Source: lpSbvoEkD6.exe |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://theater.expodium.net/wp-content/plugins/m/Host_AvQmpG228.bin, https://meatflesh.com/b/Host_AvQmpG228.bin"} |
Source: lpSbvoEkD6.exe |
Virustotal: Detection: 29% |
Source: lpSbvoEkD6.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: http://theater.expodium.net/wp-content/plugins/m/Host_AvQmpG228.bin, https://meatflesh.com/b/Host_AvQmpG228.bin |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
Code function: 0_2_00405720 |
0_2_00405720 |
Source: lpSbvoEkD6.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: lpSbvoEkD6.exe, 00000000.00000002.576799654.0000000002300000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs lpSbvoEkD6.exe |
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameCHELEM.exeFE2X0 vs lpSbvoEkD6.exe |
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameCHELEM.exeFE2X vs lpSbvoEkD6.exe |
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameCHELEM.exeFE2X^ vs lpSbvoEkD6.exe |
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameCHELEM.exeFE2X3 vs lpSbvoEkD6.exe |
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameCHELEM.exeFE2Xu vs lpSbvoEkD6.exe |
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameCHELEM.exeFE2XV vs lpSbvoEkD6.exe |
Source: lpSbvoEkD6.exe, 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameCHELEM.exe vs lpSbvoEkD6.exe |
Source: lpSbvoEkD6.exe |
Binary or memory string: OriginalFilenameCHELEM.exe vs lpSbvoEkD6.exe |
Source: classification engine |
Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0 |
Source: lpSbvoEkD6.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: lpSbvoEkD6.exe, type: SAMPLE |
Source: Yara match |
File source: 00000000.00000000.216224466.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0.2.lpSbvoEkD6.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.lpSbvoEkD6.exe.400000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
Code function: 0_2_00409AF3 push ss; retf |
0_2_00409AFB |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
Code function: 0_2_00406141 push 5A7B4F15h; ret |
0_2_0040614C |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
Code function: 0_2_00406D6B push eax; ret |
0_2_00406D6D |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
Code function: 0_2_00402F03 push dword ptr [ebp-1Ch]; ret |
0_2_0041B0E4 |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
Code function: 0_2_00406BCA pushfd ; ret |
0_2_00406BD1 |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
Code function: 0_2_00407D85 pushad ; iretd |
0_2_00407DA1 |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
RDTSC instruction interceptor: First address: 0000000002C32B24 second address: 0000000002C32B24 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 9E07C293h 0x00000007 add eax, 10CAA39Fh 0x0000000c xor eax, 3308A0D8h 0x00000011 sub eax, 9DDAC6E9h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F99AC4F37A1h 0x0000001e lfence 0x00000021 mov edx, 25CCE66Fh 0x00000026 xor edx, BC263FA9h 0x0000002c xor edx, 19DA13DCh 0x00000032 xor edx, FFCECA0Eh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e jmp 00007F99AC4F3796h 0x00000040 test dx, dx 0x00000043 sub edx, esi 0x00000045 ret 0x00000046 pop ecx 0x00000047 add edi, edx 0x00000049 dec ecx 0x0000004a cmp ecx, 00000000h 0x0000004d jne 00007F99AC4F3743h 0x0000004f mov dword ptr [ebp+0000021Bh], edx 0x00000055 mov edx, ecx 0x00000057 test edx, ecx 0x00000059 push edx 0x0000005a mov edx, dword ptr [ebp+0000021Bh] 0x00000060 call 00007F99AC4F377Bh 0x00000065 call 00007F99AC4F37C2h 0x0000006a lfence 0x0000006d mov edx, 25CCE66Fh 0x00000072 xor edx, BC263FA9h 0x00000078 xor edx, 19DA13DCh 0x0000007e xor edx, FFCECA0Eh 0x00000084 mov edx, dword ptr [edx] 0x00000086 lfence 0x00000089 ret 0x0000008a mov esi, edx 0x0000008c pushad 0x0000008d rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: lpSbvoEkD6.exe, 00000000.00000002.576734773.0000000000DC0000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: lpSbvoEkD6.exe, 00000000.00000002.576734773.0000000000DC0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: lpSbvoEkD6.exe, 00000000.00000002.576734773.0000000000DC0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: lpSbvoEkD6.exe, 00000000.00000002.576734773.0000000000DC0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |