Source: RFQ 35465756.exe |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1tugb1Cx6PcCD1YoZNcA5MNpIX8ZFbd_s"} |
Source: RFQ 35465756.exe |
Virustotal: Detection: 34% |
Source: RFQ 35465756.exe |
ReversingLabs: Detection: 71% |
Source: RFQ 35465756.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&id=1tugb1Cx6PcCD1YoZNcA5MNpIX8ZFbd_s |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A33F8 NtProtectVirtualMemory |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A1BF3 NtAllocateVirtualMemory |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_00407159 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_00407175 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_00401579 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_004071B4 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_00407262 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_0040720E |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_004072B3 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_0040734A |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_00401768 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_00407368 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_00407304 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_004073E8 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_00407391 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_004017B5 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A3B0E |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A3080 |
Source: RFQ 35465756.exe, 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameSilure2.exe vs RFQ 35465756.exe |
Source: RFQ 35465756.exe, 00000000.00000002.760663714.0000000002260000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs RFQ 35465756.exe |
Source: RFQ 35465756.exe, 00000000.00000002.761291141.00000000022F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameSilure2.exeFE2X vs RFQ 35465756.exe |
Source: RFQ 35465756.exe |
Binary or memory string: OriginalFilenameSilure2.exe vs RFQ 35465756.exe |
Source: classification engine |
Classification label: mal92.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
File created: C:\Users\user~1\AppData\Local\Temp\~DF0971D5C732263ABC.TMP |
Source: RFQ 35465756.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: RFQ 35465756.exe, type: SAMPLE |
Source: Yara match |
File source: 00000000.00000000.235938120.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0.0.RFQ 35465756.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.RFQ 35465756.exe.400000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_00405C23 pushad ; retf | 0_2_00405C2B |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_0040532B push eax; retf | 0_2_0040534F |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A17A8 push 233953B7h; iretd | 0_2_022A23A3 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A238A push 233953B7h; iretd | 0_2_022A23A3 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Process information set: NOOPENFILEERRORBOX (5 identical rows in the report) |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A0CE1 |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
RDTSC instruction interceptor: First address: 00000000022A1A08 second address: 00000000022A1A08 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007F6A8036D058h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d pop ecx
  0x0000001e test ecx, ecx
  0x00000020 add edi, edx
  0x00000022 dec ecx
  0x00000023 cmp ecx, 00000000h
  0x00000026 jne 00007F6A8036D039h
  0x00000028 push ecx
  0x00000029 cmp dh, ah
  0x0000002b cmp ebx, A3F7AFB9h
  0x00000031 call 00007F6A8036D076h
  0x00000036 call 00007F6A8036D068h
  0x0000003b lfence
  0x0000003e mov edx, dword ptr [7FFE0014h]
  0x00000044 lfence
  0x00000047 ret
  0x00000048 mov esi, edx
  0x0000004a pushad
  0x0000004b rdtsc |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
RDTSC instruction interceptor: First address: 00000000022A1ADD second address: 00000000022A1ADD instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a ret
  0x0000000b mov esi, edx
  0x0000000d pushad
  0x0000000e xor eax, eax
  0x00000010 inc eax
  0x00000011 cpuid
  0x00000013 bt ecx, 1Fh
  0x00000017 jc 00007F6A804AF6A9h
  0x0000001d popad
  0x0000001e call 00007F6A804AE244h
  0x00000023 lfence
  0x00000026 rdtsc |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A1ADA rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A2AB7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A0CE1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A2CCE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A196F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A116F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A3147 mov eax, dword ptr fs:[00000030h] |
Source: RFQ 35465756.exe, 00000000.00000002.760072526.0000000000D80000.00000002.00000001.sdmp |
Binary or memory string: uProgram Manager |
Source: RFQ 35465756.exe, 00000000.00000002.760072526.0000000000D80000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: RFQ 35465756.exe, 00000000.00000002.760072526.0000000000D80000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: RFQ 35465756.exe, 00000000.00000002.760072526.0000000000D80000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A295F cpuid |
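Added example (Python, written for this page; not code from the sandbox vendor or from the GuLoader sample): a small triage script for the flattened signature format above. It pairs each Source row with its detail, extracts the payload URL from the GuLoader configuration row and defangs it (keeping the Google Drive file id separately), pulls the OriginalFilename strings that reveal the build name, and decodes the RDTSC interceptor listing to name the checks the stub implements: two rdtsc reads around a work loop, CPUID leaf 1 followed by a test of ECX bit 31 (the hypervisor-present flag), and reads of 0x7FFE0014, which is KUSER_SHARED_DATA.SystemTime, used as a second clock. The embedded rows are copied from the report above; the regexes and the technique labels are the editor's own heuristics, not vendor rules.

```python
"""Triage a flattened sandbox signature dump (added example, not part of the
report). Rows come as 'Source: <file or memory region> |' followed by the
signature detail; we pull out the GuLoader payload URL (defanged, with the
Google Drive file id), OriginalFilename strings, and the anti-analysis tricks
visible in the RDTSC interceptor disassembly and PEB reads."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: rows copied in the shape of the report above.
SAMPLE_REPORT = r"""
Source: RFQ 35465756.exe |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1tugb1Cx6PcCD1YoZNcA5MNpIX8ZFbd_s"} |
Source: RFQ 35465756.exe, 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameSilure2.exe vs RFQ 35465756.exe |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
RDTSC instruction interceptor: First address: 00000000022A1ADD second address: 00000000022A1ADD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F6A804AF6A9h 0x0000001d popad 0x0000001e call 00007F6A804AE244h 0x00000023 lfence 0x00000026 rdtsc |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_022A2AB7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\RFQ 35465756.exe |
Code function: 0_2_00405C23 pushad ; retf | 0_2_00405C2B |
"""

OFFSET_RE = re.compile(r"0x([0-9a-fA-F]{8})\s+")
CONFIG_RE = re.compile(r"Malware Configuration Extractor:\s*(\w+)\s*(\{.*\})")
ORIGNAME_RE = re.compile(r"OriginalFilename(\S+)\s+vs\s")
RET_OBF_RE = re.compile(r"\bpush\w*[^;]*;\s*(retf|iretd)\b")  # editor's heuristic


def parse_rows(text):
    """Pair each 'Source:' line with the detail that follows it; indented lines
    continue the previous detail (a disassembly listing split over lines)."""
    rows, source = [], None
    for raw in text.splitlines():
        line = raw.strip().strip("|").strip()
        if not line:
            continue
        if line.startswith("Source:"):
            source = line[len("Source:"):].strip()
        elif raw[:1].isspace() and rows:
            rows[-1] = (rows[-1][0], rows[-1][1] + " " + line)
        elif source is not None:
            rows.append((source, line))
    return rows


def parse_listing(detail):
    """'instructions: 0x00000000 rdtsc 0x00000002 lfence ...' -> [(offset, insn)]."""
    body = detail.partition("instructions:")[2].strip()
    parts = OFFSET_RE.split(body)  # ['', off, insn, off, insn, ...]
    return [(int(parts[i], 16), parts[i + 1].strip()) for i in range(1, len(parts) - 1, 2)]


def classify_listing(insns):
    """Name the evasion techniques a captured rdtsc stub implements (editor's labels)."""
    text = [insn for _, insn in insns]
    hits = set()
    if text.count("rdtsc") >= 2:
        hits.add("rdtsc delta timing check (slow emulation / single-stepping)")
    if "cpuid" in text:
        eax = None  # recover EAX at the cpuid: 'xor eax, eax' + 'inc eax' selects leaf 1
        for insn in text[:text.index("cpuid")]:
            if insn == "xor eax, eax":
                eax = 0
            elif insn == "inc eax" and eax is not None:
                eax += 1
        if eax == 1 and "bt ecx, 1Fh" in text:
            hits.add("CPUID leaf 1, ECX bit 31: hypervisor-present flag")
    if any("7FFE0014h" in t for t in text):
        hits.add("reads KUSER_SHARED_DATA+0x14 (SystemTime) as a second clock")
    return hits


def defang(url):
    p = urlsplit(url)
    tail = p.path + (f"?{p.query}" if p.query else "")
    return f"hxx{p.scheme[3:]}://{p.netloc.replace('.', '[.]')}{tail}"


def triage(text):
    """Return the family, defanged payload URLs, Drive ids, build names and evasion set."""
    f = {"family": None, "payload_urls": [], "drive_ids": [],
         "original_filenames": set(), "evasion": set()}
    for _source, detail in parse_rows(text):
        m = CONFIG_RE.search(detail)
        if m:
            f["family"] = m.group(1)
            url = json.loads(m.group(2)).get("Payload URL")
            if url:
                f["payload_urls"].append(defang(url))
                p = urlsplit(url)
                if p.netloc.endswith("drive.google.com"):
                    f["drive_ids"] += parse_qs(p.query).get("id", [])
        f["original_filenames"].update(ORIGNAME_RE.findall(detail))
        if detail.startswith("RDTSC instruction interceptor"):
            f["evasion"] |= classify_listing(parse_listing(detail))
        if "fs:[00000030h]" in detail:
            f["evasion"].add("PEB read via fs:[30h] (BeingDebugged / NtGlobalFlag style anti-debug)")
        if RET_OBF_RE.search(detail):
            f["evasion"].add("push ; retf/iretd control transfer (obfuscated jump)")
    return f
```

Call `triage(SAMPLE_REPORT)` (or pass the whole report text) to get the dictionary; the Drive file id is kept separately because it is the stable pivot for hunting while the full URL is what you block. The CPUID check is only reported when the leaf loaded into EAX is actually 1, since the hypervisor bit is defined for that leaf only, and the listing parser accepts either the one-line form or the indented multi-line form.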