Windows Analysis Report loKmeabs9V.exe

Overview

General Information

Sample Name: loKmeabs9V.exe
Analysis ID: 457916
MD5: e0d74762f123eb6603898d1482eb9752
SHA1: ee63af5c34a027ba8b8331dd678b15e7a87d26a6
SHA256: f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0
Tags: exeRAT

Detection

GuLoader Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file / registry)
Uses dynamic DNS services
Abnormally high CPU usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: loKmeabs9V.exe Virustotal: Detection: 20%
Source: loKmeabs9V.exe ReversingLabs: Detection: 13%
Yara detected Remcos RAT
Source: Yara match File source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: loKmeabs9V.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 22.0.loKmeabs9V.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData, 22_2_00404423

Compliance:

Uses 32bit PE files
Source: loKmeabs9V.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040AE51 FindFirstFileW,FindNextFileW, 22_2_0040AE51
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 23_2_00407898
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen, 24_2_00407C87

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_PRUuqVZw139.bin
Uses dynamic DNS services
Source: unknown DNS query: name: wealthyrem.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49735 -> 194.5.97.128:39200
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE
Source: Joe Sandbox View ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 101.99.94.119 Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: loKmeabs9V.exe, 00000016.00000003.470302046.0000000000A0D000.00000004.00000001.sdmp String found in binary or memory: ersion":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version informati equals www.facebook.com (Facebook)
Source: loKmeabs9V.exe, 00000016.00000002.473429817.0000000000B3B000.00000004.00000040.sdmp String found in binary or memory: http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginckFilterColumnsMode equals www.facebook.com (Facebook)
Source: loKmeabs9V.exe, 00000016.00000002.473429817.0000000000B3B000.00000004.00000040.sdmp String found in binary or memory: http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginckFilterColumnsMode equals www.yahoo.com (Yahoo)
Source: loKmeabs9V.exe String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: loKmeabs9V.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: loKmeabs9V.exe, 00000016.00000003.472054856.0000000000B3A000.00000004.00000001.sdmp String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginckFilterColumnsMode equals www.facebook.com (Facebook)
Source: loKmeabs9V.exe, 00000016.00000003.472054856.0000000000B3A000.00000004.00000001.sdmp String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginckFilterColumnsMode equals www.yahoo.com (Yahoo)
Source: loKmeabs9V.exe, 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: loKmeabs9V.exe, 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: wealthyrem.ddns.net
Source: loKmeabs9V.exe, 00000016.00000003.470222066.0000000000A02000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: loKmeabs9V.exe, 00000016.00000002.473021402.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: loKmeabs9V.exe String found in binary or memory: http://www.ebuddy.com
Source: loKmeabs9V.exe String found in binary or memory: http://www.imvu.com
Source: loKmeabs9V.exe, 00000017.00000002.470384906.000000000019C000.00000004.00000001.sdmp String found in binary or memory: http://www.imvu.com/.exe
Source: loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.imvu.comr
Source: loKmeabs9V.exe, 00000016.00000002.472368637.0000000000193000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net
Source: loKmeabs9V.exe, loKmeabs9V.exe, 00000018.00000002.471540483.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: loKmeabs9V.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: loKmeabs9V.exe, 00000016.00000003.471770618.0000000000A18000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: loKmeabs9V.exe, 00000016.00000003.471770618.0000000000A18000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: loKmeabs9V.exe String found in binary or memory: https://www.google.com
Source: loKmeabs9V.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: loKmeabs9V.exe, 00000016.00000002.473021402.00000000006E8000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\loKmeabs9V.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\loKmeabs9V.exe
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0041183A OpenClipboard,GetLastError,DeleteFileW, 22_2_0041183A

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Abnormally high CPU usage
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B629C NtWriteVirtualMemory,LoadLibraryA, 0_2_022B629C
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B5971 NtAllocateVirtualMemory, 0_2_022B5971
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B9189 NtProtectVirtualMemory, 0_2_022B9189
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B4230 NtWriteVirtualMemory, 0_2_022B4230
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B7C19 NtWriteVirtualMemory, 0_2_022B7C19
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B5844 NtWriteVirtualMemory, 0_2_022B5844
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B9653 NtWriteVirtualMemory,CreateProcessInternalW, 0_2_022B9653
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B46C8 NtWriteVirtualMemory, 0_2_022B46C8
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B4CD0 NtWriteVirtualMemory, 0_2_022B4CD0
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B9122 NtProtectVirtualMemory, 0_2_022B9122
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B4352 NtWriteVirtualMemory, 0_2_022B4352
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B41B6 NtWriteVirtualMemory, 0_2_022B41B6
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B4B96 NtWriteVirtualMemory, 0_2_022B4B96
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B87E3 NtWriteVirtualMemory, 0_2_022B87E3
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 14_2_00569CF6 LdrInitializeThunk,NtProtectVirtualMemory, 14_2_00569CF6
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 14_2_00569DCF LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 14_2_00569DCF
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 14_2_00569CF1 LdrInitializeThunk,NtProtectVirtualMemory, 14_2_00569CF1
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 22_2_0040DD85
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00401806 NtdllDefWindowProc_W, 22_2_00401806
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_004018C0 NtdllDefWindowProc_W, 22_2_004018C0
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00402CAC NtdllDefWindowProc_A, 23_2_00402CAC
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00402D66 NtdllDefWindowProc_A, 23_2_00402D66
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004016FC NtdllDefWindowProc_A, 24_2_004016FC
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004017B6 NtdllDefWindowProc_A, 24_2_004017B6
Detected potential crypto function
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B962D 0_2_022B962D
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B245A 0_2_022B245A
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B8687 0_2_022B8687
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B629C 0_2_022B629C
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B5971 0_2_022B5971
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B0571 0_2_022B0571
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B0BC7 0_2_022B0BC7
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B3A2E 0_2_022B3A2E
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B8030 0_2_022B8030
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B4230 0_2_022B4230
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B7C19 0_2_022B7C19
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B084F 0_2_022B084F
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B5844 0_2_022B5844
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B9653 0_2_022B9653
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B1654 0_2_022B1654
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B0CAC 0_2_022B0CAC
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B30BC 0_2_022B30BC
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B2889 0_2_022B2889
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B8098 0_2_022B8098
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B3C9E 0_2_022B3C9E
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B149C 0_2_022B149C
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B2C93 0_2_022B2C93
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B8294 0_2_022B8294
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B3EE1 0_2_022B3EE1
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B10E0 0_2_022B10E0
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B46C8 0_2_022B46C8
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B36C3 0_2_022B36C3
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B82DC 0_2_022B82DC
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B4CD0 0_2_022B4CD0
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B8923 0_2_022B8923
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B7921 0_2_022B7921
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B8324 0_2_022B8324
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B151C 0_2_022B151C
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B1940 0_2_022B1940
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B1D5A 0_2_022B1D5A
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B4352 0_2_022B4352
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B5DAE 0_2_022B5DAE
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B41B6 0_2_022B41B6
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B4B96 0_2_022B4B96
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B87E3 0_2_022B87E3
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B41E6 0_2_022B41E6
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B5BF3 0_2_022B5BF3
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B19F4 0_2_022B19F4
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 14_3_1E99D1E7 14_3_1E99D1E7
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 14_3_1EA3B487 14_3_1EA3B487
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 14_3_1E79FBBE 14_3_1E79FBBE
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 14_3_1E80D21E 14_3_1E80D21E
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 14_3_1E8491EC 14_3_1E8491EC
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 14_3_1E7AE755 14_3_1E7AE755
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 14_3_1E7DBB8C 14_3_1E7DBB8C
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 14_3_1E81BDB5 14_3_1E81BDB5
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 14_3_1E7A064D 14_3_1E7A064D
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044B040 22_2_0044B040
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0043610D 22_2_0043610D
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00447310 22_2_00447310
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044A490 22_2_0044A490
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040755A 22_2_0040755A
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0043C560 22_2_0043C560
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044B610 22_2_0044B610
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044D6C0 22_2_0044D6C0
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_004476F0 22_2_004476F0
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044B870 22_2_0044B870
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044081D 22_2_0044081D
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00414957 22_2_00414957
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_004079EE 22_2_004079EE
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00407AEB 22_2_00407AEB
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044AA80 22_2_0044AA80
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00412AA9 22_2_00412AA9
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00404B74 22_2_00404B74
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00404B03 22_2_00404B03
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044BBD8 22_2_0044BBD8
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00404BE5 22_2_00404BE5
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00404C76 22_2_00404C76
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00415CFE 22_2_00415CFE
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00416D72 22_2_00416D72
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00446D30 22_2_00446D30
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00446D8B 22_2_00446D8B
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00406E8F 22_2_00406E8F
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_1_00476347 22_1_00476347
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_004050C2 23_2_004050C2
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_004014AB 23_2_004014AB
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00405133 23_2_00405133
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_004051A4 23_2_004051A4
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00401246 23_2_00401246
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_0040CA46 23_2_0040CA46
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00405235 23_2_00405235
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_004032C8 23_2_004032C8
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_004222D9 23_2_004222D9
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00401689 23_2_00401689
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00402F60 23_2_00402F60
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_1_004222D9 23_1_004222D9
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_0040D044 24_2_0040D044
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_00405038 24_2_00405038
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004050A9 24_2_004050A9
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_0040511A 24_2_0040511A
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004051AB 24_2_004051AB
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004382F3 24_2_004382F3
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_00430575 24_2_00430575
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_0043B671 24_2_0043B671
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_0041F6CD 24_2_0041F6CD
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004119CF 24_2_004119CF
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_00439B11 24_2_00439B11
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_00438E54 24_2_00438E54
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_00412F67 24_2_00412F67
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_0043CF18 24_2_0043CF18
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_1_0045530B 24_1_0045530B
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: String function: 00412968 appears 78 times
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: String function: 00421A32 appears 43 times
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: String function: 00416760 appears 69 times
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: String function: 0044407A appears 37 times
PE file contains strange resources
Source: loKmeabs9V.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: loKmeabs9V.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: yourphone.exe.14.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: yourphone.exe.14.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: loKmeabs9V.exe, 00000000.00000000.205287548.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
Source: loKmeabs9V.exe Binary or memory string: OriginalFilename vs loKmeabs9V.exe
Source: loKmeabs9V.exe, 0000000E.00000003.473704439.000000001E84B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs loKmeabs9V.exe
Source: loKmeabs9V.exe, 0000000E.00000000.334706774.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
Source: loKmeabs9V.exe, 0000000E.00000002.1292980091.000000001DEA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs loKmeabs9V.exe
Source: loKmeabs9V.exe Binary or memory string: OriginalFileName vs loKmeabs9V.exe
Source: loKmeabs9V.exe, 00000016.00000000.466532006.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
Source: loKmeabs9V.exe, 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs loKmeabs9V.exe
Source: loKmeabs9V.exe, 00000017.00000000.468896528.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
Source: loKmeabs9V.exe, 00000018.00000000.470164942.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
Source: loKmeabs9V.exe Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
Uses 32bit PE files
Source: loKmeabs9V.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@9/4@1/3
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 22_2_004182CE
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification, 23_2_00410DE1
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z, 22_2_00418758
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle, 22_2_00413D4C
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy, 22_2_0040B58D
Source: C:\Users\user\Desktop\loKmeabs9V.exe File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\loKmeabs9V.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ
Source: C:\Users\user\Desktop\loKmeabs9V.exe File created: C:\Users\user\AppData\Local\Temp\~DF2A65A40B0FC83CF5.TMP
Source: loKmeabs9V.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\loKmeabs9V.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\loKmeabs9V.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\loKmeabs9V.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: loKmeabs9V.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: loKmeabs9V.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: loKmeabs9V.exe, 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: loKmeabs9V.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: loKmeabs9V.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: loKmeabs9V.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: loKmeabs9V.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: loKmeabs9V.exe Virustotal: Detection: 20%
Source: loKmeabs9V.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\loKmeabs9V.exe File read: C:\Users\user\Desktop\loKmeabs9V.exe
Source: unknown Process created: C:\Users\user\Desktop\loKmeabs9V.exe 'C:\Users\user\Desktop\loKmeabs9V.exe'
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe 'C:\Users\user\Desktop\loKmeabs9V.exe'
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\syqduvyml'
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\cawvvojfhdxf'
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\fubgoguhvlpsyny'
Source: C:\Users\user\Desktop\loKmeabs9V.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Users\user\Desktop\loKmeabs9V.cfg
Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Unpacked PE file: 22.2.loKmeabs9V.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\loKmeabs9V.exe Unpacked PE file: 23.2.loKmeabs9V.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\loKmeabs9V.exe Unpacked PE file: 24.2.loKmeabs9V.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 22_2_004044A4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_00404DCC push edx; iretd 0_2_00404DD6
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_004059BD push F32E5D69h; retf 0_2_004059D0
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044693D push ecx; ret 22_2_0044694D
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044DB70 push eax; ret 22_2_0044DB84
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044DB70 push eax; ret 22_2_0044DBAC
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00451D54 push eax; ret 22_2_00451D61
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00414060 push eax; ret 23_2_00414074
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00414060 push eax; ret 23_2_0041409C
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00414039 push ecx; ret 23_2_00414049
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_004164EB push 0000006Ah; retf 23_2_004165C4
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00416553 push 0000006Ah; retf 23_2_004165C4
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00416555 push 0000006Ah; retf 23_2_004165C4
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_00444355 push ecx; ret 24_2_00444365
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004446D0 push eax; ret 24_2_004446E4
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004446D0 push eax; ret 24_2_0044470C
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_0044AC84 push eax; ret 24_2_0044AC91
Source: initial sample Static PE information: section name: .text entropy: 7.07623900315

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\loKmeabs9V.exe File created: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.vbs
Source: C:\Users\user\Desktop\loKmeabs9V.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 24_2_004047C6
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B0BC7 TerminateProcess, 0_2_022B0BC7
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B36C3 0_2_022B36C3
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B8923 0_2_022B8923
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B5DAE 0_2_022B5DAE
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B87E3 NtWriteVirtualMemory, 0_2_022B87E3
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B88DF second address: 00000000022B88F0 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub byte ptr [eax], 00000016h 0x0000000d pushad 0x0000000e lfence 0x00000011 rdtsc
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B62EB second address: 00000000022B62EB instructions:
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B73B0 second address: 00000000022B73B0 instructions:
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B71DE second address: 00000000022B71DE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp bx, dx 0x0000000d jne 00007F72D4EAA1F5h 0x0000000f push dword ptr [esp+04h] 0x00000013 call 00007F72D4EAA40Bh 0x00000018 pushad 0x00000019 nop 0x0000001a nop 0x0000001b mov eax, 00000001h 0x00000020 cpuid 0x00000022 popad 0x00000023 mov ebx, dword ptr [esp+04h] 0x00000027 xor ecx, ecx 0x00000029 add ecx, 02h 0x0000002c cmp word ptr [ebx+ecx], 0000h 0x00000031 jne 00007F72D4EAA218h 0x00000033 add ecx, 02h 0x00000036 cmp word ptr [ebx+ecx], 0000h 0x0000003b jne 00007F72D4EAA218h 0x0000003d add ecx, 02h 0x00000040 cmp word ptr [ebx+ecx], 0000h 0x00000045 jne 00007F72D4EAA218h 0x00000047 add ecx, 02h 0x0000004a cmp word ptr [ebx+ecx], 0000h 0x0000004f jne 00007F72D4EAA218h 0x00000051 add ecx, 02h 0x00000054 cmp word ptr [ebx+ecx], 0000h 0x00000059 jne 00007F72D4EAA218h 0x0000005b add ecx, 02h 0x0000005e cmp word ptr [ebx+ecx], 0000h 0x00000063 jne 00007F72D4EAA218h 0x00000065 add ecx, 02h 0x00000068 cmp word ptr [ebx+ecx], 0000h 0x0000006d jne 00007F72D4EAA218h 0x0000006f retn 0004h 0x00000072 sub ecx, 02h 0x00000075 add eax, 02h 0x00000078 cmp esi, 68CDCEE6h 0x0000007e mov bx, word ptr [eax+ecx] 0x00000082 mov dx, word ptr [esi+ecx] 0x00000086 pushad 0x00000087 rdtsc
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B2448 second address: 00000000022B2448 instructions:
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000562448 second address: 0000000000562448 instructions:
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000565FAF second address: 0000000000565FAF instructions:
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000569DDA second address: 0000000000569DDA instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: loKmeabs9V.exe, 00000000.00000002.336058548.00000000022C0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL\YOURPHONE.EXE\SUBFOLDER1SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCESTARTUP KEY
Source: loKmeabs9V.exe, 00000000.00000002.336058548.00000000022C0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B7F30 second address: 00000000022B7F30 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A494EE6Bh 0x00000007 xor eax, 6C4D1677h 0x0000000c xor eax, 6E4EF001h 0x00000011 xor eax, A697081Ch 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F72D4EAA22Ah 0x0000001e lfence 0x00000021 mov edx, 2EA7C992h 0x00000026 xor edx, 079D8C51h 0x0000002c xor edx, 2142E10Eh 0x00000032 xor edx, 7786A4D9h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp dx, ax 0x00000040 ret 0x00000041 sub edx, esi 0x00000043 ret 0x00000044 cmp cl, dl 0x00000046 add edi, edx 0x00000048 dec dword ptr [ebp+000000F8h] 0x0000004e cmp dword ptr [ebp+000000F8h], 00000000h 0x00000055 jne 00007F72D4EAA208h 0x00000057 test eax, ebx 0x00000059 call 00007F72D4EAA26Fh 0x0000005e call 00007F72D4EAA24Bh 0x00000063 lfence 0x00000066 mov edx, 2EA7C992h 0x0000006b xor edx, 079D8C51h 0x00000071 xor edx, 2142E10Eh 0x00000077 xor edx, 7786A4D9h 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 cmp dx, ax 0x00000085 ret 0x00000086 mov esi, edx 0x00000088 pushad 0x00000089 rdtsc
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B7F7B second address: 00000000022B7F7B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 012985CBh 0x00000013 xor eax, 524C1329h 0x00000018 add eax, C04F8477h 0x0000001d sub eax, 13B51B58h 0x00000022 cpuid 0x00000024 test dx, bx 0x00000027 bt ecx, 1Fh 0x0000002b jc 00007F72D4A95E56h 0x00000031 popad 0x00000032 call 00007F72D4A958CFh 0x00000037 lfence 0x0000003a rdtsc
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B88DF second address: 00000000022B88F0 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub byte ptr [eax], 00000016h 0x0000000d pushad 0x0000000e lfence 0x00000011 rdtsc
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B88F0 second address: 00000000022B8A77 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp eax, 6AACECEFh 0x00000010 mov eax, dword ptr [esp+1Ch] 0x00000014 mov byte ptr [eax], 00000006h 0x00000017 xor byte ptr [eax], 00000055h 0x0000001a add byte ptr [eax], 00000051h 0x0000001d sub byte ptr [eax], 0000003Ah 0x00000020 mov byte ptr [eax+01h], FFFFFFD2h 0x00000024 xor byte ptr [eax+01h], 00000000h 0x00000028 cmp ah, dh 0x0000002a xor byte ptr [eax+01h], FFFFFFEEh 0x0000002e jmp 00007F72D4A957D9h 0x00000033 cmp cl, 00000013h 0x00000036 add byte ptr [eax+01h], FFFFFFC4h 0x0000003a mov byte ptr [eax+02h], 0000007Eh 0x0000003e cmp bx, 1188h 0x00000043 xor byte ptr [eax+02h], 00000067h 0x00000047 cmp ax, 000008E1h 0x0000004b cmp ax, cx 0x0000004e xor byte ptr [eax+02h], FFFFFFD8h 0x00000052 pushad 0x00000053 mov al, 9Ah 0x00000055 cmp al, 9Ah 0x00000057 jne 00007F72D4A9693Bh 0x0000005d popad 0x0000005e sub byte ptr [eax+02h], 00000009h 0x00000062 mov edx, dword ptr [ebp+00000138h] 0x00000068 mov dword ptr [eax+03h], edx 0x0000006b pushad 0x0000006c mov eax, 000000EDh 0x00000071 cpuid 0x00000073 popad 0x00000074 mov byte ptr [eax+07h], FFFFFFE2h 0x00000078 xor byte ptr [eax+07h], 00000026h 0x0000007c sub byte ptr [eax+07h], FFFFFF9Fh 0x00000080 xor byte ptr [eax+07h], FFFFFFDAh 0x00000084 test al, al 0x00000086 test dh, ch 0x00000088 mov byte ptr [eax+08h], 0000001Dh 0x0000008c xor byte ptr [eax+08h], FFFFFFACh 0x00000090 add byte ptr [eax+08h], 00000028h 0x00000094 sub byte ptr [eax+08h], 00000009h 0x00000098 cmp dx, B8CFh 0x0000009d pushad 0x0000009e mov edx, 0000005Dh 0x000000a3 rdtsc
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B62EB second address: 00000000022B62EB instructions:
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B73B0 second address: 00000000022B73B0 instructions:
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B71DE second address: 00000000022B71DE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp bx, dx 0x0000000d jne 00007F72D4EAA1F5h 0x0000000f push dword ptr [esp+04h] 0x00000013 call 00007F72D4EAA40Bh 0x00000018 pushad 0x00000019 nop 0x0000001a nop 0x0000001b mov eax, 00000001h 0x00000020 cpuid 0x00000022 popad 0x00000023 mov ebx, dword ptr [esp+04h] 0x00000027 xor ecx, ecx 0x00000029 add ecx, 02h 0x0000002c cmp word ptr [ebx+ecx], 0000h 0x00000031 jne 00007F72D4EAA218h 0x00000033 add ecx, 02h 0x00000036 cmp word ptr [ebx+ecx], 0000h 0x0000003b jne 00007F72D4EAA218h 0x0000003d add ecx, 02h 0x00000040 cmp word ptr [ebx+ecx], 0000h 0x00000045 jne 00007F72D4EAA218h 0x00000047 add ecx, 02h 0x0000004a cmp word ptr [ebx+ecx], 0000h 0x0000004f jne 00007F72D4EAA218h 0x00000051 add ecx, 02h 0x00000054 cmp word ptr [ebx+ecx], 0000h 0x00000059 jne 00007F72D4EAA218h 0x0000005b add ecx, 02h 0x0000005e cmp word ptr [ebx+ecx], 0000h 0x00000063 jne 00007F72D4EAA218h 0x00000065 add ecx, 02h 0x00000068 cmp word ptr [ebx+ecx], 0000h 0x0000006d jne 00007F72D4EAA218h 0x0000006f retn 0004h 0x00000072 sub ecx, 02h 0x00000075 add eax, 02h 0x00000078 cmp esi, 68CDCEE6h 0x0000007e mov bx, word ptr [eax+ecx] 0x00000082 mov dx, word ptr [esi+ecx] 0x00000086 pushad 0x00000087 rdtsc
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B2448 second address: 00000000022B2448 instructions:
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000567F30 second address: 0000000000567F30 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A494EE6Bh 0x00000007 xor eax, 6C4D1677h 0x0000000c xor eax, 6E4EF001h 0x00000011 xor eax, A697081Ch 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F72D4EAA22Ah 0x0000001e lfence 0x00000021 mov edx, 2EA7C992h 0x00000026 xor edx, 079D8C51h 0x0000002c xor edx, 2142E10Eh 0x00000032 xor edx, 7786A4D9h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp dx, ax 0x00000040 ret 0x00000041 sub edx, esi 0x00000043 ret 0x00000044 cmp cl, dl 0x00000046 add edi, edx 0x00000048 dec dword ptr [ebp+000000F8h] 0x0000004e cmp dword ptr [ebp+000000F8h], 00000000h 0x00000055 jne 00007F72D4EAA208h 0x00000057 test eax, ebx 0x00000059 call 00007F72D4EAA26Fh 0x0000005e call 00007F72D4EAA24Bh 0x00000063 lfence 0x00000066 mov edx, 2EA7C992h 0x0000006b xor edx, 079D8C51h 0x00000071 xor edx, 2142E10Eh 0x00000077 xor edx, 7786A4D9h 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 cmp dx, ax 0x00000085 ret 0x00000086 mov esi, edx 0x00000088 pushad 0x00000089 rdtsc
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000567F7B second address: 0000000000567F7B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 012985CBh 0x00000013 xor eax, 524C1329h 0x00000018 add eax, C04F8477h 0x0000001d sub eax, 13B51B58h 0x00000022 cpuid 0x00000024 test dx, bx 0x00000027 bt ecx, 1Fh 0x0000002b jc 00007F72D4A95E56h 0x00000031 popad 0x00000032 call 00007F72D4A958CFh 0x00000037 lfence 0x0000003a rdtsc
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000005688F0 second address: 0000000000568A77 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp eax, 6AACECEFh 0x00000010 mov eax, dword ptr [esp+1Ch] 0x00000014 mov byte ptr [eax], 00000006h 0x00000017 xor byte ptr [eax], 00000055h 0x0000001a add byte ptr [eax], 00000051h 0x0000001d sub byte ptr [eax], 0000003Ah 0x00000020 mov byte ptr [eax+01h], FFFFFFD2h 0x00000024 xor byte ptr [eax+01h], 00000000h 0x00000028 cmp ah, dh 0x0000002a xor byte ptr [eax+01h], FFFFFFEEh 0x0000002e jmp 00007F72D4EAA309h 0x00000033 cmp cl, 00000013h 0x00000036 add byte ptr [eax+01h], FFFFFFC4h 0x0000003a mov byte ptr [eax+02h], 0000007Eh 0x0000003e cmp bx, 1188h 0x00000043 xor byte ptr [eax+02h], 00000067h 0x00000047 cmp ax, 000008E1h 0x0000004b cmp ax, cx 0x0000004e xor byte ptr [eax+02h], FFFFFFD8h 0x00000052 pushad 0x00000053 mov al, 9Ah 0x00000055 cmp al, 9Ah 0x00000057 jne 00007F72D4EAB46Bh 0x0000005d popad 0x0000005e sub byte ptr [eax+02h], 00000009h 0x00000062 mov edx, dword ptr [ebp+00000138h] 0x00000068 mov dword ptr [eax+03h], edx 0x0000006b pushad 0x0000006c mov eax, 000000EDh 0x00000071 cpuid 0x00000073 popad 0x00000074 mov byte ptr [eax+07h], FFFFFFE2h 0x00000078 xor byte ptr [eax+07h], 00000026h 0x0000007c sub byte ptr [eax+07h], FFFFFF9Fh 0x00000080 xor byte ptr [eax+07h], FFFFFFDAh 0x00000084 test al, al 0x00000086 test dh, ch 0x00000088 mov byte ptr [eax+08h], 0000001Dh 0x0000008c xor byte ptr [eax+08h], FFFFFFACh 0x00000090 add byte ptr [eax+08h], 00000028h 0x00000094 sub byte ptr [eax+08h], 00000009h 0x00000098 cmp dx, B8CFh 0x0000009d pushad 0x0000009e mov edx, 0000005Dh 0x000000a3 rdtsc
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000562448 second address: 0000000000562448 instructions:
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000565FAF second address: 0000000000565FAF instructions:
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000569D77 second address: 0000000000569D95 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, B8F5A615h 0x00000010 xor eax, 6BC0978Fh 0x00000015 sub eax, FE90C053h 0x0000001a pushad 0x0000001b lfence 0x0000001e rdtsc
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000569DDA second address: 0000000000569DDA instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B962D rdtsc 0_2_022B962D
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 22_2_0040DD85
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Window / User API: threadDelayed 9093
Source: C:\Users\user\Desktop\loKmeabs9V.exe Window / User API: foregroundWindowGot 536
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\loKmeabs9V.exe TID: 2000 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\loKmeabs9V.exe TID: 5704 Thread sleep count: 9093 > 30
Source: C:\Users\user\Desktop\loKmeabs9V.exe TID: 5704 Thread sleep time: -45465s >= -30000s
Sleep loop found (likely to delay execution)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Thread sleep count: Count: 9093 delay: -5
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040AE51 FindFirstFileW,FindNextFileW, 22_2_0040AE51
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 23_2_00407898
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen, 24_2_00407C87
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00418981 memset,GetSystemInfo, 22_2_00418981
Source: loKmeabs9V.exe, 00000000.00000002.336058548.00000000022C0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll\yourphone.exe\subfolder1Software\Microsoft\Windows\CurrentVersion\RunOnceStartup key
Source: loKmeabs9V.exe, 00000000.00000002.336058548.00000000022C0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\loKmeabs9V.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\loKmeabs9V.exe Thread information set: HideFromDebugger (3 occurrences)
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process queried: DebugPort (2 occurrences)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B962D rdtsc 0_2_022B962D
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B6694 LdrInitializeThunk, 0_2_022B6694
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 22_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 22_2_004044A4
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B548E mov eax, dword ptr fs:[00000030h] 0_2_022B548E
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B2C93 mov eax, dword ptr fs:[00000030h] 0_2_022B2C93
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B36C3 mov eax, dword ptr fs:[00000030h] 0_2_022B36C3
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B7B16 mov eax, dword ptr fs:[00000030h] 0_2_022B7B16
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B87E3 mov eax, dword ptr fs:[00000030h] 0_2_022B87E3
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B73F1 mov eax, dword ptr fs:[00000030h] 0_2_022B73F1
Enables debug privileges
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into foreign processes
Source: C:\Users\user\Desktop\loKmeabs9V.exe Memory written: C:\Users\user\Desktop\loKmeabs9V.exe base: 400000 value starts with: 4D5A (3 occurrences)
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe 'C:\Users\user\Desktop\loKmeabs9V.exe'
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\syqduvyml'
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\cawvvojfhdxf'
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\fubgoguhvlpsyny'
Source: loKmeabs9V.exe, 0000000E.00000002.1287036124.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loKmeabs9V.exe, 0000000E.00000002.1287036124.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loKmeabs9V.exe, 0000000E.00000002.1287036124.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: logs.dat.14.dr Binary or memory string: [ Program Manager ]
Source: loKmeabs9V.exe, 0000000E.00000002.1287036124.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B73AF cpuid 0_2_022B73AF
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\loKmeabs9V.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 22_2_0041881C
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00407C79 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 23_2_00407C79
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0041739B GetVersionExW, 22_2_0041739B
Source: C:\Users\user\Desktop\loKmeabs9V.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected Remcos RAT
Source: Yara match File source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt (2 occurrences)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts (2 occurrences)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: ESMTPPassword 24_2_004033E2
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 24_2_00402DA5
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 24_2_00402DA5

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, type: MEMORY