Source: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://genitoriborgosatollo.it/main/client_sOcehs220.bin, http://amandaduquenoy."} |
Source: d81yNmZHaE.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://genitoriborgosatollo.it/main/client_sOcehs220.bin, http://amandaduquenoy. |
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D6827 NtAllocateVirtualMemory, | 0_2_022D6827 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D6A71 NtAllocateVirtualMemory, | 0_2_022D6A71 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D6884 NtAllocateVirtualMemory, | 0_2_022D6884 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D68C9 NtAllocateVirtualMemory, | 0_2_022D68C9 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D6911 NtAllocateVirtualMemory, | 0_2_022D6911 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D6955 NtAllocateVirtualMemory, | 0_2_022D6955 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_00401C10 | 0_2_00401C10 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_004055DB | 0_2_004055DB |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D6827 | 0_2_022D6827 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D3209 | 0_2_022D3209 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D327D | 0_2_022D327D |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D334F | 0_2_022D334F |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D33BC | 0_2_022D33BC |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D5040 | 0_2_022D5040 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D512C | 0_2_022D512C |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D31AB | 0_2_022D31AB |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D91DD | 0_2_022D91DD |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D3624 | 0_2_022D3624 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022DB46C | 0_2_022DB46C |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D36AD | 0_2_022D36AD |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D46A5 | 0_2_022D46A5 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022DA68D | 0_2_022DA68D |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D46FD | 0_2_022D46FD |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022DA6D9 | 0_2_022DA6D9 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D2702 | 0_2_022D2702 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D1765 | 0_2_022D1765 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022DA74C | 0_2_022DA74C |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D47A9 | 0_2_022D47A9 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022DA7BD | 0_2_022DA7BD |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D47CF | 0_2_022D47CF |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D346D | 0_2_022D346D |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022DB46C | 0_2_022DB46C |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D5471 | 0_2_022D5471 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D3451 | 0_2_022D3451 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D3531 | 0_2_022D3531 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D65BD | 0_2_022D65BD |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D6584 | 0_2_022D6584 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022DBA0B | 0_2_022DBA0B |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D2A4A | 0_2_022D2A4A |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D4A88 | 0_2_022D4A88 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D4AF4 | 0_2_022D4AF4 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D4B81 | 0_2_022D4B81 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D88B9 | 0_2_022D88B9 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D6884 | 0_2_022D6884 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D68C9 | 0_2_022D68C9 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D6911 | 0_2_022D6911 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D4969 | 0_2_022D4969 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D6955 | 0_2_022D6955 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D49EC | 0_2_022D49EC |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D4EC9 | 0_2_022D4EC9 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D1F7F | 0_2_022D1F7F |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D3F94 | 0_2_022D3F94 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D1FE4 | 0_2_022D1FE4 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D4C25 | 0_2_022D4C25 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D2C99 | 0_2_022D2C99 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D2D32 | 0_2_022D2D32 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D4D5C | 0_2_022D4D5C |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D2DAD | 0_2_022D2DAD |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D4DB5 | 0_2_022D4DB5 |
Source: d81yNmZHaE.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: d81yNmZHaE.exe, 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBlver.exe vs d81yNmZHaE.exe |
Source: d81yNmZHaE.exe, 00000000.00000002.761074940.00000000021F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs d81yNmZHaE.exe |
Source: d81yNmZHaE.exe | Binary or memory string: OriginalFilenameBlver.exe vs d81yNmZHaE.exe |
Source: classification engine | Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0 |
Source: d81yNmZHaE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: d81yNmZHaE.exe | Virustotal: Detection: 33% |
Source: d81yNmZHaE.exe | ReversingLabs: Detection: 39% |
Source: Yara match | File source: d81yNmZHaE.exe, type: SAMPLE |
Source: Yara match | File source: 00000000.00000000.234240857.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0.0.d81yNmZHaE.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.d81yNmZHaE.exe.400000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_004030EE push dword ptr [ebp-44h]; ret | 0_2_0041E804 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_00408957 push ecx; retf | 0_2_00408A01 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_0040953D push es; retf | 0_2_0040953E |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D72B9 push ebx; iretd | 0_2_022D72C7 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D0041 push cs; iretd | 0_2_022D004B |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D00C0 push cs; iretd | 0_2_022D00CA |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D678D push cs; iretd | 0_2_022D678E |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D5A5A push ebp; retf | 0_2_022D5A62 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Process information set: NOOPENFILEERRORBOX (reported 5 times) |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | RDTSC instruction interceptor: First address: 00000000022D6127, second address: 00000000022D6127 (both interceptions at the same address) | instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 54424F80h
    0x00000007 xor eax, BD2BBA67h
    0x0000000c add eax, 30109B8Dh
    0x00000011 sub eax, 197A9173h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007F36F0AD3678h
    0x0000001e lfence
    0x00000021 mov edx, 99F040D7h
    0x00000026 add edx, 65972F3Fh
    0x0000002c xor edx, B7C92FC9h
    0x00000032 xor edx, 37B05FCBh
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d ret
    0x0000003e sub edx, esi
    0x00000040 ret
    0x00000041 pop ecx
    0x00000042 add edi, edx
    0x00000044 dec ecx
    0x00000045 cmp ecx, 00000000h
    0x00000048 jne 00007F36F0AD3655h
    0x0000004a mov dword ptr [ebp+00000249h], eax
    0x00000050 mov eax, ecx
    0x00000052 push eax
    0x00000053 mov eax, dword ptr [ebp+00000249h]
    0x00000059 call 00007F36F0AD3687h
    0x0000005e call 00007F36F0AD3699h
    0x00000063 lfence
    0x00000066 mov edx, 99F040D7h
    0x0000006b add edx, 65972F3Fh
    0x00000071 xor edx, B7C92FC9h
    0x00000077 xor edx, 37B05FCBh
    0x0000007d mov edx, dword ptr [edx]
    0x0000007f lfence
    0x00000082 ret
    0x00000083 mov esi, edx
    0x00000085 pushad
    0x00000086 rdtsc
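The mov/add/xor/sub chains in the intercepted stub hide the immediates the code really uses, so nothing recognisable appears in a string or constant scan. The following Python is an added example, not part of the sandbox report and not GuLoader's own code: it folds those chains with 32-bit wrap-around arithmetic, using the instruction text from the trace above as input. Folding the eax chain gives 1 (the cpuid leaf whose ECX bit 31 is the hypervisor-present flag), and folding the edx chain gives 0x7FFE0014, which is offset 0x14 of the fixed user-mode KUSER_SHARED_DATA mapping at 0x7FFE0000, i.e. the SystemTime field. Together with the `sub edx, esi` / `add edi, edx` / `dec ecx` / `jne` that follow, the stub is a timing loop that accumulates how long cpuid takes by the kernel's clock. The field names in the lookup table are taken from the public KUSER_SHARED_DATA layout; the helper and trace variable names are this example's own.

```python
# Added example (not from the report): constant-fold the arithmetic
# obfuscation in the rdtsc/cpuid stub to recover the values it consumes.
import re

MASK32 = 0xFFFFFFFF

# Instruction text copied from the report's RDTSC trace, offsets stripped.
# Each trace is cut at the instruction that consumes the folded register.
TRACE_EAX = """
mov eax, 54424F80h
xor eax, BD2BBA67h
add eax, 30109B8Dh
sub eax, 197A9173h
cpuid
"""

TRACE_EDX = """
mov edx, 99F040D7h
add edx, 65972F3Fh
xor edx, B7C92FC9h
xor edx, 37B05FCBh
mov edx, dword ptr [edx]
"""

# Only register-with-immediate forms are folded; anything else stops the fold.
_INSN = re.compile(r"^\s*(mov|add|xor|sub)\s+(e[a-d]x),\s*([0-9A-Fa-f]+)h\s*$")

OPS = {
    "mov": lambda _old, imm: imm,
    "add": lambda old, imm: (old + imm) & MASK32,
    "xor": lambda old, imm: old ^ imm,
    "sub": lambda old, imm: (old - imm) & MASK32,
}


def fold_constants(trace: str) -> dict:
    """Evaluate mov/add/xor/sub-with-immediate on 32-bit registers.

    Returns the register values reached when the first non-foldable
    instruction (cpuid, a memory load, a call, ...) is met.
    """
    regs = {}
    for line in trace.strip().splitlines():
        m = _INSN.match(line)
        if not m:
            break  # the register is consumed here
        op, reg, imm = m.group(1), m.group(2), int(m.group(3), 16)
        regs[reg] = OPS[op](regs.get(reg, 0), imm)
    return regs


KUSER_SHARED_DATA = 0x7FFE0000  # fixed user-mode mapping on 32-bit Windows
KUSER_FIELDS = {
    0x00: "TickCountLowDeprecated",
    0x08: "InterruptTime",
    0x14: "SystemTime",
}


def describe(addr: int) -> str:
    """Name the KUSER_SHARED_DATA field a folded address points at, if any."""
    if KUSER_SHARED_DATA <= addr < KUSER_SHARED_DATA + 0x1000:
        off = addr - KUSER_SHARED_DATA
        return f"KUSER_SHARED_DATA+{off:#x} ({KUSER_FIELDS.get(off, 'unnamed field')})"
    return f"{addr:#010x} (not in KUSER_SHARED_DATA)"


if __name__ == "__main__":
    eax = fold_constants(TRACE_EAX)["eax"]
    edx = fold_constants(TRACE_EDX)["edx"]
    print(f"cpuid leaf  : {eax:#x}")  # 0x1: ECX bit 31 = hypervisor present
    print(f"timer source: {describe(edx)}")  # KUSER_SHARED_DATA+0x14 (SystemTime)
```

The same folder applies to any other constant chain in the dump: paste the lines up to the consuming instruction and read the register out. Because the fold is exact 32-bit arithmetic, it does not depend on the sandbox's relocated call targets, which are the only addresses in the trace that change between runs.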
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D90E4 mov eax, dword ptr fs:[00000030h] | 0_2_022D90E4 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D31AB mov eax, dword ptr fs:[00000030h] | 0_2_022D31AB |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022DA68D mov eax, dword ptr fs:[00000030h] | 0_2_022DA68D |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022DA6D9 mov eax, dword ptr fs:[00000030h] | 0_2_022DA6D9 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D9AC5 mov eax, dword ptr fs:[00000030h] | 0_2_022D9AC5 |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D3BBC mov eax, dword ptr fs:[00000030h] | 0_2_022D3BBC |
Source: C:\Users\user\Desktop\d81yNmZHaE.exe | Code function: 0_2_022D3F94 mov eax, dword ptr fs:[00000030h] | 0_2_022D3F94 |
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl |
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd, |
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |