Play interactive tour

Edit tour

Windows Analysis Report 41609787.exe

Overview

General Information

Sample Name:	41609787.exe
Analysis ID:	452431
MD5:	242fb5498503fdae24861ca26f762745
SHA1:	e45e4180137ea7c9d81f127fac0af48cf3b4e8d7
SHA256:	7984d85806d611e8d7e3ec5640186ebce9b1daccbd07a4bbda0fc6e0e5666299
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

GuLoader behavior detected

Multi AV Scanner detection for domain / URL

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Installs a global keyboard hook

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

41609787.exe (PID: 4548 cmdline: 'C:\Users\user\Desktop\41609787.exe' MD5: 242FB5498503FDAE24861CA26F762745)

ieinstal.exe (PID: 2120 cmdline: 'C:\Users\user\Desktop\41609787.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

cmd.exe (PID: 4608 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 5776 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://smokeadmsend.online/loade"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://smokeadmsend.online/loade"}

Multi AV Scanner detection for domain / URL

Show sources

Source: databasepropersonombrecomercialideasearchwords.services

Virustotal: Detection: 11%

Perma Link

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

Source: 41609787.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 198.54.115.48:443 -> 192.168.2.3:49752 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://smokeadmsend.online/loade

Source: global traffic

TCP traffic: 192.168.2.3:49753 -> 186.169.69.166:2508

Source: Joe Sandbox View	ASN Name: COLOMBIATELECOMUNICACIONESSAESPCO COLOMBIATELECOMUNICACIONESSAESPCO
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: smokeadmsend.online

Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	String found in binary or memory: https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.bin
Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	String found in binary or memory: https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443

Source: unknown

HTTPS traffic detected: 198.54.115.48:443 -> 192.168.2.3:49752 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\internet explorer\ieinstal.exe

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\41609787.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021107A1 NtSetInformationThread,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021013C1 NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02110176 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107E15 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02108607 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210720B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210762B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210825E NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02108677 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107A95 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210669A NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210829B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210728B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107EA3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021076E5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02108703 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107305 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02105F21 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02108324 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107F2C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107B2D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107381 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107FB3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021083B7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107BC0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021077EF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210741B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107801 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210843F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210802F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107C4F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107879 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210749C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021070AF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021084D1 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021080C7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107CE5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210711D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107903 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02103D32 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210813C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107529 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210794C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107D6B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107191 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210799F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107DB4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021081A7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021075A9 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107DF5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021081FF NtWriteVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_03011587 LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_030116CC NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_0301156F LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_03011687 NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_0301174E NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_030116D3 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_030117D3 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_030115E3 LdrInitializeThunk,NtProtectVirtualMemory,

Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_004014F0
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210EB03
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021107A1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021013C1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02109130
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107E15
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106A1F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210720B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101E3A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101629
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210362A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210222A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210762B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101A2F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104651
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02102259
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210825E
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02100E47
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107A95
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210169A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210669A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210829B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210728B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101AB7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107EA3
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104AAD
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02100EDB
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021022DF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101EC4
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021046FB
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021076E5
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101715
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02108703
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107305
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104730
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101B37
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101F3F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02105F21
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02108324
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107F2C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107B2D
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210032F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02102359
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02100F79
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101F93
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210179F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107381
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101387
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107FB3
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021083B7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101BBD
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02109BD1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107BC0
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106BC7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101FF6
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021023EA
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02100FEF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021077EF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101819
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210741B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107801
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104802
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210D404
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106C0F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101C37
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106C37
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210843F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210EC2A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210802F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02103053
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02102043
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107C4F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106472
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107879
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210107F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210146D
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101890
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210749C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104880
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021024A7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021064AF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021070AF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021084D1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021080C7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021060CB
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106CE1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107CE5
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104914
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101918
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210451B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210711D
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101503
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107903
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02103D32
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101934
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210813C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107529
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210794C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210B962
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107D6B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101591
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107191
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210699F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210799F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106D85
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107DB4
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101DB7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210D5B8
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210F9A3
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021081A7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021075A9
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021055AB
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021019AF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021069D9
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021021DF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210B1C3
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02100DF1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107DF5
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021081FF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_0301136D

Source: 41609787.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 41609787.exe, 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameImpennate7.exe vs 41609787.exe
Source: 41609787.exe	Binary or memory string: OriginalFilenameImpennate7.exe vs 41609787.exe

Source: 41609787.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@3/2

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Roaming\Runtime2021

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Mutant created: \Sessions\1\BaseNamedObjects\RemcosLEG-0OFGX3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_01

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Local\Temp\posekiggerne

Jump to behavior

Source: 41609787.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\41609787.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\41609787.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\41609787.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Users\user\Desktop\41609787.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Users\user\Desktop\41609787.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02061774 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02064205 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02062A05 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02061205 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02065A03 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02066214 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02064A13 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02063213 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02061A13 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02060218 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02063A24 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02062224 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02060A24 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02066A24 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02065225 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02064233 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02062A33 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02061233 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02065A33 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02064A44 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02063244 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02061A44 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02066244 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02060248 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02063A54 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02062254 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02066A54 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02065253 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02060A58 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02065A64 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02064263 push edx; ret

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SPINTOS			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SPINTOS			Jump to behavior

Source: C:\Users\user\Desktop\41609787.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021013C1 NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107E15 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210720B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210222A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210762B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104651
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02102259 TerminateProcess,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107A95 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210669A NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210728B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107EA3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021022DF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021076E5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107305 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02105F21 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107F2C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107B2D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210032F LdrInitializeThunk,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02102359
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107381 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107FB3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107BC0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021023EA
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021077EF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210741B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107801 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107C4F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107879 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210749C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021024A7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021070AF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107CE5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210451B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210711D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107903 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02103D32 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107529 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210794C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107D6B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107191 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210799F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107DB4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021075A9 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021021DF TerminateProcess,
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107DF5 NtWriteVirtualMemory,

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\41609787.exe

RDTSC instruction interceptor: First address: 000000000210047C second address: 000000000210047C instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\41609787.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\41609787.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32MSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp, ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32MSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\OPTRNER.EXE\POSEKIGGERNESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSPINTOSHTTPS://SMOKEADMSEND.ONLINE/LOADER/1ARMADANAC1COPIA_YCUSOPUSF143.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\41609787.exe	RDTSC instruction interceptor: First address: 000000000210047C second address: 000000000210047C instructions:
Source: C:\Users\user\Desktop\41609787.exe	RDTSC instruction interceptor: First address: 000000000210DA09 second address: 000000000210DA09 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add esi, 02h 0x00000006 mov word ptr [ebp+00000176h], ax 0x0000000d mov ax, word ptr [esi] 0x00000010 cmp ax, 0000h 0x00000014 mov ax, word ptr [ebp+00000176h] 0x0000001b jne 00007F5CC09CC9EFh 0x0000001d mov ebx, edx 0x0000001f shl edx, 05h 0x00000022 add edx, ebx 0x00000024 movzx ebx, byte ptr [esi] 0x00000027 add edx, ebx 0x00000029 xor edx, 19974490h 0x0000002f jmp 00007F5CC09CCA9Eh 0x00000031 pushad 0x00000032 mov edx, 0000000Dh 0x00000037 rdtsc

Source: C:\Users\user\Desktop\41609787.exe

Code function: 0_2_021107A1 rdtsc

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Window / User API: threadDelayed 1353

Source: C:\Users\user\Desktop\41609787.exe

API coverage: 9.9 %

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1936

Thread sleep count: 1353 > 30

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Thread sleep count: Count: 1353 delay: -5

Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32Msi.dllPublishershell32advapi32TEMP=\optrner.exe\posekiggerneSoftware\Microsoft\Windows\CurrentVersion\RunSPINTOShttps://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32Msi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp, ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\41609787.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\41609787.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\41609787.exe

Code function: 0_2_021107A1 rdtsc

Source: C:\Users\user\Desktop\41609787.exe

Code function: 0_2_0210A907 LdrInitializeThunk,

Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210EB03 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210CE1B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02105F21 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210943A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210D822 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021055AB mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\41609787.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3000000

Source: C:\Users\user\Desktop\41609787.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: xlogs201.dat.27.dr	Binary or memory string: [ Program Manager ]
Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder1	Process Injection112	Masquerading1	Input Capture11	Security Software Discovery621	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Modify Registry1	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion23	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery311	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
databasepropersonombrecomercialideasearchwords.services	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.bin	0%	Avira URL Cloud	safe
https://smokeadmsend.online/loade	0%	Avira URL Cloud	safe
https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smokeadmsend.online	198.54.115.48	true	true		unknown
databasepropersonombrecomercialideasearchwords.services	186.169.69.166	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://smokeadmsend.online/loade	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.bin	ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0	ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
186.169.69.166	databasepropersonombrecomercialideasearchwords.services	Colombia		3816	COLOMBIATELECOMUNICACIONESSAESPCO	true
198.54.115.48	smokeadmsend.online	United States		22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452431
Start date:	22.07.2021
Start time:	10:40:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	41609787.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@3/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 1.6% (good quality ratio 0.1%) Quality average: 4.8% Quality standard deviation: 11.9%
HCA Information:	Successful, ratio: 68% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.255.188.83, 23.211.6.115, 104.43.193.48, 20.82.210.154, 23.211.4.86, 173.222.108.226, 173.222.108.210, 51.103.5.186, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.209.183, 20.54.110.249 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:45:06	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SPINTOS C:\Users\user\AppData\Local\Temp\posekiggerne\optrner.exe
10:45:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SPINTOS C:\Users\user\AppData\Local\Temp\posekiggerne\optrner.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.54.115.48	75PO9981.exe	Get hash	malicious	Browse	www.ownfiles.info/fl/
198.54.115.48	21PO7513.exe	Get hash	malicious	Browse	www.ownfiles.info/fl/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
databasepropersonombrecomercialideasearchwords.services	75030908.exe	Get hash	malicious	Browse	186.169.42.8
	76947851729_.exe	Get hash	malicious	Browse	181.235.3.85
	166691_pdf.exe	Get hash	malicious	Browse	181.235.4.212
	Factura Serfinanza051053709735077235764653194.exe	Get hash	malicious	Browse	186.169.43.144
	056373_pdf.exe	Get hash	malicious	Browse	186.169.43.144
	Factura Serfinanza023854786775241209783648129.exe	Get hash	malicious	Browse	186.169.43.144
	Factura Serfinanza085399218111227761873550570.exe	Get hash	malicious	Browse	186.169.43.144
	Factura Serfinanza038612482397383420891150743.exe	Get hash	malicious	Browse	186.169.43.144
	Factura Serfinanza106109596363318359608727771.exe	Get hash	malicious	Browse	186.169.72.174
	Factura Serfinanza050288227788749652817960744.exe	Get hash	malicious	Browse	186.169.72.174
	Factura Serfinanza049997609832517851274630184.exe	Get hash	malicious	Browse	186.169.72.174
	EXTRACTOSERFINANZA718365418101786154346661555.exe	Get hash	malicious	Browse	190.255.84.57
	EXTRACTOSERFINANZA989543704031499704092798964.exe	Get hash	malicious	Browse	190.255.84.57
	32657046_pdf.exe	Get hash	malicious	Browse	190.255.84.57
	6565426875_p.exe	Get hash	malicious	Browse	186.169.38.241
	4831902122_p.exe	Get hash	malicious	Browse	186.169.38.241
	8992538102_p.exe	Get hash	malicious	Browse	186.169.38.241
	9604_pdf.exe	Get hash	malicious	Browse	186.169.38.241
	Factura Serfinanza089768553548090985869814228.exe	Get hash	malicious	Browse	186.169.38.241
	EXTRACTOSERFINANZA894978636268808051252452885.exe	Get hash	malicious	Browse	186.169.38.241

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
COLOMBIATELECOMUNICACIONESSAESPCO	U1R7Ed7940	Get hash	malicious	Browse	186.113.206.66
	oEF7GAiRIg	Get hash	malicious	Browse	186.113.131.237
	BTNNG17tlh	Get hash	malicious	Browse	190.255.99.57
	MD5OxTSc6i	Get hash	malicious	Browse	190.252.136.167
	SUpODCSauS	Get hash	malicious	Browse	191.109.106.145
	TFG18FA4eD	Get hash	malicious	Browse	152.205.93.205
	eAtDhymLzp	Get hash	malicious	Browse	181.235.115.105
	ehn0f1d63M	Get hash	malicious	Browse	186.116.212.222
	zWumjXhWWz	Get hash	malicious	Browse	190.254.50.129
	e4qhQIKEim	Get hash	malicious	Browse	179.48.76.227
	YazlX01sZD	Get hash	malicious	Browse	186.116.154.100
	7Pvt6Jni6p	Get hash	malicious	Browse	167.65.244.226
	a1sMR3Vj8o	Get hash	malicious	Browse	167.2.131.28
	471u0A1FPw	Get hash	malicious	Browse	190.255.75.41
	395d6gwkWK	Get hash	malicious	Browse	152.205.93.229
	YXYFqHRx2m	Get hash	malicious	Browse	167.13.146.158
	XfKsLIPLUu	Get hash	malicious	Browse	190.67.85.74
	Z7bNxhhS7y	Get hash	malicious	Browse	190.67.85.63
	lq2609LxT8	Get hash	malicious	Browse	190.254.187.199
	khGshuibcr	Get hash	malicious	Browse	186.116.212.225
NAMECHEAP-NETUS	ORDER . 4500028602 .doc	Get hash	malicious	Browse	198.54.122.60
	Payment_invoice.exe	Get hash	malicious	Browse	198.54.117.212
	SUpODCSauS	Get hash	malicious	Browse	198.54.114.130
	0ZZqw52a6S.exe	Get hash	malicious	Browse	199.193.7.228
	nZdwtTEYoW.exe	Get hash	malicious	Browse	198.54.122.60
	CORRECT BANK DETAILS FORM.doc	Get hash	malicious	Browse	198.54.122.60
	Shipping Documents .doc	Get hash	malicious	Browse	198.54.122.60
	QxnlprRUTx.exe	Get hash	malicious	Browse	199.188.200.230
	0Lh7eA2VUZ.exe	Get hash	malicious	Browse	198.54.122.60
	REQUEST FOR QUOTATIO 158930165.doc	Get hash	malicious	Browse	198.54.122.60
	Statement.xlsx	Get hash	malicious	Browse	162.0.237.9
	Inv PKF312021.doc	Get hash	malicious	Browse	198.54.122.60
	RFQ- ROTO Fittings- 19072021.doc	Get hash	malicious	Browse	198.54.122.60
	INVOICE.exe	Get hash	malicious	Browse	198.54.117.211
	Order.exe	Get hash	malicious	Browse	198.54.117.215
	SOA.exe	Get hash	malicious	Browse	198.54.122.60
	Inv_7623980.exe	Get hash	malicious	Browse	63.250.34.223
	xBMx9OBP97.exe	Get hash	malicious	Browse	198.54.114.131
	CSyG3zNcwS.exe	Get hash	malicious	Browse	198.54.114.131
	BrCi5pJr8J.exe	Get hash	malicious	Browse	198.54.114.131

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	B5xK9XEvzO.exe	Get hash	malicious	Browse	198.54.115.48
	RsEvjI1iTt.exe	Get hash	malicious	Browse	198.54.115.48
	ORD.ppt	Get hash	malicious	Browse	198.54.115.48
	39pfFwU3Ns.exe	Get hash	malicious	Browse	198.54.115.48
	47a8af.exe.exe	Get hash	malicious	Browse	198.54.115.48
	Comprobante1.vbs	Get hash	malicious	Browse	198.54.115.48
	ZlvFNj.dll	Get hash	malicious	Browse	198.54.115.48
	QT2kxM315B.exe	Get hash	malicious	Browse	198.54.115.48
	4QKHQR82Xt.exe	Get hash	malicious	Browse	198.54.115.48
	Convert HEX uit phishing mail.htm	Get hash	malicious	Browse	198.54.115.48
	#U2706_#U260e_Play _to _Listen.htm	Get hash	malicious	Browse	198.54.115.48
	192-3216-Us.gt.com.html	Get hash	malicious	Browse	198.54.115.48
	N41101255652.vbs	Get hash	malicious	Browse	198.54.115.48
	FILE_2932NH_9923.exe	Get hash	malicious	Browse	198.54.115.48
	RDlkHCLRxE.exe	Get hash	malicious	Browse	198.54.115.48
	#U2706_#U260e_Play _to _Listen.htm	Get hash	malicious	Browse	198.54.115.48
	Swift_Fattura_0093320128_.exe	Get hash	malicious	Browse	198.54.115.48
	SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Get hash	malicious	Browse	198.54.115.48
	IPVrDRKfYj.exe	Get hash	malicious	Browse	198.54.115.48
	11.docx	Get hash	malicious	Browse	198.54.115.48

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\posekiggerne\optrner.exe Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	data
Category:	dropped
Size (bytes):	192513
Entropy (8bit):	5.613557039365368
Encrypted:	false
SSDEEP:	3072:2+ogFpSWSqqbZ0ZEuwGE5pwFGHiG1InFGHiPZEuwGE5pi:2+7AtqqbZFfGE5pakipkiufGE5pi
MD5:	873CC0BFAAB852FD58C0EB4B8D29026D
SHA1:	07C871EC1385B80D314A9EA0B047CC85D24CEE24
SHA-256:	9E6B7578CAE3E4CC0354AD9912EA36F7E3D0968DE07D30C4F3C60C1183D919C6
SHA-512:	A7609B36561ACD7AACAD21ABF085489C86A72103FCE5F32501B2B660644C6DF1AC5A4A201E39DF67F21D6F3E5C519EC3C51A633E99D8FED07D425497E84997F3
Malicious:	false
Reputation:	low
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+O.E..E..E.X.K..E...L..E..H..E.Rich.E.................PE..L.....1M.................@...................P....@.................................c........................................E..(....p......................................................................0... .......D............................text....;.......@.................. ..`.data...$....P.......P..............@....rsrc........p.......`..............@..@..^............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Runtime2021\xlogs201.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	data
Category:	dropped
Size (bytes):	182
Entropy (8bit):	3.366956781623735
Encrypted:	false
SSDEEP:	3:rklKlVnGlNWKUel5JWRal2Jl+7R0DAlBG4J+Rf3GLilXIknNQblovDl9il:IlK/yN+65YcIeeDAlgRf2e56bW/G
MD5:	CBD9A222C0C0CB1C08C8DC24D7C02F86
SHA1:	40FCA05C695340804995E29FDD5D11A488D8CAEA
SHA-256:	A59E7F82238F3158F2F86EFEFA0A8FB20ACEA309AD84DD61683639197D01A01C
SHA-512:	485877FC044D8046B408C5157BCB29FB3DC06B7DB10695F5886474398217B54EE8A2607527B292D3B179E37904C31FB186FB140ECBA375D7AAE360E6DBDFF44C
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.1./.0.7./.2.2. .1.0.:.4.5.:.1.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .R.u.n. .].....[.W.i.n.].r.....[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.613575589393616
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	41609787.exe
File size:	192512
MD5:	242fb5498503fdae24861ca26f762745
SHA1:	e45e4180137ea7c9d81f127fac0af48cf3b4e8d7
SHA256:	7984d85806d611e8d7e3ec5640186ebce9b1daccbd07a4bbda0fc6e0e5666299
SHA512:	5717a9d38ff151384fe522b5b55f7a4882bcb897d65d1c9fbd0b155f05138cc698db39805d34150daf5260906d8e09d6d752190e7d681eb181eb3569378a48fd
SSDEEP:	3072:F+ogFpSWSqqbZ0ZEuwGE5pwFGHiG1InFGHiPZEuwGE5p:F+7AtqqbZFfGE5pakipkiufGE5p
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+O..E...E...E.X.K...E...L...E...H...E.Rich..E.................PE..L.....1M.................@...................P....@........

File Icon


Icon Hash:	734c5974650d010d

Static PE Info

General
Entrypoint:	0x4014f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4D31AB09 [Sat Jan 15 14:11:21 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a70b1f0c9f8eea03c5b5d32861bccaa9

Entrypoint Preview

Instruction
push 00401F04h
call 00007F5CC0966285h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx+43347C7Eh], bh
dec ebx
inc edi
dec ebp
mov cl, E1h
mov ss, word ptr [906A07DAh]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jo 00007F5CC09662F3h
jo 00007F5CC09662FBh
jc 00007F5CC0966305h
je 00007F5CC0966304h
jc 00007F5CC09662F7h
insb
jnc 00007F5CC09662F7h
jc 00007F5CC0966305h
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
sbb byte ptr [edx], bl
xor eax, B1E56B83h
das
inc ebx
mov es, bp
test al, 9Eh
push ss
add al, B3h
call far 2631h : D68942F0h
inc edx
dec esp
mov eax, 79EDC0D1h
push eax
xor dl, byte ptr [ecx+33AD4F3Ah]
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+eax], al
add byte ptr [ebx+00h], cl
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [ecx+62h], dh
insb
imul esi, dword ptr [ecx+00h], 000B010Dh
jnbe 00007F5CC09662FAh
jc 00007F5CC09662F8h
je 00007F5CC0966301h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x245a4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0x8ac0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x144	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23b04	0x24000	False	0.399773491753	data	5.92220108342	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x25000	0x1a24	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x27000	0x8ac0	0x9000	False	0.329942491319	data	4.39398480347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2f218	0x8a8	data
RT_ICON	0x2aff0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0
RT_ICON	0x28a48	0x25a8	data
RT_ICON	0x279a0	0x10a8	data
RT_ICON	0x27538	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x274ec	0x4c	data
RT_VERSION	0x271b0	0x33c	data	Kazakh	Kazakhstan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaVarForInit, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x043f 0x04b0
LegalCopyright	@P.I.C Program
InternalName	Impennate7
FileVersion	7.00
CompanyName	@Broadcom@
LegalTrademarks	@P.I.C Program
Comments	@P.I.C Program
ProductName	@P.I.C Program
ProductVersion	7.00
FileDescription	@P.I.C Program
OriginalFilename	Impennate7.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Kazakh	Kazakhstan

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/22/21-10:45:13.302249	ICMP	399	ICMP Destination Unreachable Host Unreachable			186.169.69.166	192.168.2.3
07/22/21-10:45:44.235836	ICMP	399	ICMP Destination Unreachable Host Unreachable			186.169.69.166	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 10:45:09.966116905 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.156882048 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.157150030 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.185319901 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.376385927 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.376420021 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.376436949 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.376451969 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.376671076 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.378618956 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.378905058 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.509068012 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.699985981 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.700149059 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.717775106 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.914993048 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915028095 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915045023 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915060043 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915080070 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915102959 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915141106 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915144920 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.915163040 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915163040 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.915183067 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915195942 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.915205002 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915226936 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.915251017 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.105845928 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.105910063 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.105947018 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.105963945 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.105966091 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.105999947 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106010914 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106046915 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106066942 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106101990 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106205940 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106257915 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106267929 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106309891 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106308937 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106343985 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106368065 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106403112 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106408119 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106445074 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106450081 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106482983 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106484890 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106533051 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106539011 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106575012 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297169924 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297302008 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297312021 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297343016 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297368050 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297369957 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297404051 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297425985 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297425985 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297449112 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297472954 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297481060 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297499895 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297518015 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297524929 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297548056 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297555923 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297573090 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297596931 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297597885 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297621012 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297621012 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297646999 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297662973 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297671080 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297698975 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297703028 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297724962 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297734022 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297749996 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297759056 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297774076 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297795057 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297796965 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297821045 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297833920 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297846079 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297868967 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297869921 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297897100 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297902107 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297923088 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297944069 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297972918 CEST	49752	443	192.168.2.3	198.54.115.48

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 10:41:28.855549097 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:28.913228035 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:29.627794027 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:29.681444883 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:30.439649105 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:30.491682053 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:30.696984053 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:30.756556034 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:32.226253033 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:32.286098003 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:33.432280064 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:33.485963106 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:34.687273979 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:34.738322973 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:35.702337027 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:35.753923893 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:36.631591082 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:36.680809975 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:39.727713108 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:39.777374029 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:40.709177017 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:40.762366056 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:41.704982042 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:41.757411003 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:42.597750902 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:42.658118963 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:46.766100883 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:46.819855928 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:48.145740032 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:48.198137999 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:49.517611980 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:49.569657087 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:56.434962988 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:56.487602949 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:57.219800949 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:57.270225048 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:59.087013960 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:59.136548042 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 22, 2021 10:42:05.132457018 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:42:05.190510988 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 22, 2021 10:42:05.638375044 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:42:05.697576046 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 22, 2021 10:42:22.473356009 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:42:22.533193111 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 22, 2021 10:42:24.855288982 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:42:24.914053917 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 22, 2021 10:42:36.374967098 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:42:36.452851057 CEST	53	56132	8.8.8.8	192.168.2.3
Jul 22, 2021 10:42:37.046250105 CEST	58987	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:42:37.104217052 CEST	53	58987	8.8.8.8	192.168.2.3
Jul 22, 2021 10:43:08.455636978 CEST	56579	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:43:08.523492098 CEST	53	56579	8.8.8.8	192.168.2.3
Jul 22, 2021 10:43:09.006038904 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:43:09.074167013 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 22, 2021 10:43:25.719934940 CEST	61292	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:43:25.792639017 CEST	53	61292	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:23.550378084 CEST	63619	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:23.641876936 CEST	53	63619	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:25.413438082 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:25.543364048 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:26.391135931 CEST	61946	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:26.450129032 CEST	53	61946	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:26.938622952 CEST	64910	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:26.998559952 CEST	53	64910	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:27.642832994 CEST	52123	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:27.702327967 CEST	53	52123	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:28.215982914 CEST	56130	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:28.274662018 CEST	53	56130	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:28.861097097 CEST	56338	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:28.913039923 CEST	53	56338	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:29.772561073 CEST	59420	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:29.832505941 CEST	53	59420	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:30.739958048 CEST	58784	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:30.797008991 CEST	53	58784	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:31.252382040 CEST	63978	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:31.315813065 CEST	53	63978	8.8.8.8	192.168.2.3
Jul 22, 2021 10:45:09.855098009 CEST	62938	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:45:09.919981956 CEST	53	62938	8.8.8.8	192.168.2.3
Jul 22, 2021 10:45:12.766573906 CEST	55708	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:45:12.826633930 CEST	53	55708	8.8.8.8	192.168.2.3
Jul 22, 2021 10:45:34.928658009 CEST	56803	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:45:34.986488104 CEST	53	56803	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 22, 2021 10:45:13.302248955 CEST	186.169.69.166	192.168.2.3	c020	(Host unreachable)	Destination Unreachable
Jul 22, 2021 10:45:44.235836029 CEST	186.169.69.166	192.168.2.3	c020	(Host unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 22, 2021 10:45:09.855098009 CEST	192.168.2.3	8.8.8.8	0x18f2	Standard query (0)	smokeadmsend.online	A (IP address)	IN (0x0001)
Jul 22, 2021 10:45:12.766573906 CEST	192.168.2.3	8.8.8.8	0xfec1	Standard query (0)	databasepropersonombrecomercialideasearchwords.services	A (IP address)	IN (0x0001)
Jul 22, 2021 10:45:34.928658009 CEST	192.168.2.3	8.8.8.8	0xf13	Standard query (0)	databasepropersonombrecomercialideasearchwords.services	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jul 22, 2021 10:45:09.919981956 CEST	8.8.8.8	192.168.2.3	0x18f2	No error (0)	smokeadmsend.online	198.54.115.48	A (IP address)	IN (0x0001)
Jul 22, 2021 10:45:12.826633930 CEST	8.8.8.8	192.168.2.3	0xfec1	No error (0)	databasepropersonombrecomercialideasearchwords.services	186.169.69.166	A (IP address)	IN (0x0001)
Jul 22, 2021 10:45:34.986488104 CEST	8.8.8.8	192.168.2.3	0xf13	No error (0)	databasepropersonombrecomercialideasearchwords.services	186.169.69.166	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 22, 2021 10:45:10.378618956 CEST	198.54.115.48	443	192.168.2.3	49752	CN=smokeadmsend.online CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jun 17 02:00:00 CEST 2021 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019	Sat Jun 18 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: 41609787.exe PID: 4548 Parent PID: 5784

General

Start time:	10:41:34
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\41609787.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\41609787.exe'
Imagebase:	0x400000
File size:	192512 bytes
MD5 hash:	242FB5498503FDAE24861CA26F762745
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: ieinstal.exe PID: 2120 Parent PID: 4548

General

Start time:	10:44:29
Start date:	22/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\41609787.exe'
Imagebase:	0xbb0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: cmd.exe PID: 4608 Parent PID: 2120

General

Start time:	10:45:11
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5156 Parent PID: 4608

General

Start time:	10:45:12
Start date:	22/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: reg.exe PID: 5776 Parent PID: 4608

General

Start time:	10:45:12
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Imagebase:	0x1380000
File size:	59392 bytes
MD5 hash:	CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 41609787.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries