Loading ...

Play interactive tourEdit tour

Analysis Report faktura_fk.exe

Overview

General Information

Sample Name:faktura_fk.exe
Analysis ID:394253
MD5:66fb235f133e2f690184675fe27bcc32
SHA1:12f471ad9d4f8ef90cc548d1e0eb498c12ed0230
SHA256:168ca422e4a4dc429c9fb4a65cdd1b3f1f32119475581b3d00c94ff6e4a82f77
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • faktura_fk.exe (PID: 284 cmdline: 'C:\Users\user\Desktop\faktura_fk.exe' MD5: 66FB235F133E2F690184675FE27BCC32)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1O7Zrj0oTVUPxo7h5leOqWms2QfQkCgBK", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.3147398939.00000000002D0000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security
    Process Memory Space: faktura_fk.exe PID: 284JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
      Process Memory Space: faktura_fk.exe PID: 284JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

        Sigma Overview

        No Sigma rule has matched

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: 00000000.00000002.3147398939.00000000002D0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1O7Zrj0oTVUPxo7h5leOqWms2QfQkCgBK", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
        Multi AV Scanner detection for submitted fileShow sources
        Source: faktura_fk.exeVirustotal: Detection: 17%Perma Link
        Source: faktura_fk.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

        Networking:

        barindex
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1O7Zrj0oTVUPxo7h5leOqWms2QfQkCgBK
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.

        System Summary:

        barindex
        Potential malicious icon foundShow sources
        Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess Stats: CPU usage > 98%
        Source: C:\Users\user\Desktop\faktura_fk.exeMemory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\Desktop\faktura_fk.exeMemory allocated: 76D20000 page execute and read and write
        Source: faktura_fk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameehres.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWMPSideShowGadgetj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameonex.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemsvfw32.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamethumbcache.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamelocalsec.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameUI0Detect.exe.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWLANGPUI.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSV1_0.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamehotplug.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSTI.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemmcss.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewuaueng.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameOLE32.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamew32time.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameslui.exe.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameUSERCPL.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametaskschd.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWMDM.dll.muiZ vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamebthci.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSHTMLER.DLL.MUID vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenapdsnap.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameREGSVC.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesbdropj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamebrserid.sys.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamecomdlg32.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSXS.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedps.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWMPNSCFG.EXE.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesdclt.exe.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWEBCHECK.DLL.MUID vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAuxiliaryDisplayCpl.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMBLCTR.EXE.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameEFSADU.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWPDMTPDR.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameNetworkItemFactory.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameaudiodev.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameaelupsvc.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamejscript.dll.muiH vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamegpedit.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSOERES.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000000.2068280402.0000000000433000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameKnudepunkternes2.exe vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3147746520.00000000027E8000.00000004.00000040.sdmpBinary or memory string: OriginalFilenameKnudepunkternes2.exeFE2XeSafe SolutionseSafe Solutions vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3147383700.0000000000260000.00000008.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewersvcj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewbengine.exe.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepuiapi.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWfsR.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewmplayer.exe.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemsfltr32.acm.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameaudiosrv.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamebatt.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMDMINST.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWCNCSVC.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePOWRPROF.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAUTOPLAY.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedmdskres.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamegpscript.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesdcpl.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesrchadmin.dll.mui@ vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWPDSp.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameVfWWDM32.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameUsbui.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameERCj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamecscsvc.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameehRecvr.exe.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamessdpsrv.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameRUNDLL32.EXE.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenetcfgx.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemsfeedsbs.dll.muiD vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameunregmp2.exe.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWUDFSvc.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWPCCPL.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameTrustedInstaller.exe.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameUxTheme.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenetprof.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamebattc.sys.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewevtsvc.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameappmgmts.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesti_ci.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamefaultrep.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewdc.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameqwavedrv.sys.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewucltux.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameunpnhost.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameappinfo.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemidimap.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemmcndmgr.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAccessibilityCpl.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSRATING.DLL.MUID vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameoleres.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewmploc.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameACCTRES.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameOLEACCRC.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameIPBusEnum.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamerstrui.exe.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameieinstal.exe.muiD vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewmisvc.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSRVSVC.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedeskadp.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePowerCPL.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemsadp32.acm.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSRV.SYS.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameiccvid.drv.muiN vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamegpapi.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamebluetooth.cpl.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewpd_ci.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameINETRES.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMFC42.DLL.MUIR vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSWPRV.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePhotoScreensaver.scr.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameATL.DLL.MUIR vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemmcbase.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamelhdfrgui.exe.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePDH.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWMPNSSCI.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamescsiport.sys.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAVIFIL32.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemmci.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametermsrv.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameBubblesj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameIE4UINIT.EXE.MUID vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameiedkcs32.dll.muiD vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWinMail.exe.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewevtutil.exe.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameTBSSVC.DLL.MUIj% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameulib.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamei8042prt.sys.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemycomput.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameparport.sys.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedsound.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamefwcfg.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameqwave.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameumrdp.dll.muij% vs faktura_fk.exe
        Source: faktura_fk.exeBinary or memory string: OriginalFilenameKnudepunkternes2.exe vs faktura_fk.exe
        Source: faktura_fk.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
        Source: classification engineClassification label: mal96.rans.troj.evad.winEXE@1/0@0/0
        Source: faktura_fk.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\faktura_fk.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Users\user\Desktop\faktura_fk.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: faktura_fk.exeVirustotal: Detection: 17%

        Data Obfuscation:

        barindex
        Yara detected GuLoaderShow sources
        Source: Yara matchFile source: 00000000.00000002.3147398939.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: faktura_fk.exe PID: 284, type: MEMORY
        Yara detected VB6 Downloader GenericShow sources
        Source: Yara matchFile source: Process Memory Space: faktura_fk.exe PID: 284, type: MEMORY
        Source: C:\Users\user\Desktop\faktura_fk.exeCode function: 0_2_00407828 push ds; ret
        Source: C:\Users\user\Desktop\faktura_fk.exeCode function: 0_2_004063F3 push 85E0C3F5h; retf
        Source: C:\Users\user\Desktop\faktura_fk.exeCode function: 0_2_00407792 push es; ret
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        barindex
        Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000002D29E9 second address: 00000000002D29E9 instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000002D29AA second address: 00000000002D29AA instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000002D284C second address: 00000000002D28CA instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [eax+1Ch] 0x0000000d test ah, ah 0x0000000f mov dword ptr [ebp+14h], ecx 0x00000012 fnop 0x00000014 mov ecx, dword ptr [eax+24h] 0x00000017 mov dword ptr [ebp+10h], ecx 0x0000001a mov esi, dword ptr [eax+20h] 0x0000001d add esi, dword ptr [ebp+04h] 0x00000020 xor ecx, ecx 0x00000022 test edx, edx 0x00000024 mov edx, dword ptr [esi] 0x00000026 test ebx, ebx 0x00000028 add edx, dword ptr [ebp+04h] 0x0000002b push ecx 0x0000002c test dh, ch 0x0000002e push esi 0x0000002f push edx 0x00000030 test bl, cl 0x00000032 call 00007F92C0FE272Bh 0x00000037 pushad 0x00000038 rdtsc
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000002D28CA second address: 00000000002D28CA instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000002D2886 second address: 00000000002D2886 instructions:
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
        Source: faktura_fk.exe, 00000000.00000002.3147398939.00000000002D0000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE9
        Source: faktura_fk.exe, 00000000.00000002.3147398939.00000000002D0000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Tries to detect virtualization through RDTSC time measurementsShow sources
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000002D29E9 second address: 00000000002D29E9 instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000002D29AA second address: 00000000002D29AA instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000002D284C second address: 00000000002D28CA instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [eax+1Ch] 0x0000000d test ah, ah 0x0000000f mov dword ptr [ebp+14h], ecx 0x00000012 fnop 0x00000014 mov ecx, dword ptr [eax+24h] 0x00000017 mov dword ptr [ebp+10h], ecx 0x0000001a mov esi, dword ptr [eax+20h] 0x0000001d add esi, dword ptr [ebp+04h] 0x00000020 xor ecx, ecx 0x00000022 test edx, edx 0x00000024 mov edx, dword ptr [esi] 0x00000026 test ebx, ebx 0x00000028 add edx, dword ptr [ebp+04h] 0x0000002b push ecx 0x0000002c test dh, ch 0x0000002e push esi 0x0000002f push edx 0x00000030 test bl, cl 0x00000032 call 00007F92C0FE272Bh 0x00000037 pushad 0x00000038 rdtsc
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000002D28CA second address: 00000000002D28CA instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000002D2886 second address: 00000000002D2886 instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000002D187C second address: 00000000002D187C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F92C0D179FAh 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp edx, ecx 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp eax, eax 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F92C0D179DCh 0x0000002a push ecx 0x0000002b test ah, FFFFFF84h 0x0000002e call 00007F92C0D17A11h 0x00000033 call 00007F92C0D17A0Ah 0x00000038 lfence 0x0000003b mov edx, dword ptr [7FFE0014h] 0x00000041 lfence 0x00000044 ret 0x00000045 mov esi, edx 0x00000047 pushad 0x00000048 rdtsc
        Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: faktura_fk.exe, 00000000.00000002.3147398939.00000000002D0000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe9
        Source: faktura_fk.exe, 00000000.00000002.3147398939.00000000002D0000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

        Anti Debugging:

        barindex
        Found potential dummy code loops (likely to delay analysis)Show sources
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess Stats: CPU usage > 90% for more than 60s
        Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: faktura_fk.exe, 00000000.00000002.3147518081.00000000009C0000.00000002.00000001.sdmpBinary or memory string: Program Manager
        Source: faktura_fk.exe, 00000000.00000002.3147518081.00000000009C0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: faktura_fk.exe, 00000000.00000002.3147518081.00000000009C0000.00000002.00000001.sdmpBinary or memory string: !Progman

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesData from Local SystemExfiltration Over Other Network MediumApplication Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery21Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.

        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        faktura_fk.exe18%VirustotalBrowse
        faktura_fk.exe7%ReversingLabsWin32.Worm.Wbvb

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        http://www.icra.org/vocabulary/.0%URL Reputationsafe
        http://www.icra.org/vocabulary/.0%URL Reputationsafe
        http://www.icra.org/vocabulary/.0%URL Reputationsafe
        http://www.icra.org/vocabulary/.0%URL Reputationsafe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Checkfaktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpfalse
          high
          http://www.windows.com/pctv.faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpfalse
            high
            http://investor.msn.comfaktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpfalse
              high
              http://www.msnbc.com/news/ticker.txtfaktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpfalse
                high
                http://www.icra.org/vocabulary/.faktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
                http://windowsmedia.com/redir/services.asp?WMPFriendly=truefaktura_fk.exe, 00000000.00000002.3151745116.0000000003517000.00000002.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
                http://www.hotmail.com/oefaktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpfalse
                  high
                  http://investor.msn.com/faktura_fk.exe, 00000000.00000002.3151288024.0000000003330000.00000002.00000001.sdmpfalse
                    high

                    Contacted IPs

                    No contacted IP infos

                    General Information

                    Joe Sandbox Version:31.0.0 Emerald
                    Analysis ID:394253
                    Start date:21.04.2021
                    Start time:11:18:37
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 12m 49s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:faktura_fk.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                    Number of analysed new started processes analysed:2
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal96.rans.troj.evad.winEXE@1/0@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 76% (good quality ratio 50.6%)
                    • Quality average: 35.2%
                    • Quality standard deviation: 31%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .exe
                    Warnings:
                    Show All
                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                    • Exclude process from analysis (whitelisted): dllhost.exe

                    Simulations

                    Behavior and APIs

                    No simulations

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    No created / dropped files found

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):5.743984981466137
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.15%
                    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:faktura_fk.exe
                    File size:208896
                    MD5:66fb235f133e2f690184675fe27bcc32
                    SHA1:12f471ad9d4f8ef90cc548d1e0eb498c12ed0230
                    SHA256:168ca422e4a4dc429c9fb4a65cdd1b3f1f32119475581b3d00c94ff6e4a82f77
                    SHA512:1dd20f688ab25131fc8b9c8a2b68d87f468e45ae7b69594e78012353aad2cbde1c3f82f9eecb605d1787e56c9b7b26dfc6f4abc2164d1b347d08516824b8aa8c
                    SSDEEP:3072:+tYMtBHA4Pid5IQrh5aAf1gaVcjQ0Rkkw7OAEvkcvdzHRe4YJv:UQjPOE1gaVBsDYEbvdLq
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...l..`.....................0....................@................

                    File Icon

                    Icon Hash:20047c7c70f0e004

                    Static PE Info

                    General

                    Entrypoint:0x401d94
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                    DLL Characteristics:
                    Time Stamp:0x607FB66C [Wed Apr 21 05:21:48 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:e1435fa7344f6ab2e745b6e31d83ea55

                    Entrypoint Preview

                    Instruction
                    push 00401FF4h
                    call 00007F92C08182E5h
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    xor byte ptr [eax], al
                    add byte ptr [eax], al
                    inc eax
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [edx-7F47AE6Eh], dh
                    sar eax, cl
                    dec esp
                    call far B1A4h : AFF4E401h
                    xor al, byte ptr [eax]
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [ecx], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax+49030A64h], ah
                    dec esi
                    inc esp
                    inc esp
                    dec ebx
                    dec esi
                    dec ecx
                    dec esi
                    inc edi
                    add byte ptr [ecx+00h], al
                    and byte ptr [eax], cl
                    inc ecx
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add bh, bh
                    int3
                    xor dword ptr [eax], eax
                    push es
                    pop ecx
                    jnbe 00007F92C08182F8h
                    mov dh, 2Bh
                    pop esp
                    cli
                    dec ebx
                    stosd
                    mov ebx, 4D7B8DF1h
                    retf

                    Data Directories

                    NameVirtual AddressVirtual Size Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_IMPORT0x2fa640x28.text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x330000x958.rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
                    IMAGE_DIRECTORY_ENTRY_IAT0x10000x1bc.text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                    Sections

                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                    .text0x10000x2f0a80x30000False0.339920043945data5.91772288462IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .data0x310000x12280x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .rsrc0x330000x9580x1000False0.1708984375data2.02469330583IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                    Resources

                    NameRVASizeTypeLanguageCountry
                    RT_ICON0x338280x130data
                    RT_ICON0x335400x2e8data
                    RT_ICON0x334180x128GLS_BINARY_LSB_FIRST
                    RT_GROUP_ICON0x333e80x30data
                    RT_VERSION0x331500x298dataChineseTaiwan

                    Imports

                    DLLImport
                    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaStrComp, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                    Version Infos

                    DescriptionData
                    Translation0x0404 0x04b0
                    InternalNameKnudepunkternes2
                    FileVersion1.00
                    CompanyNameeSafe Solutions
                    ProductNameeSafe Solutions
                    ProductVersion1.00
                    FileDescriptioneSafe Solutions
                    OriginalFilenameKnudepunkternes2.exe

                    Possible Origin

                    Language of compilation systemCountry where language is spokenMap
                    ChineseTaiwan

                    Network Behavior

                    No network behavior found

                    Code Manipulations

                    Statistics

                    System Behavior

                    General

                    Start time:11:19:32
                    Start date:21/04/2021
                    Path:C:\Users\user\Desktop\faktura_fk.exe
                    Wow64 process (32bit):true
                    Commandline:'C:\Users\user\Desktop\faktura_fk.exe'
                    Imagebase:0x400000
                    File size:208896 bytes
                    MD5 hash:66FB235F133E2F690184675FE27BCC32
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:Visual Basic
                    Yara matches:
                    • Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000000.00000002.3147398939.00000000002D0000.00000040.00000001.sdmp, Author: Joe Security
                    Reputation:low

                    Disassembly

                    Code Analysis

                    Reset < >