Source: 00000000.00000002.1174329957.0000000002B20000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"} |
Source: Fec9qUX4at.exe |
Virustotal: Detection: 28% |
Source: Fec9qUX4at.exe |
ReversingLabs: Detection: 13% |
Source: Fec9qUX4at.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code functions (NtAllocateVirtualMemory): 0_2_02B25867, 0_2_02B2586A, 0_2_02B258D5 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code functions: 0_2_00401144, 0_2_02B25867, 0_2_02B2586A, 0_2_02B238B9, 0_2_02B27AA5, 0_2_02B22AAE, 0_2_02B27EAD, 0_2_02B24292, 0_2_02B24693, 0_2_02B28C9D, 0_2_02B242D5, 0_2_02B206D9, 0_2_02B23424, 0_2_02B25E11, 0_2_02B24C15, 0_2_02B2380C, 0_2_02B25661, 0_2_02B23051, 0_2_02B25C5C, 0_2_02B24A41, 0_2_02B2864F, 0_2_02B23996, 0_2_02B28181, 0_2_02B21D86, 0_2_02B21D8F, 0_2_02B285F7, 0_2_02B213FC, 0_2_02B205E0, 0_2_02B23FDB, 0_2_02B209C7, 0_2_02B277CC, 0_2_02B2293E, 0_2_02B28500, 0_2_02B29577, 0_2_02B22D7C, 0_2_02B27F61, 0_2_02B28355, 0_2_02B2475A, 0_2_02B22559, 0_2_02B28759 |
Source: Fec9qUX4at.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Fec9qUX4at.exe, 00000000.00000000.650669230.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe |
Source: Fec9qUX4at.exe, 00000000.00000002.1173603407.0000000002090000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs Fec9qUX4at.exe |
Source: Fec9qUX4at.exe |
Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe |
Source: classification engine |
Classification label: mal88.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFCB9C324FCAA7B61E.TMP |
Source: Fec9qUX4at.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: 00000000.00000002.1174329957.0000000002B20000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_00407CF7 push eax; ret (return target 0_2_00407CF8) |
Source: initial sample |
Static PE information: section name: .text entropy: 7.05513425915 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 0000000002B27394 second address: 0000000002B27394 instructions: |
0x00000000 rdtsc
0x00000002 mov eax, 00000001h
0x00000007 cpuid
0x00000009 popad
0x0000000a mov byte ptr [ebx], al
0x0000000c pushad
0x0000000d mov ah, 58h
0x0000000f cmp ah, 00000058h
0x00000012 jne 00007F5630B1DC8Ch
0x00000018 popad
0x00000019 inc ebx
0x0000001a inc edx
0x0000001b dec ecx
0x0000001c test ecx, ecx
0x0000001e jne 00007F5630B20D7Fh
0x00000020 mov al, byte ptr [edx]
0x00000022 pushad
0x00000023 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 0000000002B27DB5 second address: 0000000002B27DB5 instructions: |
0x00000000 rdtsc
0x00000002 mov eax, A7105D73h
0x00000007 xor eax, 87E90EABh
0x0000000c xor eax, 91654CB2h
0x00000011 xor eax, B19C1F6Bh
0x00000016 cpuid
0x00000018 test ecx, eax
0x0000001a popad
0x0000001b call 00007F563036823Bh
0x00000020 lfence
0x00000023 mov edx, 2543AA54h
0x00000028 xor edx, 8D843AA0h
0x0000002e xor edx, CC85E3A5h
0x00000034 xor edx, 1BBC7345h
0x0000003a mov edx, dword ptr [edx]
0x0000003c lfence
0x0000003f test bx, bx
0x00000042 cmp ch, dh
0x00000044 ret
0x00000045 sub edx, esi
0x00000047 ret
0x00000048 add edi, edx
0x0000004a dec dword ptr [ebp+000000F8h]
0x00000050 cmp dword ptr [ebp+000000F8h], 00000000h
0x00000057 jne 00007F563036821Ch
0x00000059 call 00007F563036827Ch
0x0000005e call 00007F563036825Eh
0x00000063 lfence
0x00000066 mov edx, 2543AA54h
0x0000006b xor edx, 8D843AA0h
0x00000071 xor edx, CC85E3A5h
0x00000077 xor edx, 1BBC7345h
0x0000007d mov edx, dword ptr [edx]
0x0000007f lfence
0x00000082 test bx, bx
0x00000085 cmp ch, dh
0x00000087 ret
0x00000088 mov esi, edx
0x0000008a pushad
0x0000008b rdtsc
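The second intercepted sequence never writes the CPUID leaf or the pointer it dereferences as a plain immediate: each is built as `mov reg, imm` followed by three `xor reg, imm`. Folding the chains gives eax = 0x00000001 (CPUID leaf 1, whose ECX bit 31 reports a hypervisor; it is the same leaf the first sequence loads directly) and edx = 0x7FFE0014, which is KUSER_SHARED_DATA.SystemTime. The rest of the loop reads as a wall-clock timing check around RDTSC: `sub edx, esi` takes the delta from the previous reading, `add edi, edx` accumulates it, and `dec dword ptr [ebp+000000F8h]` counts iterations. The script below is an added example, not part of the sandbox report or of GuLoader: it parses the interceptor's flat instruction text, folds the XOR chains and names the KUSER_SHARED_DATA field. RDTSC_TRACE is the report's own listing truncated after the first `ret`; the KUSER_SHARED_DATA offsets are the documented, version-stable ones, and the field table is deliberately limited to those.

```python
import re

# Disassembly text as the sandbox's RDTSC instruction interceptor reports it
# (the sequence at 0x02B27DB5 from the report above, truncated after the first `ret`).
RDTSC_TRACE = (
    "0x00000000 rdtsc 0x00000002 mov eax, A7105D73h 0x00000007 xor eax, 87E90EABh "
    "0x0000000c xor eax, 91654CB2h 0x00000011 xor eax, B19C1F6Bh 0x00000016 cpuid "
    "0x00000018 test ecx, eax 0x0000001a popad 0x0000001b call 00007F563036823Bh "
    "0x00000020 lfence 0x00000023 mov edx, 2543AA54h 0x00000028 xor edx, 8D843AA0h "
    "0x0000002e xor edx, CC85E3A5h 0x00000034 xor edx, 1BBC7345h "
    "0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f test bx, bx "
    "0x00000042 cmp ch, dh 0x00000044 ret"
)

# Each instruction starts with an 8-digit 0x offset; operands never carry a 0x prefix.
INSN_RE = re.compile(r"0x([0-9a-fA-F]{8})\s+(.*?)(?=\s0x[0-9a-fA-F]{8}\s|$)")
IMM_RE = re.compile(r"^([0-9A-Fa-f]{1,8})h$")  # sandbox prints immediates as hex with a trailing 'h'

KUSER_SHARED_DATA = 0x7FFE0000  # fixed user-mode mapping on 32- and 64-bit Windows
KUSER_FIELDS = {                # offsets that have not moved across Windows versions
    0x008: "InterruptTime",
    0x014: "SystemTime",
    0x020: "TimeZoneBias",
    0x304: "KdDebuggerEnabled",
    0x320: "TickCount",
}


def parse_trace(text):
    """Split the interceptor's flat text into (offset, mnemonic, [operands]) tuples."""
    insns = []
    for m in INSN_RE.finditer(text):
        parts = m.group(2).strip().split(None, 1)
        if not parts:
            continue
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        insns.append((int(m.group(1), 16), parts[0], ops))
    return insns


def _imm(tok):
    return int(IMM_RE.match(tok).group(1), 16)


def resolve_xor_chains(insns):
    """Fold `mov reg, imm` followed by one or more `xor reg, imm` into the constant
    the code really uses. Each result records the chain's start offset, register,
    effective 32-bit value, number of XORs, and the first instruction after the
    chain (its consumer)."""
    chains, i = [], 0
    while i < len(insns):
        off, mnem, ops = insns[i]
        if mnem == "mov" and len(ops) == 2 and IMM_RE.match(ops[1]):
            reg, value, j = ops[0], _imm(ops[1]), i + 1
            while (j < len(insns) and insns[j][1] == "xor" and len(insns[j][2]) == 2
                   and insns[j][2][0] == reg and IMM_RE.match(insns[j][2][1])):
                value ^= _imm(insns[j][2][1])
                j += 1
            if j > i + 1:  # at least one xor: an obfuscated constant, not a plain load
                nxt = insns[j] if j < len(insns) else None
                chains.append({
                    "offset": off, "reg": reg, "value": value & 0xFFFFFFFF, "xors": j - i - 1,
                    "consumer": f"{nxt[1]} {', '.join(nxt[2])}".strip() if nxt else None,
                })
            i = j
        else:
            i += 1
    return chains


def describe_address(addr):
    """Name the KUSER_SHARED_DATA field a resolved pointer refers to, or None if outside the page."""
    if KUSER_SHARED_DATA <= addr < KUSER_SHARED_DATA + 0x1000:
        rel = addr - KUSER_SHARED_DATA
        return f"KUSER_SHARED_DATA.{KUSER_FIELDS.get(rel, '<unnamed field>')} (+0x{rel:X})"
    return None


def annotate(chain):
    """Explain what a folded constant is used for: a CPUID leaf, a known shared-data field, or just the value."""
    if chain["consumer"] == "cpuid" and chain["reg"] == "eax":
        note = " (ECX bit 31 reports a hypervisor)" if chain["value"] == 1 else ""
        return f"CPUID leaf 0x{chain['value']:X}{note}"
    return describe_address(chain["value"]) or f"0x{chain['value']:08X}"


if __name__ == "__main__":
    for c in resolve_xor_chains(parse_trace(RDTSC_TRACE)):
        print(f"+0x{c['offset']:02X}: {c['reg']} = 0x{c['value']:08X} after {c['xors']} xors "
              f"-> {c['consumer']}  [{annotate(c)}]")
```

The folding only accepts consecutive `xor reg, imm` on the same register, so a chain interrupted by any other instruction is reported as it stands rather than guessed at; paste a different interceptor listing into RDTSC_TRACE to check other GuLoader sequences.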
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_02B238B9 rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code functions (mov eax, dword ptr fs:[00000030h]): 0_2_02B2380C, 0_2_02B2546D, 0_2_02B2864F, 0_2_02B273B7, 0_2_02B285F7, 0_2_02B279C6, 0_2_02B28500, 0_2_02B22D7C, 0_2_02B28355 |
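Nine functions in the 0x02B2xxxx region read fs:[30h], the PEB (BeingDebugged is at offset 2 of that structure), the same region holds the rdtsc/cpuid sequences above, and the .text section's entropy of 7.055 is what a packed or encrypted stub looks like; the sample also loads msvbvm60.dll, consistent with a VB6 wrapper around that region. The Python below is an added triage helper, not code from the report or from GuLoader: it computes the Shannon entropy of a memory region and scans it for the byte encodings of the flagged instructions (`mov reg, fs:[30h]`, rdtsc, cpuid, lfence, `push eax; ret`). SAMPLE_REGION is a constructed buffer, not bytes from the sample; pass the path of a dumped region on the command line to scan real data. The two-byte patterns will produce false positives in large high-entropy regions, so treat hits as triage leads to look at in a disassembler, not verdicts.

```python
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte, 0.0 to 8.0 (the report's .text scored 7.055)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# x86 (32-bit) encodings of the instructions the sandbox flagged.
# `mov eax, fs:[30h]` has the short 64 A1 disp32 form; other registers use
# 64 8B /r with a [disp32] ModRM byte (0x05 | reg << 3).
PEB_LOADS = [b"\x64\xa1\x30\x00\x00\x00"] + [
    bytes([0x64, 0x8B, 0x05 | (reg << 3), 0x30, 0x00, 0x00, 0x00]) for reg in range(8)
]
SIGNATURES = {
    "rdtsc": [b"\x0f\x31"],
    "cpuid": [b"\x0f\xa2"],
    "lfence": [b"\x0f\xae\xe8"],
    "push eax; ret": [b"\x50\xc3"],
    "mov reg, fs:[30h] (PEB)": PEB_LOADS,
}


def find_all(buf, pat):
    """All offsets of pat in buf, overlapping matches included."""
    hits, i = [], buf.find(pat)
    while i != -1:
        hits.append(i)
        i = buf.find(pat, i + 1)
    return hits


def scan_anti_analysis(buf):
    """Map each signature name to the sorted offsets where it occurs; absent names had no hits."""
    report = {}
    for name, pats in SIGNATURES.items():
        offs = sorted(o for p in pats for o in find_all(buf, p))
        if offs:
            report[name] = offs
    return report


def triage_region(buf, entropy_threshold=7.0):
    """Entropy plus anti-analysis hits for one memory region or section."""
    ent = shannon_entropy(buf)
    return {
        "entropy": round(ent, 3),
        "high_entropy": ent >= entropy_threshold,
        "anti_analysis": scan_anti_analysis(buf),
    }


# Constructed test region (not bytes from the sample): high-entropy filler with
# rdtsc, a PEB load and cpuid planted at known offsets 600, 702 and 808.
_FILLER = bytes(range(256)) * 4
SAMPLE_REGION = (
    _FILLER[:600] + b"\x0f\x31" + _FILLER[600:700] + b"\x64\xa1\x30\x00\x00\x00"
    + _FILLER[700:800] + b"\x0f\xa2" + _FILLER[800:]
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_REGION
    print(triage_region(data))
```

Run it against a dump of the 0x02B20000 region (the file the report lists as 00000000.00000002.1174329957.0000000002B20000.00000040.00000001.sdmp) to get offsets to jump to; the PEB-load pattern is the most specific of the five and is the one worth chasing first.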
Source: Fec9qUX4at.exe, 00000000.00000002.1173482148.0000000000C40000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: Fec9qUX4at.exe, 00000000.00000002.1173482148.0000000000C40000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Fec9qUX4at.exe, 00000000.00000002.1173482148.0000000000C40000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: Fec9qUX4at.exe, 00000000.00000002.1173482148.0000000000C40000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |