Source: PREVENTIVO RICHIESTO (2).exe |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin"} |
Source: PREVENTIVO RICHIESTO (2).exe |
Virustotal: Detection: 30% |
Perma Link |
Source: PREVENTIVO RICHIESTO (2).exe |
ReversingLabs: Detection: 13% |
Source: PREVENTIVO RICHIESTO (2).exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CDE51 |
0_2_022CDE51 |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CDF39 |
0_2_022CDF39 |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CDB35 |
0_2_022CDB35 |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CDB08 |
0_2_022CDB08 |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CCF4D |
0_2_022CCF4D |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CDBE9 |
0_2_022CDBE9 |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CDC19 |
0_2_022CDC19 |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CDC59 |
0_2_022CDC59 |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CDD55 |
0_2_022CDD55 |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CDDB7 |
0_2_022CDDB7 |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CDDD5 |
0_2_022CDDD5 |
Source: PREVENTIVO RICHIESTO (2).exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: PREVENTIVO RICHIESTO (2).exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: PREVENTIVO RICHIESTO (2).exe, 00000000.00000000.208248451.0000000000435000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameSome4.exe vs PREVENTIVO RICHIESTO (2).exe |
Source: PREVENTIVO RICHIESTO (2).exe |
Binary or memory string: OriginalFilenameSome4.exe vs PREVENTIVO RICHIESTO (2).exe |
Source: PREVENTIVO RICHIESTO (2).exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: classification engine |
Classification label: mal80.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
File created: C:\Users\user\AppData\Local\Temp\~DF7595A64BA3F3C87B.TMP |
Jump to behavior |
Source: PREVENTIVO RICHIESTO (2).exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: PREVENTIVO RICHIESTO (2).exe |
Virustotal: Detection: 30% |
Source: PREVENTIVO RICHIESTO (2).exe |
ReversingLabs: Detection: 13% |
Source: Yara match |
File source: PREVENTIVO RICHIESTO (2).exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.1236460953.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.208215258.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_00406632 push ebp; iretd |
0_2_0040663C |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
RDTSC instruction interceptor: First address: 00000000022CBF06 second address: 00000000022CBF06 instructions: |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
RDTSC instruction interceptor: First address: 00000000022CB646 second address: 00000000022CBA31 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test ebx, eax 0x0000000c call 00007F394C8F551Dh 0x00000011 test ax, ax 0x00000014 test dh, 00000034h 0x00000017 xor edi, edi 0x00000019 pushad 0x0000001a mov bx, 94B2h 0x0000001e cmp bx, 94B2h 0x00000023 jne 00007F394C8F4448h 0x00000029 popad 0x0000002a test ch, ch 0x0000002c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000036 test ch, FFFFFFCAh 0x00000039 call 00007F394C8F5292h 0x0000003e call 00007F394C8F5265h 0x00000043 lfence 0x00000046 mov edx, C4D7E93Dh 0x0000004b xor edx, F24722A8h 0x00000051 xor edx, 65E80731h 0x00000057 xor edx, 2C86CCB0h 0x0000005d mov edx, dword ptr [edx] 0x0000005f lfence 0x00000062 jmp 00007F394C8F522Eh 0x00000064 cmp eax, BD9A57B8h 0x00000069 cmp cl, cl 0x0000006b cmp ch, ah 0x0000006d cmp ebx, ebx 0x0000006f test al, 1Ah 0x00000071 ret 0x00000072 mov esi, edx 0x00000074 pushad 0x00000075 rdtsc |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
RDTSC instruction interceptor: First address: 00000000022CB34C second address: 00000000022CB3B1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp esi, A3B0EE80h 0x00000009 mov edx, dword ptr [esp+04h] 0x0000000d test ch, ch 0x0000000f mov ecx, dword ptr [esp+08h] 0x00000013 jmp 00007F394C398152h 0x00000015 test ax, bx 0x00000018 add edx, ecx 0x0000001a neg ecx 0x0000001c test dx, cx 0x0000001f mov ebx, dword ptr [esp+0Ch] 0x00000023 mov eax, dword ptr [esp+10h] 0x00000027 cmp ecx, eax 0x00000029 add eax, ebx 0x0000002b mov esi, eax 0x0000002d neg ebx 0x0000002f pushad 0x00000030 mov esi, 0000000Eh 0x00000035 rdtsc |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
RDTSC instruction interceptor: First address: 00000000022CBF06 second address: 00000000022CBF06 instructions: |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
RDTSC instruction interceptor: First address: 00000000022CB646 second address: 00000000022CBA31 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test ebx, eax 0x0000000c call 00007F394C8F551Dh 0x00000011 test ax, ax 0x00000014 test dh, 00000034h 0x00000017 xor edi, edi 0x00000019 pushad 0x0000001a mov bx, 94B2h 0x0000001e cmp bx, 94B2h 0x00000023 jne 00007F394C8F4448h 0x00000029 popad 0x0000002a test ch, ch 0x0000002c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000036 test ch, FFFFFFCAh 0x00000039 call 00007F394C8F5292h 0x0000003e call 00007F394C8F5265h 0x00000043 lfence 0x00000046 mov edx, C4D7E93Dh 0x0000004b xor edx, F24722A8h 0x00000051 xor edx, 65E80731h 0x00000057 xor edx, 2C86CCB0h 0x0000005d mov edx, dword ptr [edx] 0x0000005f lfence 0x00000062 jmp 00007F394C8F522Eh 0x00000064 cmp eax, BD9A57B8h 0x00000069 cmp cl, cl 0x0000006b cmp ch, ah 0x0000006d cmp ebx, ebx 0x0000006f test al, 1Ah 0x00000071 ret 0x00000072 mov esi, edx 0x00000074 pushad 0x00000075 rdtsc |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
RDTSC instruction interceptor: First address: 00000000022CBB41 second address: 00000000022CB487 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 6D96B120h 0x00000013 add eax, 9E133F54h 0x00000018 xor eax, F9EAE90Fh 0x0000001d xor eax, F243197Ah 0x00000022 cpuid 0x00000024 test al, D2h 0x00000026 bt ecx, 1Fh 0x0000002a cmp ch, dh 0x0000002c jc 00007F394CDEDCA8h 0x00000032 cmp edx, eax 0x00000034 cmp al, cl 0x00000036 push D375BB0Ch 0x0000003b pushad 0x0000003c mov di, 6000h 0x00000040 cmp di, 6000h 0x00000045 jne 00007F394CDE1A53h 0x0000004b popad 0x0000004c call 00007F394CDEC40Ch 0x00000051 mov eax, dword ptr fs:[00000030h] 0x00000057 mov eax, dword ptr [eax+0Ch] 0x0000005a cmp bh, ah 0x0000005c mov eax, dword ptr [eax+14h] 0x0000005f test cx, dx 0x00000062 mov ecx, dword ptr [eax] 0x00000064 mov eax, ecx 0x00000066 jmp 00007F394CDED2DBh 0x00000068 mov ebx, dword ptr [eax+28h] 0x0000006b mov dword ptr [ebp+000001F5h], edi 0x00000071 mov edi, E1E7AEC2h 0x00000076 cmp dl, 0000004Dh 0x00000079 xor edi, 75204E2Fh 0x0000007f pushad 0x00000080 mov edx, 0000008Ch 0x00000085 rdtsc |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CE707 rdtsc |
0_2_022CE707 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CE707 rdtsc |
0_2_022CE707 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe |
Code function: 0_2_022CCF4D cpuid |
0_2_022CCF4D |