Source: Facturas Pagadas Al Vencimiento.exe |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1j7lPzKHjaJ361TpkvK1-2kTy_ducVUTL"} |
Source: Facturas Pagadas Al Vencimiento.exe |
Virustotal: Detection: 52% |
Source: Facturas Pagadas Al Vencimiento.exe |
ReversingLabs: Detection: 30% |
Source: Facturas Pagadas Al Vencimiento.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&id=1j7lPzKHjaJ361TpkvK1-2kTy_ducVUTL |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C4A6F |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C3425 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C3423 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C4C23 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C4C35 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C40EA |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C349D |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024CA555 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C4B0E |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C4930 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C49C8 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024D0D8D |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C4983 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C4B9A |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C4BA2 |
Source: Facturas Pagadas Al Vencimiento.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.646223178.0000000000424000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameKoordineredes.exe vs Facturas Pagadas Al Vencimiento.exe |
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168544909.00000000022C0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs Facturas Pagadas Al Vencimiento.exe |
Source: Facturas Pagadas Al Vencimiento.exe |
Binary or memory string: OriginalFilenameKoordineredes.exe vs Facturas Pagadas Al Vencimiento.exe |
Source: classification engine |
Classification label: mal92.rans.troj.evad.winEXE@1/0@0/0 |
Source: Facturas Pagadas Al Vencimiento.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: Facturas Pagadas Al Vencimiento.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040C88E push esi; iretd |
0_2_0040C890 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_00409C9A pushfd ; retf |
0_2_00409C9E |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040C4A6 pushfd ; retf |
0_2_0040C4A9 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_004050B3 push edi; iretd |
0_2_00405165 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040CE7A pushfd ; ret |
0_2_0040CE85 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040CADE push esi; iretd |
0_2_0040CAE8 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040CAE9 push esi; iretd |
0_2_0040CB08 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040A2F6 push esi; iretd |
0_2_0040A300 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040CE86 push esp; ret |
0_2_0040CE89 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040A356 push esi; iretd |
0_2_0040A358 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040C7F8 push cs; ret |
0_2_0040C88D |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_004087FB push ebp; iretd |
0_2_004087FD |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C08EC push edi; retf |
0_2_024C08ED |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C09F6 push es; ret |
0_2_024C09F8 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
RDTSC instruction interceptor: First address: 00000000024CF386 second address: 00000000024CF386 instructions: |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
RDTSC instruction interceptor: First address: 00000000024C0A8B second address: 00000000024C0A8B instructions: |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
RDTSC instruction interceptor: First address: 00000000024C0A66 second address: 00000000024C0A8B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 22DF60AAh 0x00000008 test dx, dx 0x0000000b push 3FAA25DDh 0x00000010 cmp ebx, B089EE68h 0x00000016 push 988351A5h 0x0000001b test ax, 00009A75h 0x0000001f push 541CB5A6h 0x00000024 pushad 0x00000025 rdtsc |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
RDTSC instruction interceptor: First address: 00000000024C9D4C second address: 00000000024C9D4C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 049510E3h 0x00000007 xor eax, 4F70CED7h 0x0000000c xor eax, 2D367B3Ch 0x00000011 add eax, 992C5AF9h 0x00000016 cpuid 0x00000018 jmp 00007F788CBA4ADEh 0x0000001a test dh, bh 0x0000001c popad 0x0000001d call 00007F788CBA4B14h 0x00000022 lfence 0x00000025 mov edx, D77D1D8Eh 0x0000002a add edx, 01BEBE33h 0x00000030 xor edx, A8C558E2h 0x00000036 xor edx, 0E008337h 0x0000003c mov edx, dword ptr [edx] 0x0000003e lfence 0x00000041 ret 0x00000042 sub edx, esi 0x00000044 ret 0x00000045 test ecx, ecx 0x00000047 pop ecx 0x00000048 add edi, edx 0x0000004a dec ecx 0x0000004b cmp ecx, 00000000h 0x0000004e jne 00007F788CBA4A62h 0x00000050 test ebx, ecx 0x00000052 mov dword ptr [ebp+000001F7h], esi 0x00000058 mov esi, ecx 0x0000005a pushad 0x0000005b mov cl, 3Fh 0x0000005d cmp cl, 0000003Fh 0x00000060 jne 00007F788CBA48FDh 0x00000066 popad 0x00000067 push esi 0x00000068 mov esi, dword ptr [ebp+000001F7h] 0x0000006e cmp bh, ch 0x00000070 call 00007F788CBA4B10h 0x00000075 call 00007F788CBA4B85h 0x0000007a lfence 0x0000007d mov edx, D77D1D8Eh 0x00000082 add edx, 01BEBE33h 0x00000088 xor edx, A8C558E2h 0x0000008e xor edx, 0E008337h 0x00000094 mov edx, dword ptr [edx] 0x00000096 lfence 0x00000099 ret 0x0000009a mov esi, edx 0x0000009c pushad 0x0000009d rdtsc |
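The interceptor hit above quotes the sample's timing probe verbatim: rdtsc, a chain of arithmetic on immediates, cpuid, a read through a pointer built by a second chain, then rdtsc again. The immediates only make sense once they are folded with 32-bit wraparound. The script below is an added example written for this page, not part of the sandbox report and not code from the sample; it embeds the two listings quoted above (0_2_024C0A66 and 0_2_024C9D4C) as strings, folds every `mov reg, imm` / `xor` / `add` / `sub` chain to the value the register ends up holding, and records which instruction consumes that value. The KUSER_SHARED_DATA field names are from the public Windows layout of the page mapped at 0x7FFE0000 in every 32-bit process; everything else is an assumption made for the demo.

```python
import re

MASK = 0xFFFFFFFF
KUSER_SHARED_DATA = 0x7FFE0000
# Offsets of the KSYSTEM_TIME fields of KUSER_SHARED_DATA (public layout).
KUSER_FIELDS = {
    0x008: "InterruptTime.LowPart",
    0x014: "SystemTime.LowPart",
    0x020: "TimeZoneBias.LowPart",
    0x320: "TickCount.LowPart",
}

# Listings copied from the report's "RDTSC instruction interceptor" lines,
# embedded as constructed input so the script runs offline.
LISTING_024C0A66 = (
    "0x00000000 rdtsc 0x00000002 popad 0x00000003 push 22DF60AAh 0x00000008 test dx, dx "
    "0x0000000b push 3FAA25DDh 0x00000010 cmp ebx, B089EE68h 0x00000016 push 988351A5h "
    "0x0000001b test ax, 00009A75h 0x0000001f push 541CB5A6h 0x00000024 pushad 0x00000025 rdtsc"
)
LISTING_024C9D4C = (
    "0x00000000 rdtsc 0x00000002 mov eax, 049510E3h 0x00000007 xor eax, 4F70CED7h "
    "0x0000000c xor eax, 2D367B3Ch 0x00000011 add eax, 992C5AF9h 0x00000016 cpuid "
    "0x00000018 jmp 00007F788CBA4ADEh 0x0000001a test dh, bh 0x0000001c popad "
    "0x0000001d call 00007F788CBA4B14h 0x00000022 lfence 0x00000025 mov edx, D77D1D8Eh "
    "0x0000002a add edx, 01BEBE33h 0x00000030 xor edx, A8C558E2h 0x00000036 xor edx, 0E008337h "
    "0x0000003c mov edx, dword ptr [edx] 0x0000003e lfence 0x00000041 ret 0x00000042 sub edx, esi "
    "0x00000044 ret 0x00000045 test ecx, ecx 0x00000047 pop ecx 0x00000048 add edi, edx "
    "0x0000004a dec ecx 0x0000004b cmp ecx, 00000000h 0x0000004e jne 00007F788CBA4A62h "
    "0x00000050 test ebx, ecx 0x00000052 mov dword ptr [ebp+000001F7h], esi 0x00000058 mov esi, ecx "
    "0x0000005a pushad 0x0000005b mov cl, 3Fh 0x0000005d cmp cl, 0000003Fh 0x00000060 jne 00007F788CBA48FDh "
    "0x00000066 popad 0x00000067 push esi 0x00000068 mov esi, dword ptr [ebp+000001F7h] "
    "0x0000006e cmp bh, ch 0x00000070 call 00007F788CBA4B10h 0x00000075 call 00007F788CBA4B85h "
    "0x0000007a lfence 0x0000007d mov edx, D77D1D8Eh 0x00000082 add edx, 01BEBE33h "
    "0x00000088 xor edx, A8C558E2h 0x0000008e xor edx, 0E008337h 0x00000094 mov edx, dword ptr [edx] "
    "0x00000096 lfence 0x00000099 ret 0x0000009a mov esi, edx 0x0000009c pushad 0x0000009d rdtsc"
)

# One instruction = 8-hex-digit offset followed by text up to the next offset.
INSN_RE = re.compile(r"0x([0-9a-fA-F]{8}) (.*?)(?= 0x[0-9a-fA-F]{8} |$)", re.S)
# Chain ops: an immediate applied to a 32-bit general register, e.g. "xor eax, 4F70CED7h".
CHAIN_RE = re.compile(r"^(mov|xor|add|sub) (e[a-d]x), ([0-9A-Fa-f]+)h$")


def parse_listing(listing):
    """Split a report listing into (offset, instruction text) pairs."""
    return [(int(off, 16), text.strip()) for off, text in INSN_RE.findall(listing.strip())]


def fold(value, ops):
    """Apply (op, imm) pairs to a 32-bit register value with wraparound."""
    v = value & MASK
    for op, imm in ops:
        imm &= MASK
        if op == "xor":
            v ^= imm
        elif op == "add":
            v = (v + imm) & MASK
        elif op == "sub":
            v = (v - imm) & MASK
        else:
            raise ValueError("unsupported op %r" % op)
    return v


def recover_constants(listing):
    """Return (register, folded value, consuming instruction) for every
    mov-seeded immediate chain, in listing order. A chain ends at the first
    instruction that is not an immediate op on the same register; junk
    interleaved between chain ops is not handled (assumption for this demo)."""
    found, open_chains = [], {}
    for _, text in parse_listing(listing):
        m = CHAIN_RE.match(text)
        if m and (m.group(1) == "mov" or m.group(2) in open_chains):
            op, reg, imm = m.group(1), m.group(2), int(m.group(3), 16)
            if op == "mov":
                open_chains[reg] = len(found)
                found.append([reg, imm & MASK, None])
            else:
                rec = found[open_chains[reg]]
                rec[1] = fold(rec[1], [(op, imm)])
            continue
        for idx in open_chains.values():   # this instruction consumes the result
            found[idx][2] = text
        open_chains.clear()
    return [tuple(r) for r in found]


def probe_shape(listing):
    """Order of rdtsc/cpuid in the listing: ('rdtsc','cpuid','rdtsc') is the VM-exit timing probe."""
    return tuple(text for _, text in parse_listing(listing) if text in ("rdtsc", "cpuid"))


def describe(reg, value, consumer):
    """Human-readable meaning of a recovered constant."""
    if consumer == "cpuid" and reg == "eax":
        note = "; ECX bit 31 of leaf 1 is the hypervisor-present flag" if value == 1 else ""
        return "CPUID leaf 0x%X%s" % (value, note)
    if KUSER_SHARED_DATA <= value < KUSER_SHARED_DATA + 0x1000:
        off = value - KUSER_SHARED_DATA
        return "KUSER_SHARED_DATA+0x%03X (%s)" % (off, KUSER_FIELDS.get(off, "unnamed"))
    return "0x%08X" % value


if __name__ == "__main__":
    for name, listing in (("0_2_024C0A66", LISTING_024C0A66), ("0_2_024C9D4C", LISTING_024C9D4C)):
        print(name, "probe shape:", " -> ".join(probe_shape(listing)))
        for reg, value, consumer in recover_constants(listing):
            print("  %s = 0x%08X  before '%s'  => %s" % (reg, value, consumer, describe(reg, value, consumer)))
```

Folding the first chain gives EAX = 1 immediately before cpuid, i.e. leaf 1, whose ECX bit 31 reports a hypervisor; the second chain resolves to 0x7FFE0014, KUSER_SHARED_DATA.SystemTime.LowPart, which the listing dereferences (`mov edx, dword ptr [edx]`), subtracts from the previous reading kept in ESI (`sub edx, esi`) and saves for the next round (`mov esi, edx`). Bracketed by the two rdtsc reads, that is a cycle-count and wall-clock check around an instruction that forces a VM exit, which is why the sandbox also reports sustained CPU usage above 90 percent rather than dropped files or network activity. The 0_2_024C0A66 listing has no chain at all, only pushes of random immediates between its two rdtsc reads.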
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C4058 rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024CF080 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024C9ABD mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024CF7E2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_024D0D8D mov eax, dword ptr fs:[00000030h] |
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |