Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Malware Configuration Extractor: GuLoader {"Payload URL": "https://tebogodigital.co.za/frim/build_mmHXva107.bin, https://tebogodigital.co.za/frib/build_mmHXva107.bin"}
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Virustotal: Detection: 71%
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Metadefender: Detection: 28%
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
ReversingLabs: Detection: 72%
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Malware configuration extractor
URLs: https://tebogodigital.co.za/frim/build_mmHXva107.bin, https://tebogodigital.co.za/frib/build_mmHXva107.bin
Source: initial sample
Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD88D0 NtProtectVirtualMemory, 0_2_02BD88D0
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7037 NtAllocateVirtualMemory, 0_2_02BD7037
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7280 NtAllocateVirtualMemory, 0_2_02BD7280
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD722F NtAllocateVirtualMemory, 0_2_02BD722F
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7094 NtAllocateVirtualMemory, 0_2_02BD7094
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD70C8 NtAllocateVirtualMemory, 0_2_02BD70C8
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7001 NtAllocateVirtualMemory, 0_2_02BD7001
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD71BE NtAllocateVirtualMemory, 0_2_02BD71BE
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD890F NtProtectVirtualMemory, 0_2_02BD890F
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD717E NtAllocateVirtualMemory, 0_2_02BD717E
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7159 NtAllocateVirtualMemory, 0_2_02BD7159
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_00401664
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_00403EC9
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7EA4
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7EF9
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD32E8
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD3270
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD2A5F
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7E48
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD33AC
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7FEC
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7FE5
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7BC3
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7F38
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7B33
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7B77
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7F6F
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD3364
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD8088
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7CE8
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD5825
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD341E
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7C04
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7C48
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD8042
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7DBA
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD31B4
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD319D
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD8198
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD31FD
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7DFD
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD2134
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7D36
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD810C
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD8154
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000000.204331251.0000000000419000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameMuslingernes.exe vs New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730698816.00000000021D0000.00000002.00000001.sdmp
Binary or memory string: OriginalFilenameuser32j% vs New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Binary or memory string: OriginalFilenameMuslingernes.exe vs New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Source: classification engine
Classification label: mal96.rans.troj.evad.winEXE@1/0@0/0
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Yara match
File source: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match
File source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, type: SAMPLE
Source: Yara match
File source: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000000.204310575.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match
File source: 0.0.New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match
File source: 0.2.New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_004068DF push ecx; ret 0_2_004068E1
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_00402D66 push dword ptr [ebp-44h]; ret 0_2_00413024
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_00408972 push esi; iretd 0_2_00408976
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD837B push eax; ret 0_2_02BD83B2
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD3F7A push ss; retf 0_2_02BD3F84
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD3F53 push ss; retf 0_2_02BD3F5D
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
RDTSC instruction interceptor: First address: 0000000002BD849A second address: 0000000002BD849A instructions:
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
RDTSC instruction interceptor: First address: 0000000002BD1B35 second address: 0000000002BD1B35 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 0008B41Ah
    0x00000007 sub eax, FFF0F724h
    0x0000000c add eax, FFF6636Fh
    0x00000011 sub eax, 000E2064h
    0x00000016 cpuid
    0x00000018 jmp 00007FF648847D52h
    0x0000001a test eax, edx
    0x0000001c popad
    0x0000001d call 00007FF648847D1Bh
    0x00000022 lfence
    0x00000025 mov edx, 7FFD13E2h
    0x0000002a sub edx, 000005CFh
    0x00000030 sub edx, FFFF6315h
    0x00000036 sub edx, FFFFAAEAh
    0x0000003c mov edx, dword ptr [edx]
    0x0000003e lfence
    0x00000041 ret
    0x00000042 sub edx, esi
    0x00000044 ret
    0x00000045 pop ecx
    0x00000046 add edi, edx
    0x00000048 dec ecx
    0x00000049 jmp 00007FF648847D46h
    0x0000004b test cl, FFFFFF80h
    0x0000004e cmp ecx, 00000000h
    0x00000051 jne 00007FF648847CCAh
    0x00000053 push ecx
    0x00000054 call 00007FF648847D64h
    0x00000059 call 00007FF648847D80h
    0x0000005e lfence
    0x00000061 mov edx, 7FFD13E2h
    0x00000066 sub edx, 000005CFh
    0x0000006c sub edx, FFFF6315h
    0x00000072 sub edx, FFFFAAEAh
    0x00000078 mov edx, dword ptr [edx]
    0x0000007a lfence
    0x0000007d ret
    0x0000007e mov esi, edx
    0x00000080 pushad
    0x00000081 rdtsc
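The listing above never shows the CPUID leaf or the address it reads as a literal: both are built up through add/sub chains whose "negative" immediates only make sense with 32-bit wraparound. The following Python is an added example, not part of the sandbox report and not code from the sample, that folds those two chains exactly as the CPU would. The two chains are copied from the listing; the KUSER_SHARED_DATA base and field offsets are from the public Windows header; the function names (fold_chain, describe_address, analyse_listing) are my own. The first chain resolves to 1, i.e. CPUID leaf 1, whose ECX bit 31 is the hypervisor-present bit; the second resolves to 0x7FFE0014, which is KUSER_SHARED_DATA.SystemTime, read between the two RDTSC samples that open and close the listing.

```python
"""
Fold the add/sub immediate chains from the RDTSC interceptor listing to
recover the CPUID leaf and the memory address the loader reads between
its two RDTSC samples.
"""
import re

MASK32 = 0xFFFFFFFF

# The two register-arithmetic chains as they appear in the listing
# (copied from the sandbox output; control-flow instructions omitted).
EAX_CHAIN = """
mov eax, 0008B41Ah
sub eax, FFF0F724h
add eax, FFF6636Fh
sub eax, 000E2064h
"""

EDX_CHAIN = """
mov edx, 7FFD13E2h
sub edx, 000005CFh
sub edx, FFFF6315h
sub edx, FFFFAAEAh
"""

# KUSER_SHARED_DATA is mapped read-only at a fixed user-mode address on
# 32-bit Windows; the field offsets below are from the public header.
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_SHARED_DATA_SIZE = 0x1000
KUSER_FIELDS = {
    0x008: "InterruptTime",
    0x014: "SystemTime",
    0x020: "TimeZoneBias",
}

_INSN = re.compile(r"^(mov|add|sub|xor)\s+(e[a-d]x),\s*([0-9A-Fa-f]+)h$")


def fold_chain(listing: str) -> int:
    """Emulate a mov/add/sub/xor immediate chain on one 32-bit register.

    Every step wraps modulo 2**32, which is what turns immediates such as
    FFF0F724h into small additions rather than large subtractions.
    """
    value = None
    reg = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _INSN.match(line)
        if m is None:
            raise ValueError(f"unsupported instruction: {line!r}")
        op, r, imm_hex = m.groups()
        if reg is None:
            reg = r
        elif r != reg:
            raise ValueError(f"chain mixes registers {reg} and {r}")
        imm = int(imm_hex, 16) & MASK32
        if op == "mov":
            value = imm
            continue
        if value is None:
            raise ValueError("arithmetic before the register is loaded")
        if op == "add":
            value = (value + imm) & MASK32
        elif op == "sub":
            value = (value - imm) & MASK32
        else:
            value ^= imm
    if value is None:
        raise ValueError("empty chain")
    return value


def describe_address(addr: int) -> str:
    """Name the KUSER_SHARED_DATA field if addr falls inside that page."""
    if KUSER_SHARED_DATA <= addr < KUSER_SHARED_DATA + KUSER_SHARED_DATA_SIZE:
        off = addr - KUSER_SHARED_DATA
        field = KUSER_FIELDS.get(off)
        return f"KUSER_SHARED_DATA.{field}" if field else f"KUSER_SHARED_DATA+0x{off:X}"
    return f"0x{addr:08X}"


def analyse_listing() -> dict:
    """Resolve both chains and say what the timing check is reading."""
    leaf = fold_chain(EAX_CHAIN)
    addr = fold_chain(EDX_CHAIN)
    return {
        "cpuid_leaf": leaf,
        # Leaf 1 returns feature flags; ECX bit 31 is the hypervisor-present bit.
        "cpuid_leaf_is_feature_info": leaf == 1,
        "read_address": addr,
        "read_field": describe_address(addr),
    }


if __name__ == "__main__":
    result = analyse_listing()
    print(f"CPUID leaf: {result['cpuid_leaf']}")
    print(f"Read address: 0x{result['read_address']:08X} ({result['read_field']})")
```

Reading SystemTime from the shared page gives the loop a wall-clock reference alongside the TSC, so a sandbox that only patches or slows RDTSC still shows a mismatch; what the sample compares the resulting delta against is outside this excerpt, so the script stops at resolving the operands.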
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD32E8 rdtsc 0_2_02BD32E8
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
API coverage: 6.5 %
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD6AAF mov eax, dword ptr fs:[00000030h] 0_2_02BD6AAF
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD3EF4 mov eax, dword ptr fs:[00000030h] 0_2_02BD3EF4
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD2A65 mov eax, dword ptr fs:[00000030h] 0_2_02BD2A65
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD2A5F mov eax, dword ptr fs:[00000030h] 0_2_02BD2A5F
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7BC3 mov eax, dword ptr fs:[00000030h] 0_2_02BD7BC3
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7B33 mov eax, dword ptr fs:[00000030h] 0_2_02BD7B33
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD2B00 mov eax, dword ptr fs:[00000030h] 0_2_02BD2B00
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7B77 mov eax, dword ptr fs:[00000030h] 0_2_02BD7B77
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7C04 mov eax, dword ptr fs:[00000030h] 0_2_02BD7C04
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD7C48 mov eax, dword ptr fs:[00000030h] 0_2_02BD7C48
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD2134 mov eax, dword ptr fs:[00000030h] 0_2_02BD2134
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD611B mov eax, dword ptr fs:[00000030h] 0_2_02BD611B
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730562695.0000000000DC0000.00000002.00000001.sdmp
Binary or memory string: Program Manager
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730562695.0000000000DC0000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730562695.0000000000DC0000.00000002.00000001.sdmp
Binary or memory string: Progman
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730562695.0000000000DC0000.00000002.00000001.sdmp
Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Code function: 0_2_02BD58FF cpuid 0_2_02BD58FF