497857742.0000000003B20000.00000002.00000001.sdmpBinary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exeCode function: 0_2_02C13646 cpuid
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeKey opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
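The two behaviours worth detecting from the sections above are the hollowing of ieinstal.exe (a Desktop executable writing into it and starting it under the dropper's own command line) and the injected host then opening the credential stores listed here. The following is an added example, not part of the Joe Sandbox report, of detection logic for both run over constructed Sysmon-style events; the event field names, the store-owner allowlist and the sample events are assumptions made for the example.

```python
"""Detect ieinstal.exe hollowing and credential-store access over Sysmon-style events
(added example; event shapes and allowlist are assumed, sample events are constructed)."""
import re
from pathlib import PureWindowsPath

# Credential stores the report shows ieinstal.exe opening (registry keys and the Chrome file).
CREDENTIAL_STORES = (
    r"\Software\9bis.com\KiTTY\Sessions",
    r"\Software\Martin Prikryl",                    # WinSCP
    r"\Software\Far2\Plugins\FTP\Hosts",
    r"\Software\Far\Plugins\FTP\Hosts",
    r"\Software\NCH Software\ClassicFTP\FTPAccounts",
    r"\Software\IncrediMail\Identities",
    r"\Windows Messaging Subsystem\Profiles\Outlook",
    r"\Google\Chrome\User Data\Default\Login Data",
)
# Assumed allowlist: the applications that own those stores. Tune per estate.
STORE_OWNERS = {"kitty.exe", "putty.exe", "winscp.exe", "far.exe", "classicftp.exe",
                "incredimail.exe", "outlook.exe", "chrome.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
SYSTEM_DIRS = ("\\program files", "\\windows\\")


def exe_name(path):
    return PureWindowsPath(path).name.lower()


def first_token(cmdline):
    """Program the command line names: a quoted path or the first whitespace-free token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def image_commandline_mismatch(ev):
    """EID 1: the image on disk is not the program the command line names. A hollowed
    host looks exactly like the report's 'Process created' line: ieinstal.exe running
    under the dropper's command line."""
    if ev["EventID"] != 1:
        return None
    claimed, actual = exe_name(first_token(ev["CommandLine"])), exe_name(ev["Image"])
    if claimed and claimed != actual:
        return f"hollowing: {actual} started with command line of {claimed} (parent {exe_name(ev['ParentImage'])})"
    return None


def user_code_into_system_binary(ev):
    """EID 8/10 (CreateRemoteThread / ProcessAccess): a process from a user-writable
    path reaching into one whose image lives under Program Files or Windows
    (the report's 'Memory written: ...ieinstal.exe base: 3230000')."""
    if ev["EventID"] not in (8, 10):
        return None
    src, dst = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    if any(u in src for u in USER_WRITABLE) and any(s in dst for s in SYSTEM_DIRS):
        return f"injection: {exe_name(src)} -> {exe_name(dst)}"
    return None


def credential_store_access(ev):
    """EID 12/13 registry access, or file-open telemetry normalised to the same fields:
    a known credential store touched by something other than its owning application."""
    if ev["EventID"] not in (11, 12, 13):
        return None
    target = ev["TargetObject"]
    if not any(store.lower() in target.lower() for store in CREDENTIAL_STORES):
        return None
    actor = exe_name(ev["Image"])
    return None if actor in STORE_OWNERS else f"credential access: {actor} opened {target}"


RULES = (image_commandline_mismatch, user_code_into_system_binary, credential_store_access)


def detect(events):
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


DROPPER = r"C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe"
HOST = r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe"
SAMPLE_EVENTS = [  # constructed to mirror the report's process tree and registry/file opens
    {"EventID": 1, "Image": DROPPER, "CommandLine": f'"{DROPPER}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": DROPPER, "TargetImage": HOST},
    {"EventID": 1, "Image": HOST, "CommandLine": f'"{DROPPER}"', "ParentImage": DROPPER},
    {"EventID": 12, "Image": HOST, "TargetObject": r"HKCU\Software\9bis.com\KiTTY\Sessions"},
    {"EventID": 12, "Image": HOST, "TargetObject": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"EventID": 11, "Image": HOST, "TargetObject": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 12, "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "TargetObject": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions"},  # legitimate owner, no alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The hollowing rule is the cheapest of the three and fires on the report's own process-creation line without any memory telemetry; the credential rule needs an owner allowlist because the stores are legitimately read by their applications, so keying on "who opened it" rather than "was it opened" is what keeps it quiet.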

Mitre Att&ck Matrix

Techniques per tactic; numbers in parentheses are the report's signature-count badges for that technique.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection (1/1/2); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (2/3); Process Injection (1/1/2); Obfuscated Files or Information (1); Software Packing; Steganography
Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (6/2/1); Virtualization/Sandbox Evasion (2/3); Process Discovery (1); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (2/1/3)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Email Collection (1); Data from Local System (2); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (1/2); Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
SWIFT Payment Advise 39 430-25.exe | 27% | ReversingLabs | Win32.Trojan.Graftor

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
becharnise.ir | 194.5.178.163 | true | false | | unknown
googlehosted.l.googleusercontent.com | 216.58.215.225 | true | false | | high
doc-0s-40-docs.googleusercontent.com | unknown | unknown | false | | high

              Contacted IPs

              Public

IP | Domain | Country | ASN | ASN Name | Malicious
216.58.215.225 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false
194.5.178.163 | becharnise.ir | Iran (Islamic Republic of) | 200406 | BERBIDSERVERIR | false

              General Information

              Joe Sandbox Version:31.0.0 Emerald
              Analysis ID:385257
              Start date:12.04.2021
              Start time:09:05:53
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 6m 3s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:SWIFT Payment Advise 39 430-25.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:22
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.rans.troj.spyw.evad.winEXE@3/2@5/2
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 3.7% (good quality ratio 3.4%)
              • Quality average: 50.8%
              • Quality standard deviation: 17.3%
              HCA Information:
              • Successful, ratio: 69%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              Show All
              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
              • TCP Packets have been reduced to 100
              • Excluded IPs from analysis (whitelisted): 104.42.151.234, 92.122.145.220, 184.30.24.56, 13.88.21.125, 13.64.90.137, 8.241.121.254, 8.253.204.120, 67.27.158.126, 8.248.131.254, 8.253.207.120, 216.58.215.238, 20.82.210.154, 104.43.139.144, 168.61.161.212, 92.122.213.194, 92.122.213.247, 20.50.102.62, 104.43.193.48, 52.155.217.156
              • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, drive.google.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: /opt/package/joesandbox/database/analysis/385257/sample/SWIFT Payment Advise 39 430-25.exe

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

Match: 194.5.178.163
Associated Sample Name / URL | Detection | Context
Purchase Order SC_695853.xlsx | malicious | becharnise.ir/fb19/fre.php
Required.exe | malicious | fleximexi.ir/ari/Panel/fre.php

              Domains

Match: becharnise.ir
Associated Sample Name / URL | Detection | Context
Purchase Order SC_695853.xlsx | malicious | 194.5.178.163
SMYXumaA91.exe | malicious | 195.211.44.113
4xxwII41mG.exe | malicious | 195.211.44.113
SPARE PARTS drawing.xlsx | malicious | 195.211.44.113
PROFORMA INVOICE.xlsx | malicious | 195.211.44.113
SOA#0850.exe | malicious | 194.147.142.237
RfqHongJ.exe | malicious | 194.147.142.237
Remittance slip.exe | malicious | 194.147.142.237
_ShipDoc_CI_PL_HBL_.xlsx | malicious | 194.147.142.237
r2HXquFlQa.exe | malicious | 194.147.142.237
NyBozyKqtT.exe | malicious | 194.147.142.237
WdJ1OsBhHk.exe | malicious | 194.147.142.237
FTdoFIURU7.exe | malicious | 194.147.142.237
VSLS PARTICULARS.xlsx | malicious | 194.147.142.237
VSL_MT LOYALTY_pdf.exe | malicious | 194.147.142.237
SecuriteInfo.com.W32.AIDetect.malware2.3511.exe | malicious | 194.147.142.237
aH3bqPMEP2.exe | malicious | 185.208.180.121
SecuriteInfo.com.W32.AIDetect.malware1.6066.exe | malicious | 185.208.180.121
INV 0898764_pdf.exe | malicious | 185.208.180.121
VSL_MT LOYALTY.xlsx | malicious | 185.208.180.121

              ASN

Match: BERBIDSERVERIR
Associated Sample Name / URL | Detection | Context
Purchase Order SC_695853.xlsx | malicious | 194.5.178.163
Required.exe | malicious | 194.5.178.163

              JA3 Fingerprints

Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Context
malevolo.ps1 | malicious | 216.58.215.225
shipping document.exe | malicious | 216.58.215.225
Statement-ID261179932209970.vbs | malicious | 216.58.215.225
Alexandra38.docx | malicious | 216.58.215.225
rRobw1VVRP.exe | malicious | 216.58.215.225
Tmd7W7qwQw.dll | malicious | 216.58.215.225
SecuriteInfo.com.Trojan.Agent.FFIJ.17175.exe | malicious | 216.58.215.225
documents-351331057.xlsm | malicious | 216.58.215.225
documents-1819557117.xlsm | malicious | 216.58.215.225
mail_6512365134_7863_202104108.html | malicious | 216.58.215.225
Copia bancaria de swift.exe | malicious | 216.58.215.225
SecuriteInfo.com.Trojan.GenericKD.36659493.29456.exe | malicious | 216.58.215.225
SecuriteInfo.com.Trojan.Siggen12.64197.30705.exe | malicious | 216.58.215.225
#Ud83d#Udcde973.htm | malicious | 216.58.215.225
3vQD6TIYA1.exe | malicious | 216.58.215.225
SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe | malicious | 216.58.215.225
XN123gfQJQ.exe | malicious | 216.58.215.225
documento.xlsb | malicious | 216.58.215.225
securedmessage.htm | malicious | 216.58.215.225

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
              Process:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:high, very likely benign file
              Preview: 1
              C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
              Process:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
              File Type:data
              Category:dropped
              Size (bytes):450
              Entropy (8bit):0.95853443959644
              Encrypted:false
              SSDEEP:3:/lvlLFlvlLFlvlLFlvlLFlvlp:LVVV3
              MD5:4C69543CC021AEC1EFB640FDF5DD2F16
              SHA1:347AA81846DD5797E1A6A85D9B1CAF9E3BF36EFF
              SHA-256:91B97E7BCC50DDC0792D5CEF438D56895955F29D5121994CE0A43E78D23CBD7E
              SHA-512:09627F4C8875300AD045B011B66A91D374581A65DEAA75FE1F95C2322BE747EE17893C5F27433B52BD7CE90412D0C08C5980F6BEB2907027F2142BFDAAABCB3B
              Malicious:false
              Reputation:low
              Preview: ........................................user...........................................................................................user...........................................................................................user...........................................................................................user...........................................................................................user.

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):5.224475355355028
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.15%
              • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:SWIFT Payment Advise 39 430-25.exe
              File size:90112
              MD5:758028b3f6c428890bf423f4bf61493f
              SHA1:f23458e2f4b1ec7b1b626892878fbc8a81bcc8d6
              SHA256:7e2f0e6ba024408d3b889101de8ab48b3592b465e7a33c95c4fbcb5a4c912fb7
              SHA512:edec88afa520fcf43119a293810b1e2eaf2ff6c8d4c860c2d2862686d8b3bafff5e76bfd5b733b60f98532209caeaa3d324cc04078959f646239cb0e3120280d
              SSDEEP:768:+M3sZY/kPxOwOJu9LydptAQe9Pjm1j+BDMlf4tgTQx5dauPDJO1SiSjwvJ:BsZY/kZOwhtydtehuj+BOfs5Od
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W...K...W...u...W...q...W..Rich.W..........................PE..L...&..P.................0...`......`........@....@

              File Icon

              Icon Hash:20047c7c70f0e004

              Static PE Info

              General

              Entrypoint:0x401460
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x50F6E326 [Wed Jan 16 17:28:06 2013 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:281390d21b787569ccc2303fd6dad5ce

              Entrypoint Preview

              Instruction
              push 00401650h
              call 00007F8C549F1C73h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              xor byte ptr [eax], al
              add byte ptr [eax], al
              inc eax
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add al, dl
              mov ah, ch
              pop ds
              sbb ebx, dword ptr [ebx]
              mov edi, 8BCA814Ch

              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13474 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x9d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x118 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x12948 | 0x13000 | False | 0.413522820724 | data | 5.69403723922 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .data | 0x14000 | 0x45d8 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .rsrc | 0x19000 | 0x9d4 | 0x1000 | False | 0.178466796875 | data | 2.13575147568 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_ICON | 0x198a4 | 0x130 | data | |
              RT_ICON | 0x195bc | 0x2e8 | data | |
              RT_ICON | 0x19494 | 0x128 | GLS_BINARY_LSB_FIRST | |
              RT_GROUP_ICON | 0x19464 | 0x30 | data | |
              RT_VERSION | 0x19150 | 0x314 | data | |

              Imports

              DLL | Import
              MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaAryMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaCastObj, __vbaStrMove, _allmul, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

              Version Infos

              Description | Data
              Translation | 0x0000 0x04b0
              LegalCopyright | Freak Class
              InternalName | Plateaued1
              FileVersion | 1.00
              CompanyName | Freak Class
              LegalTrademarks | Freak Class
              Comments | Freak Class
              ProductName | Freak Class
              ProductVersion | 1.00
              FileDescription | Freak Class
              OriginalFilename | Plateaued1.exe

              Network Behavior

              Network Port Distribution

              TCP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Apr 12, 2021 09:07:48.598371983 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:48.643932104 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:48.644054890 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:48.645006895 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:48.690490007 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:48.703102112 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:48.703159094 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:48.703186989 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:48.703210115 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:48.703232050 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:48.703274012 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:48.717717886 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:48.763536930 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:48.763689995 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:48.764540911 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:48.814651966 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.009479046 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.009500027 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.009517908 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.009535074 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.009551048 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.009659052 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.009728909 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.012581110 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.012599945 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.012690067 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.012713909 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.015794992 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.015815973 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.015875101 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.015896082 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.018996954 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.019026995 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.019085884 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.019109011 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.022227049 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.022248030 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.022308111 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.022341967 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.024789095 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.024808884 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.024858952 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.024892092 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.055063009 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.055089951 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.055161953 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.056919098 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.056942940 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.056982040 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.057019949 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.060045958 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.060075045 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.060106993 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.060146093 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.063033104 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.063064098 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.063123941 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.063155890 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.066437960 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.066462994 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.066499949 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.066641092 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.069379091 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.069436073 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.069468021 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.069503069 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.072921991 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.072949886 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.072988033 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.073013067 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.075773954 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.075797081 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.075867891 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.075896978 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.078938007 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.078963995 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.079004049 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.079030991 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.082005978 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.082027912 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.082108974 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.085016966 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.085052013 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.085094929 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.085115910 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.087999105 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.088020086 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.088079929 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.088099957 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.090986013 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.091017962 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.091087103 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.091118097 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.094185114 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.094208956 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.094254971 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.094276905 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225
              Apr 12, 2021 09:07:49.097011089 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.097044945 CEST | 443 | 49708 | 216.58.215.225 | 192.168.2.7
              Apr 12, 2021 09:07:49.097079039 CEST | 49708 | 443 | 192.168.2.7 | 216.58.215.225

              UDP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Apr 12, 2021 09:06:36.242970943 CEST | 61242 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:06:36.291995049 CEST | 53 | 61242 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:06:38.411036968 CEST | 58562 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:06:38.469515085 CEST | 53 | 58562 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:07:01.964020967 CEST | 56590 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:07:02.029580116 CEST | 53 | 56590 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:07:07.087543011 CEST | 60501 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:07:07.136581898 CEST | 53 | 60501 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:07:12.467433929 CEST | 53775 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:07:12.518182993 CEST | 53 | 53775 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:07:29.937313080 CEST | 51837 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:07:29.988806009 CEST | 53 | 51837 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:07:31.541711092 CEST | 55411 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:07:31.590414047 CEST | 53 | 55411 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:07:47.708326101 CEST | 63668 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:07:47.773395061 CEST | 53 | 63668 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:07:48.300764084 CEST | 54640 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:07:48.349626064 CEST | 53 | 54640 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:07:48.514470100 CEST | 58739 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:07:48.592413902 CEST | 53 | 58739 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:07:50.652332067 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:07:50.994090080 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:07:53.984365940 CEST | 58717 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:07:54.035808086 CEST | 53 | 58717 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:07:55.852821112 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:07:55.901554108 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:07:56.777328968 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:07:56.826278925 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:01.756891966 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:01.815680027 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:07.905358076 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:07.954016924 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:12.613359928 CEST | 59451 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:12.672434092 CEST | 53 | 59451 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:21.194430113 CEST | 52914 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:21.245867968 CEST | 53 | 52914 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:34.574978113 CEST | 64569 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:34.635107994 CEST | 53 | 64569 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:35.324676037 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:35.373492002 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:40.045149088 CEST | 50781 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:40.113033056 CEST | 53 | 50781 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:40.921453953 CEST | 54230 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:40.970021009 CEST | 53 | 54230 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:45.084790945 CEST | 54911 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:45.133462906 CEST | 53 | 54911 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:46.929852962 CEST | 49958 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:46.982414007 CEST | 53 | 49958 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:48.553877115 CEST | 50860 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:48.602652073 CEST | 53 | 50860 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:50.361248970 CEST | 50452 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:50.418330908 CEST | 53 | 50452 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:52.272304058 CEST | 59730 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:52.362983942 CEST | 53 | 59730 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:52.822804928 CEST | 59310 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:52.885870934 CEST | 53 | 59310 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:53.434803009 CEST | 51919 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:53.495085955 CEST | 53 | 51919 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:54.140201092 CEST | 64296 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:54.250591040 CEST | 53 | 64296 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:54.717360973 CEST | 56680 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:54.779048920 CEST | 53 | 56680 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:55.310853004 CEST | 58820 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:55.369240046 CEST | 53 | 58820 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:55.726608992 CEST | 60983 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:55.789849043 CEST | 53 | 60983 | 8.8.8.8 | 192.168.2.7
              Apr 12, 2021 09:08:55.855614901 CEST | 49247 | 53 | 192.168.2.7 | 8.8.8.8
              Apr 12, 2021 09:08:55.912578106 CEST | 53 | 49247 | 8.8.8.8 | 192.168.2.7

              DNS Queries

              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
              Apr 12, 2021 09:07:48.514470100 CEST | 192.168.2.7 | 8.8.8.8 | 0x5053 | Standard query (0) | doc-0s-40-docs.googleusercontent.com | A (IP address) | IN (0x0001)
              Apr 12, 2021 09:07:50.652332067 CEST | 192.168.2.7 | 8.8.8.8 | 0x39ce | Standard query (0) | becharnise.ir | A (IP address) | IN (0x0001)
              Apr 12, 2021 09:08:12.613359928 CEST | 192.168.2.7 | 8.8.8.8 | 0x4347 | Standard query (0) | becharnise.ir | A (IP address) | IN (0x0001)
              Apr 12, 2021 09:08:34.574978113 CEST | 192.168.2.7 | 8.8.8.8 | 0xe771 | Standard query (0) | becharnise.ir | A (IP address) | IN (0x0001)
              Apr 12, 2021 09:08:55.726608992 CEST | 192.168.2.7 | 8.8.8.8 | 0x5a76 | Standard query (0) | becharnise.ir | A (IP address) | IN (0x0001)

              DNS Answers

              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
              Apr 12, 2021 09:07:48.592413902 CEST | 8.8.8.8 | 192.168.2.7 | 0x5053 | No error (0) | doc-0s-40-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
              Apr 12, 2021 09:07:48.592413902 CEST | 8.8.8.8 | 192.168.2.7 | 0x5053 | No error (0) | googlehosted.l.googleusercontent.com | | 216.58.215.225 | A (IP address) | IN (0x0001)
              Apr 12, 2021 09:07:50.994090080 CEST | 8.8.8.8 | 192.168.2.7 | 0x39ce | No error (0) | becharnise.ir | | 194.5.178.163 | A (IP address) | IN (0x0001)
              Apr 12, 2021 09:08:12.672434092 CEST | 8.8.8.8 | 192.168.2.7 | 0x4347 | No error (0) | becharnise.ir | | 194.5.178.163 | A (IP address) | IN (0x0001)
              Apr 12, 2021 09:08:34.635107994 CEST | 8.8.8.8 | 192.168.2.7 | 0xe771 | No error (0) | becharnise.ir | | 194.5.178.163 | A (IP address) | IN (0x0001)
              Apr 12, 2021 09:08:55.789849043 CEST | 8.8.8.8 | 192.168.2.7 | 0x5a76 | No error (0) | becharnise.ir | | 194.5.178.163 | A (IP address) | IN (0x0001)

              HTTPS Packets

              Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
              Apr 12, 2021 09:07:48.703210115 CEST | 216.58.215.225 | 443 | 192.168.2.7 | 49708 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
              Certificate chain presented on this connection (Subject | Issuer | Not Before | Not After):
              CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US | CN=GTS CA 1O1, O=Google Trust Services, C=US | Tue Mar 16 20:32:57 CET 2021 | Tue Jun 08 21:32:56 CEST 2021
              CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021

              Code Manipulations

              Statistics

              Behavior

              System Behavior

              General

              Start time:09:06:42
              Start date:12/04/2021
              Path:C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe'
              Imagebase:0x400000
              File size:90112 bytes
              MD5 hash:758028B3F6C428890BF423F4BF61493F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Visual Basic
              Reputation:low

              General

              Start time:09:07:27
              Start date:12/04/2021
              Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe'
              Imagebase:0xc70000
              File size:480256 bytes
              MD5 hash:DAD17AB737E680C47C8A44CBB95EE67E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000B.00000002.497022856.0000000003232000.00000040.00000001.sdmp, Author: Joe Security
              Reputation:moderate

              Disassembly

              Code Analysis
