{"Payload URL": "https://andreameixueiro.com/karin_vJoQSJCpNl6.bin"}
Source: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/karin_vJoQSJCpNl6.bin"} |
Source: Pedido N#U00famero 4432003039.exe | Virustotal: Detection: 50% |
Source: Pedido N#U00famero 4432003039.exe | Metadefender: Detection: 34% |
Source: Pedido N#U00famero 4432003039.exe | ReversingLabs: Detection: 62% |
Source: Pedido N#U00famero 4432003039.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://andreameixueiro.com/karin_vJoQSJCpNl6.bin |
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD559D NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD55A5 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD559D |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD2EA2 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD3EBF |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD2A6A |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD0266 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD5242 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD479E |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD83F5 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD3715 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD3F63 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD4345 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD0341 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD2C89 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD7CEF |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD1CD8 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD2CDB |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD082F |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD281E |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD2819 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD9069 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD905A |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD55A5 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD51B0 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD2DB3 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD0594 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD01FC |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD29C3 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD8147 |
Source: Pedido N#U00famero 4432003039.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.764259501.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesamm.exeFE2X vs Pedido N#U00famero 4432003039.exe |
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.758690514.0000000000431000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamesamm.exe vs Pedido N#U00famero 4432003039.exe |
Source: Pedido N#U00famero 4432003039.exe | Binary or memory string: OriginalFilenamesamm.exe vs Pedido N#U00famero 4432003039.exe |
Source: classification engine | Classification label: mal92.rans.troj.evad.winEXE@1/0@0/0 |
Source: Pedido N#U00famero 4432003039.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match | File source: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_0041F015 pushfd ; iretd |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_0041F018 pushfd ; iretd |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_0041E0FA push ebx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_0041AB4F pushfd ; iretd |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_0041AB86 pushfd ; iretd |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_0041F3AC pushad ; iretd |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E15F3 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E1054 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E2854 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E4054 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E5854 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E7054 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E6844 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E0843 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E2043 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E3843 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E5043 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E0878 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E2074 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E3874 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E5074 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E6875 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E0068 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E6065 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E3063 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E1863 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E4863 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E0818 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E6814 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E3813 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_005E2013 push edx; ret |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD63BD |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD60F8 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD1CD8 |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD61DB |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | RDTSC instruction interceptor: First address: 0000000002AD92FE second address: 0000000002AD92FE instructions: |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | RDTSC instruction interceptor: First address: 0000000002AD7E11 second address: 0000000002AD7E3C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cl, bl 0x00000005 test bh, bh 0x00000007 mov esi, 8C42B5F4h 0x0000000c xor esi, B79F116Eh 0x00000012 cmp cx, cx 0x00000015 xor esi, 85571E78h 0x0000001b cmp al, bl 0x0000001d sub esi, BE89CAE2h 0x00000023 test bl, bl 0x00000025 pushad 0x00000026 mov ecx, 000000C3h 0x0000002b rdtsc |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | RDTSC instruction interceptor: First address: 0000000002AD7E3C second address: 0000000002AD7E62 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cl, bl 0x00000005 test bh, bh 0x00000007 add esi, 00001000h 0x0000000d cmp cx, cx 0x00000010 cmp esi, 0000F000h 0x00000016 je 00007F9DDCF52513h 0x0000001c cmp al, bl 0x0000001e test bl, bl 0x00000020 pushad 0x00000021 mov ecx, 00000009h 0x00000026 rdtsc |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | RDTSC instruction interceptor: First address: 0000000002AD7E62 second address: 0000000002AD7EA1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp esi, 7FFFF000h 0x00000009 je 00007F9DDCF771CAh 0x0000000f cmp cl, bl 0x00000011 push 764A4EDBh 0x00000016 test bh, bh 0x00000018 xor dword ptr [esp], DE964CF3h 0x0000001f xor dword ptr [esp], 78705B66h 0x00000026 cmp cx, cx 0x00000029 add dword ptr [esp], 2F53A6B2h 0x00000030 cmp al, bl 0x00000032 push 74674D7Ah 0x00000037 test bl, bl 0x00000039 pushad 0x0000003a mov ecx, 000000A7h 0x0000003f rdtsc |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | RDTSC instruction interceptor: First address: 0000000002AD7FDA second address: 0000000002AD802C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+00000212h], eax 0x00000009 test dl, dl 0x0000000b mov eax, ebx 0x0000000d push eax 0x0000000e cmp ah, ch 0x00000010 mov eax, dword ptr [ebp+00000212h] 0x00000016 mov dword ptr [ebp+00000231h], esi 0x0000001c cmp edx, BA999675h 0x00000022 mov esi, ecx 0x00000024 push esi 0x00000025 mov esi, dword ptr [ebp+00000231h] 0x0000002b mov dword ptr [ebp+00000243h], ecx 0x00000031 mov ecx, esi 0x00000033 test ch, 0000000Fh 0x00000036 push ecx 0x00000037 mov ecx, dword ptr [ebp+00000243h] 0x0000003d test edx, ecx 0x0000003f mov dword ptr [ebp+00000198h], eax 0x00000045 cmp bx, 5F43h 0x0000004a mov eax, esi 0x0000004c pushad 0x0000004d mov ebx, 0000006Fh 0x00000052 rdtsc |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD559D rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD83F5 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD3715 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD2C89 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD78E5 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD741C mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD517B mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD8147 mov eax, dword ptr fs:[00000030h] |
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.759701760.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager |
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.759701760.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.759701760.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.759701760.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe | Code function: 0_2_02AD63BD cpuid |