Source: 00000000.00000002.696727696.0000000002180000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://theater.expodium.net/wp-content/plugins/m/agent_RgbAiUJQ186.bin, https://meatflesh.com/b/agent_RgbAiUJQ186.bin"} |
Source: fN2QHk2XYG.exe |
Virustotal: Detection: 35% |
Source: fN2QHk2XYG.exe |
ReversingLabs: Detection: 23% |
Source: fN2QHk2XYG.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: http://theater.expodium.net/wp-content/plugins/m/agent_RgbAiUJQ186.bin, https://meatflesh.com/b/agent_RgbAiUJQ186.bin |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Code function: 0_2_004018A4 |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Code function: 0_2_0040572D |
Source: fN2QHk2XYG.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: fN2QHk2XYG.exe, 00000000.00000002.700011437.0000000002A40000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameBidragssatsen.exeFE2X, vs fN2QHk2XYG.exe |
Source: fN2QHk2XYG.exe, 00000000.00000002.700011437.0000000002A40000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameBidragssatsen.exeFE2X vs fN2QHk2XYG.exe |
Source: fN2QHk2XYG.exe, 00000000.00000002.700011437.0000000002A40000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameBidragssatsen.exeFE2Xt> vs fN2QHk2XYG.exe |
Source: fN2QHk2XYG.exe, 00000000.00000002.700011437.0000000002A40000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameBidragssatsen.exeFE2Xq< vs fN2QHk2XYG.exe |
Source: fN2QHk2XYG.exe, 00000000.00000002.700011437.0000000002A40000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameBidragssatsen.exeFE2Xz: vs fN2QHk2XYG.exe |
Source: fN2QHk2XYG.exe, 00000000.00000002.695174751.0000000000424000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameBidragssatsen.exe vs fN2QHk2XYG.exe |
Source: fN2QHk2XYG.exe |
Binary or memory string: OriginalFilenameBidragssatsen.exe vs fN2QHk2XYG.exe |
Source: classification engine |
Classification label: mal92.rans.troj.evad.winEXE@1/0@0/0 |
Source: fN2QHk2XYG.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: 00000000.00000002.696727696.0000000002180000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Code function: 0_2_004018A4 push es; retf 1207h | 0_2_00401B43 |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Code function: 0_2_0040B067 push esp; ret | 0_2_0040B066 |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Code function: 0_2_0040B011 push esp; ret | 0_2_0040B066 |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Code function: 0_2_0040C488 pushad ; ret | 0_2_0040C490 |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Code function: 0_2_0040D16E push esi; retf | 0_2_0040D183 |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Code function: 0_2_004099CC pushad ; iretd | 0_2_004099D0 |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Code function: 0_2_0040DECC push ds; iretd | 0_2_0040DF0F |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Code function: 0_2_00409EB8 push esp; ret | 0_2_00409F1A |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Code function: 0_2_00402F13 push dword ptr [ebp-1Ch]; ret | 0_2_0041B584 |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Code function: 0_2_0040B31C push esp; ret | 0_2_0040B37A |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
RDTSC instruction interceptor: First address: 0000000002182C1D second address: 0000000002182C1D instructions: |
0x00000000 rdtsc
0x00000002 mov eax, A66414CFh
0x00000007 xor eax, 581F58E6h
0x0000000c sub eax, 229E4046h
0x00000011 sub eax, DBDD0BE2h
0x00000016 cpuid
0x00000018 popad
0x00000019 jmp 00007F8734D7F3D2h
0x0000001b test ebx, DCDA3E5Bh
0x00000021 call 00007F8734D7F39Ah
0x00000026 lfence
0x00000029 mov edx, 484CC6CEh
0x0000002e add edx, 19EAE7DAh
0x00000034 xor edx, 3A01ADFCh
0x0000003a xor edx, 27C80340h
0x00000040 mov edx, dword ptr [edx]
0x00000042 lfence
0x00000045 ret
0x00000046 sub edx, esi
0x00000048 ret
0x00000049 cmp edx, ecx
0x0000004b pop ecx
0x0000004c cmp bh, dh
0x0000004e add edi, edx
0x00000050 dec ecx
0x00000051 cmp ecx, 00000000h
0x00000054 jne 00007F8734D7F33Fh
0x00000056 test ecx, eax
0x00000058 mov dword ptr [ebp+00000237h], edx
0x0000005e mov edx, ecx
0x00000060 push edx
0x00000061 mov edx, dword ptr [ebp+00000237h]
0x00000067 jmp 00007F8734D7F3BEh
0x00000069 cmp al, cl
0x0000006b call 00007F8734D7F3BBh
0x00000070 call 00007F8734D7F403h
0x00000075 lfence
0x00000078 mov edx, 484CC6CEh
0x0000007d add edx, 19EAE7DAh
0x00000083 xor edx, 3A01ADFCh
0x00000089 xor edx, 27C80340h
0x0000008f mov edx, dword ptr [edx]
0x00000091 lfence
0x00000094 ret
0x00000095 mov esi, edx
0x00000097 pushad
0x00000098 rdtsc
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\fN2QHk2XYG.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: fN2QHk2XYG.exe, 00000000.00000002.696430132.0000000000CA0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: fN2QHk2XYG.exe, 00000000.00000002.696430132.0000000000CA0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: fN2QHk2XYG.exe, 00000000.00000002.696430132.0000000000CA0000.00000002.00000001.sdmp |
Binary or memory string: &Program Manager |
Source: fN2QHk2XYG.exe, 00000000.00000002.696430132.0000000000CA0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |