Loading ...

Play interactive tourEdit tour

Analysis Report FACTURA Y ALBARANES (2).exe

Overview

General Information

Sample Name:FACTURA Y ALBARANES (2).exe
Analysis ID:430638
MD5:0a2ce5a915bf643953baf2fcf3b25a5e
SHA1:21a26264df4f615da898b38ef9332ff66d24b505
SHA256:5a5428877719d24368bc14761dee49adf676fd883abd3a8c30b84c0b0c7e13f5
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • FACTURA Y ALBARANES (2).exe (PID: 6124 cmdline: 'C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exe' MD5: 0A2CE5A915BF643953BAF2FCF3B25A5E)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=10cWvVkUqjSi-M-x6hHokSklVF3h_YX3c"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
FACTURA Y ALBARANES (2).exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: FACTURA Y ALBARANES (2).exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=10cWvVkUqjSi-M-x6hHokSklVF3h_YX3c"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: FACTURA Y ALBARANES (2).exeVirustotal: Detection: 27%Perma Link
    Source: FACTURA Y ALBARANES (2).exeReversingLabs: Detection: 19%
    Source: FACTURA Y ALBARANES (2).exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=10cWvVkUqjSi-M-x6hHokSklVF3h_YX3c

    System Summary:

    barindex
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A440 NtAllocateVirtualMemory,1_2_02B6A440
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A496 NtAllocateVirtualMemory,1_2_02B6A496
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A6FC NtAllocateVirtualMemory,1_2_02B6A6FC
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A434 NtAllocateVirtualMemory,1_2_02B6A434
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A653 NtAllocateVirtualMemory,1_2_02B6A653
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A44E NtAllocateVirtualMemory,1_2_02B6A44E
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A7C7 NtAllocateVirtualMemory,1_2_02B6A7C7
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A5C9 NtAllocateVirtualMemory,1_2_02B6A5C9
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A52C NtAllocateVirtualMemory,1_2_02B6A52C
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A75E NtAllocateVirtualMemory,1_2_02B6A75E
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A4401_2_02B6A440
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67EB91_2_02B67EB9
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B66EA01_2_02B66EA0
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B648A11_2_02B648A1
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B680961_2_02B68096
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A4961_2_02B6A496
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6529A1_2_02B6529A
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B64A801_2_02B64A80
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6708A1_2_02B6708A
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B69EF11_2_02B69EF1
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B678E51_2_02B678E5
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B676EE1_2_02B676EE
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67AEA1_2_02B67AEA
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B650D51_2_02B650D5
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67CDB1_2_02B67CDB
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B716CD1_2_02B716CD
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A4341_2_02B6A434
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67C321_2_02B67C32
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67A311_2_02B67A31
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67E1C1_2_02B67E1C
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B648061_2_02B64806
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B66E021_2_02B66E02
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B652081_2_02B65208
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6E07D1_2_02B6E07D
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6746D1_2_02B6746D
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B676561_2_02B67656
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B650461_2_02B65046
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B678401_2_02B67840
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A44E1_2_02B6A44E
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B64C4A1_2_02B64C4A
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B631BD1_2_02B631BD
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B64BBD1_2_02B64BBD
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B675A81_2_02B675A8
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B677961_2_02B67796
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B64F971_2_02B64F97
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67D921_2_02B67D92
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6439E1_2_02B6439E
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67B9B1_2_02B67B9B
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6798C1_2_02B6798C
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B681F31_2_02B681F3
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B64FF01_2_02B64FF0
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67FFD1_2_02B67FFD
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B649E41_2_02B649E4
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B66FE81_2_02B66FE8
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B671DF1_2_02B671DF
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B673CC1_2_02B673CC
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B631C81_2_02B631C8
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B647321_2_02B64732
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6473E1_2_02B6473E
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6813E1_2_02B6813E
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B671391_2_02B67139
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B64F271_2_02B64F27
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B64F221_2_02B64F22
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B673231_2_02B67323
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B64B1F1_2_02B64B1F
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6531F1_2_02B6531F
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6E51C1_2_02B6E51C
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B675041_2_02B67504
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B675621_2_02B67562
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6516A1_2_02B6516A
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67F6A1_2_02B67F6A
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B66D571_2_02B66D57
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B66D551_2_02B66D55
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B675551_2_02B67555
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B649401_2_02B64940
    Source: FACTURA Y ALBARANES (2).exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: FACTURA Y ALBARANES (2).exe, 00000001.00000002.732171971.0000000000423000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameabjections.exe vs FACTURA Y ALBARANES (2).exe
    Source: FACTURA Y ALBARANES (2).exe, 00000001.00000002.733780596.00000000020A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs FACTURA Y ALBARANES (2).exe
    Source: FACTURA Y ALBARANES (2).exeBinary or memory string: OriginalFilenameabjections.exe vs FACTURA Y ALBARANES (2).exe
    Source: FACTURA Y ALBARANES (2).exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal92.rans.troj.evad.winEXE@1/0@0/0
    Source: FACTURA Y ALBARANES (2).exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: FACTURA Y ALBARANES (2).exeVirustotal: Detection: 27%
    Source: FACTURA Y ALBARANES (2).exeReversingLabs: Detection: 19%

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: FACTURA Y ALBARANES (2).exe, type: SAMPLE
    Source: Yara matchFile source: 1.2.FACTURA Y ALBARANES (2).exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.0.FACTURA Y ALBARANES (2).exe.400000.0.unpack, type: UNPACKEDPE
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_0040AC0D push ebx; iretd 1_2_0040AC0E
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_0040AEB5 push ecx; iretd 1_2_0040AEBA
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_00407B26 push es; ret 1_2_00407B27
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67EB9 1_2_02B67EB9
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B66EA0 1_2_02B66EA0
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B68096 1_2_02B68096
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6828C 1_2_02B6828C
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6708A 1_2_02B6708A
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B65EF0 1_2_02B65EF0
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B678E5 1_2_02B678E5
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B676EE 1_2_02B676EE
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67AEA 1_2_02B67AEA
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B65CD6 1_2_02B65CD6
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67CDB 1_2_02B67CDB
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B65CD8 1_2_02B65CD8
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B716CD 1_2_02B716CD
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67C32 1_2_02B67C32
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67A31 1_2_02B67A31
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67E1C 1_2_02B67E1C
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6601B 1_2_02B6601B
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B66E02 1_2_02B66E02
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6E07D 1_2_02B6E07D
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6746D 1_2_02B6746D
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67656 1_2_02B67656
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B65E5B 1_2_02B65E5B
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67840 1_2_02B67840
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B675A8 1_2_02B675A8
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67796 1_2_02B67796
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67D92 1_2_02B67D92
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6439E 1_2_02B6439E
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B65F9A 1_2_02B65F9A
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B68D9A 1_2_02B68D9A
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67B9B 1_2_02B67B9B
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B68D81 1_2_02B68D81
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6798C 1_2_02B6798C
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B681F3 1_2_02B681F3
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67FFD 1_2_02B67FFD
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B66FE8 1_2_02B66FE8
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B671DF 1_2_02B671DF
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B65DD9 1_2_02B65DD9
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B673CC 1_2_02B673CC
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B65D3E 1_2_02B65D3E
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6813E 1_2_02B6813E
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67139 1_2_02B67139
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B64F22 1_2_02B64F22
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67323 1_2_02B67323
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B63B2D 1_2_02B63B2D
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6E51C 1_2_02B6E51C
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67504 1_2_02B67504
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67562 1_2_02B67562
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67F6A 1_2_02B67F6A
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B66D57 1_2_02B66D57
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B67555 1_2_02B67555
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B66145 1_2_02B66145
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B63B42 1_2_02B63B42
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B68343 1_2_02B68343
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeRDTSC instruction interceptor: First address: 0000000002B6F14D second address: 0000000002B6F14D instructions:
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeRDTSC instruction interceptor: First address: 0000000002B6F0DE second address: 0000000002B6F0DE instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add esi, 02h 0x0000000e cmp word ptr [esi], 0000h 0x00000012 jne 00007F89544D0805h 0x00000014 mov ebx, edx 0x00000016 shl edx, 05h 0x00000019 add edx, ebx 0x0000001b movzx ebx, byte ptr [esi] 0x0000001e cmp cx, dx 0x00000021 add edx, ebx 0x00000023 xor edx, 370C63DEh 0x00000029 pushad 0x0000002a lfence 0x0000002d rdtsc
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeRDTSC instruction interceptor: First address: 0000000002B6F14D second address: 0000000002B6F14D instructions:
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A440 rdtsc 1_2_02B6A440
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6A440 rdtsc 1_2_02B6A440
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6E88D mov eax, dword ptr fs:[00000030h]1_2_02B6E88D
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B65CD6 mov eax, dword ptr fs:[00000030h]1_2_02B65CD6
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B65CD8 mov eax, dword ptr fs:[00000030h]1_2_02B65CD8
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B695A4 mov eax, dword ptr fs:[00000030h]1_2_02B695A4
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B695A2 mov eax, dword ptr fs:[00000030h]1_2_02B695A2
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B64F22 mov eax, dword ptr fs:[00000030h]1_2_02B64F22
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B6EF17 mov eax, dword ptr fs:[00000030h]1_2_02B6EF17
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: FACTURA Y ALBARANES (2).exe, 00000001.00000002.733408157.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: FACTURA Y ALBARANES (2).exe, 00000001.00000002.733408157.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: FACTURA Y ALBARANES (2).exe, 00000001.00000002.733408157.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: FACTURA Y ALBARANES (2).exe, 00000001.00000002.733408157.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\FACTURA Y ALBARANES (2).exeCode function: 1_2_02B68869 cpuid 1_2_02B68869

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery311Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.