Source: 00000000.00000002.1173739995.00000000020F0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTHKELLS_QhOVDYr246"} |
Source: ftyaXQevlQ.exe | Virustotal: Detection: 23% |
Source: ftyaXQevlQ.exe | ReversingLabs: Detection: 21% |
Source: ftyaXQevlQ.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: http://101.99.94.119/WEALTHKELLS_QhOVDYr246 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F58EC NtAllocateVirtualMemory, | 0_2_020F58EC |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F5A21 NtAllocateVirtualMemory, | 0_2_020F5A21 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F58E9 NtAllocateVirtualMemory, | 0_2_020F58E9 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F5953 NtAllocateVirtualMemory, | 0_2_020F5953 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F596D NtAllocateVirtualMemory, | 0_2_020F596D |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F5961 NtAllocateVirtualMemory, | 0_2_020F5961 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F5979 NtAllocateVirtualMemory, | 0_2_020F5979 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F5985 NtAllocateVirtualMemory, | 0_2_020F5985 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F599D NtAllocateVirtualMemory, | 0_2_020F599D |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F5991 NtAllocateVirtualMemory, | 0_2_020F5991 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F59A9 NtAllocateVirtualMemory, | 0_2_020F59A9 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F59B5 NtAllocateVirtualMemory, | 0_2_020F59B5 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_00401144 | 0_2_00401144 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F58EC | 0_2_020F58EC |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F5A21 | 0_2_020F5A21 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F8A36 | 0_2_020F8A36 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F2835 | 0_2_020F2835 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F0231 | 0_2_020F0231 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F4047 | 0_2_020F4047 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F2A58 | 0_2_020F2A58 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F7870 | 0_2_020F7870 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F3894 | 0_2_020F3894 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F38AB | 0_2_020F38AB |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F12C7 | 0_2_020F12C7 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F86C5 | 0_2_020F86C5 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F58E9 | 0_2_020F58E9 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F8AE2 | 0_2_020F8AE2 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F88FD | 0_2_020F88FD |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F3AF3 | 0_2_020F3AF3 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F5707 | 0_2_020F5707 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F5D2B | 0_2_020F5D2B |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F7336 | 0_2_020F7336 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F7B34 | 0_2_020F7B34 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F1F48 | 0_2_020F1F48 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F5953 | 0_2_020F5953 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F596D | 0_2_020F596D |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F5961 | 0_2_020F5961 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F59B5 | 0_2_020F59B5 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F13B2 | 0_2_020F13B2 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F09D6 | 0_2_020F09D6 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F3BE0 | 0_2_020F3BE0 |
Source: ftyaXQevlQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: ftyaXQevlQ.exe, 00000000.00000000.650866555.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBOETTEPAPIR.exe vs ftyaXQevlQ.exe |
Source: ftyaXQevlQ.exe, 00000000.00000002.1173563584.0000000002090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs ftyaXQevlQ.exe |
Source: ftyaXQevlQ.exe | Binary or memory string: OriginalFilenameBOETTEPAPIR.exe vs ftyaXQevlQ.exe |
Source: classification engine | Classification label: mal84.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | File created: C:\Users\user\AppData\Local\Temp\~DF4EA5FE16BB58CFDF.TMP |
Source: ftyaXQevlQ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match | File source: 00000000.00000002.1173739995.00000000020F0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_00404542 push ds; retf | 0_2_0040456D |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_00405977 push dword ptr [ecx-4E013672h]; retf | 0_2_0040597F |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_004017A5 push 00000065h; ret | 0_2_004017B7 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_004061A9 push ds; retf | 0_2_004061B9 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F8465 push eax; ret | 0_2_020F8466 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F1976 push esi; ret | 0_2_020F197B |
Source: initial sample | Static PE information: section name: .text entropy: 7.06319493547 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | RDTSC instruction interceptor: First address: 00000000020F7740 second address: 00000000020F7740 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub edx, 6B2AB29Ch 0x00000011 cmp byte ptr [esi], dl 0x00000013 mov edx, dword ptr [ebp+0000026Ch] 0x00000019 jnc 00007F59F8EA92B7h 0x0000001b mov ebx, eax 0x0000001d shl eax, 05h 0x00000020 add eax, ebx 0x00000022 movzx ecx, byte ptr [esi] 0x00000025 test esi, 8BF3F78Dh 0x0000002b add eax, ecx 0x0000002d xor eax, 241DED1Dh 0x00000032 inc esi 0x00000033 mov dword ptr [ebp+00000269h], eax 0x00000039 mov eax, 268AB9BAh 0x0000003e cmp bx, bx 0x00000041 xor eax, 5F75F58Ch 0x00000046 cmp dx, dx 0x00000049 xor eax, A2125650h 0x0000004e add eax, 2412E59Ah 0x00000053 cmp byte ptr [esi], al 0x00000055 mov eax, dword ptr [ebp+00000269h] 0x0000005b jne 00007F59F8EA91F8h 0x0000005d mov dword ptr [ebp+0000026Ch], edx 0x00000063 mov edx, 0CE9BEB7h 0x00000068 cmp ch, bh 0x0000006a xor edx, 565E109Eh 0x00000070 xor edx, 319D1D69h 0x00000076 pushad 0x00000077 lfence 0x0000007a rdtsc |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | RDTSC instruction interceptor: First address: 00000000020F8317 second address: 00000000020F7740 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov edi, dword ptr [ebp+00000231h] 0x00000011 mov dword ptr [ebp+00000262h], edx 0x00000017 push esi 0x00000018 jmp 00007F59F8ACA3D5h 0x0000001a call 00007F59F8ACA385h 0x0000001f pop esi 0x00000020 jmp esi 0x00000022 pop esi 0x00000023 mov edx, ecx 0x00000025 push edx 0x00000026 mov edx, dword ptr [ebp+00000262h] 0x0000002c mov dword ptr [ebp+000001BBh], edx 0x00000032 test bx, dx 0x00000035 mov edx, esi 0x00000037 push edx 0x00000038 mov edx, dword ptr [ebp+000001BBh] 0x0000003e cmp dx, ax 0x00000041 mov dword ptr [ebp+00000233h], eax 0x00000047 mov eax, esi 0x00000049 push eax 0x0000004a mov eax, dword ptr [ebp+00000233h] 0x00000050 cmp bh, dh 0x00000052 add dword ptr [esp], ecx 0x00000055 call 00007F59F8AC96F4h 0x0000005a mov esi, dword ptr [esp+04h] 0x0000005e mov eax, 552EAF50h 0x00000063 push ss 0x00000064 pop ss 0x00000065 jmp 00007F59F8ACA3B3h 0x00000067 xor eax, 8A108D49h 0x0000006c add eax, 135A661Ch 0x00000071 xor eax, F2989D30h 0x00000076 test bl, al 0x00000078 test ax, 0000508Eh 0x0000007c mov dword ptr [ebp+0000026Ch], edx 0x00000082 mov edx, 0CE9BEB7h 0x00000087 cmp ch, bh 0x00000089 xor edx, 565E109Eh 0x0000008f xor edx, 319D1D69h 0x00000095 pushad 0x00000096 lfence 0x00000099 rdtsc |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F58EC rdtsc | 0_2_020F58EC |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F7A47 mov eax, dword ptr fs:[00000030h] | 0_2_020F7A47 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F38AB mov eax, dword ptr fs:[00000030h] | 0_2_020F38AB |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F86C5 mov eax, dword ptr fs:[00000030h] | 0_2_020F86C5 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F5513 mov eax, dword ptr fs:[00000030h] | 0_2_020F5513 |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F7367 mov eax, dword ptr fs:[00000030h] | 0_2_020F7367 |
Source: ftyaXQevlQ.exe, 00000000.00000002.1173506402.0000000000C40000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: ftyaXQevlQ.exe, 00000000.00000002.1173506402.0000000000C40000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: ftyaXQevlQ.exe, 00000000.00000002.1173506402.0000000000C40000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: ftyaXQevlQ.exe, 00000000.00000002.1173506402.0000000000C40000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe | Code function: 0_2_020F0231 cpuid | 0_2_020F0231 |