
Windows Analysis Report BK635636736_BOOKING CONFIRMATION.exe

Overview

General Information

Sample Name:BK635636736_BOOKING CONFIRMATION.exe
Analysis ID:482251
MD5:da33aac5f666cb19e32c78e1e8ddfeef
SHA1:7a1c547f1c38b9fe7b3a651787c863d490d294cc
SHA256:2217f0ae6d8b681ae360e36dd03619b29c17bae98dbca0db4a9723ca0a386d37
Tags:exe

Detection

GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
GuLoader behavior detected
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: BK635636736_BOOKING CONFIRMATION.exe Virustotal: Detection: 26%
Source: BK635636736_BOOKING CONFIRMATION.exe ReversingLabs: Detection: 18%
Source: BK635636736_BOOKING CONFIRMATION.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown DNS traffic detected: queries for: jenniferscarscda.com
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461454488.000000000069A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461748038.0000000002B70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamefluor.exeFE2XKareo vs BK635636736_BOOKING CONFIRMATION.exe
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461353171.0000000000449000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamefluor.exe vs BK635636736_BOOKING CONFIRMATION.exe
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000000.460434910.0000000000449000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamefluor.exe vs BK635636736_BOOKING CONFIRMATION.exe
Source: BK635636736_BOOKING CONFIRMATION.exe Binary or memory string: OriginalFilenamefluor.exe vs BK635636736_BOOKING CONFIRMATION.exe
Source: BK635636736_BOOKING CONFIRMATION.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BK635636736_BOOKING CONFIRMATION.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code functions (163 flagged, listed by address):
0_2_02330F23, 0_2_0233AFFE, 0_2_02330CBA, 0_2_0233189E, 0_2_02330583, 0_2_023399FB, 0_2_0233A232, 0_2_02340E33,
0_2_02332A38, 0_2_0233663F, 0_2_02331E3E, 0_2_0233963C, 0_2_02339226, 0_2_02339E28, 0_2_02332211, 0_2_02331614,
0_2_0233421F, 0_2_02338E7A, 0_2_0233167E, 0_2_02339A7C, 0_2_02339263, 0_2_02332662, 0_2_02341267, 0_2_02335A66,
0_2_0233566F, 0_2_0233AE57, 0_2_02334255, 0_2_0233765F, 0_2_02338A43, 0_2_0233BE44, 0_2_02338A4D, 0_2_023312B6,
0_2_023342B5, 0_2_02340EB2, 0_2_023362BA, 0_2_02338ABA, 0_2_02338EBD, 0_2_023396BD, 0_2_02334E91, 0_2_0233BE90,
0_2_02339E97, 0_2_02331E94, 0_2_02333A9A, 0_2_02336686, 0_2_02337686, 0_2_02332A8A, 0_2_02331EF7, 0_2_02335EF6,
0_2_023432FE, 0_2_02332AFE, 0_2_02339AE6, 0_2_023356EE, 0_2_023312EC, 0_2_023322D3, 0_2_023366D3, 0_2_023326D0,
0_2_02335ADE, 0_2_023376DE, 0_2_023312CE, 0_2_02335ECD, 0_2_02338F20, 0_2_02332326, 0_2_02338B2B, 0_2_02335328,
0_2_0233132E, 0_2_0233632E, 0_2_0233BF10, 0_2_0233671A, 0_2_02335776, 0_2_0233837A, 0_2_0233137D, 0_2_02338F62,
0_2_02335367, 0_2_02335F6A, 0_2_02332B6E, 0_2_02337756, 0_2_02331358, 0_2_0233A342, 0_2_0233FF42, 0_2_023323B2,
0_2_02331FB1, 0_2_0233BFB9, 0_2_02341BBA, 0_2_023363A2, 0_2_02338BA7, 0_2_023357A6, 0_2_023397AE, 0_2_02340FAA,
0_2_02336792, 0_2_02343398, 0_2_02339F9F, 0_2_02330B9C, 0_2_02339382, 0_2_023383E7, 0_2_023313EB, 0_2_02340BEF,
0_2_02339BD0, 0_2_02330BDB, 0_2_02332BDE, 0_2_02335FDE, 0_2_023377CA, 0_2_023327C8, 0_2_0233B03A, 0_2_02339023,
0_2_02338C20, 0_2_02332C26, 0_2_02339826, 0_2_0233202F, 0_2_0233241A, 0_2_0233641A, 0_2_0233580E, 0_2_0233987B,
0_2_02339466, 0_2_0233C86D, 0_2_02331455, 0_2_02339C43, 0_2_02332842, 0_2_02335C42, 0_2_02337846, 0_2_0233604E,
0_2_02335CB2, 0_2_02339CB4, 0_2_023320A1, 0_2_023390A0, 0_2_023328A6, 0_2_02332C96, 0_2_0234109A, 0_2_02337481,
0_2_02335886, 0_2_02332484, 0_2_02338C8F, 0_2_0233648E, 0_2_023304FA, 0_2_023358FA, 0_2_023398FF, 0_2_02331CE7,
0_2_0233A0DA, 0_2_02340CC3, 0_2_023314C8, 0_2_02337D33, 0_2_02331530, 0_2_02336136, 0_2_0233AD36, 0_2_02338939,
0_2_0233A126, 0_2_0233912B, 0_2_02339D1E, 0_2_02331102, 0_2_0234110E, 0_2_0233290E, 0_2_02338D0C, 0_2_02332577,
0_2_02332976, 0_2_0233657A, 0_2_0234117E, 0_2_0233757E, 0_2_02338567, 0_2_02339968, 0_2_0233955B, 0_2_02339DB1,
0_2_023361BE, 0_2_0233A1A1, 0_2_023391A4
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02330F23 NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233189E NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023431BA NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023399FB NtWriteVirtualMemory,TerminateProcess,CreateFileA,NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code functions calling NtAllocateVirtualMemory (8): 0_2_0233B62D, 0_2_0233B69E, 0_2_0233B784, 0_2_0233B7F9, 0_2_0233B876, 0_2_0233B532, 0_2_0233B530, 0_2_0233B574
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code functions calling NtWriteVirtualMemory (49):
0_2_02330583, 0_2_0233A232, 0_2_0233963C, 0_2_02339226, 0_2_02339E28, 0_2_0233421F, 0_2_02338E7A, 0_2_02339A7C,
0_2_02339263, 0_2_02338A43, 0_2_02338A4D, 0_2_02338ABA, 0_2_02338EBD, 0_2_023396BD, 0_2_02339E97, 0_2_02339AE6,
0_2_0233A2C2, 0_2_02338F20, 0_2_02338B2B, 0_2_02338F62, 0_2_0233A342, 0_2_0233FF42, 0_2_02338BA7, 0_2_023397AE,
0_2_02339F9F, 0_2_02339382, 0_2_02340BEF, 0_2_02339BD0, 0_2_02339023, 0_2_02338C20, 0_2_02339826, 0_2_0233987B,
0_2_02339466, 0_2_02339C43, 0_2_02339CB4, 0_2_023390A0, 0_2_02338C8F, 0_2_023398FF, 0_2_0233A0DA, 0_2_02338939,
0_2_0233A126, 0_2_0233912B, 0_2_02339D1E, 0_2_02338D0C, 0_2_02339968, 0_2_0233955B, 0_2_02339DB1, 0_2_0233A1A1,
0_2_023391A4
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Process Stats: CPU usage > 98%
Source: BK635636736_BOOKING CONFIRMATION.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe 'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe'
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Process created: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe 'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe' (2 occurrences)
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine Classification label: mal68.troj.evad.winEXE@3/0@1/1
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: BK635636736_BOOKING CONFIRMATION.exe Static PE information: real checksum: 0x7532e should be: 0x7b7a8
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_00403A25 push cs; iretd
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_004076EE push ebp; retf
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00561C44 push es; retn 0056h
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00561815 push ds; iretd
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_0056342A push edi; ret
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_0056708B push FFFFFF97h; ret
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_0056211A push 94F7E348h; ret
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00563904 push edx; ret
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_005641C2 push esi; ret
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00563DB0 push esp; retn 0056h
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00567A44 push ebp; retn 0056h
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00561E2F push ds; iretd
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_005636CC push edx; ret
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_005662E6 push ebx; ret
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00567ABC push ebp; retn 0056h
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00565F74 push esi; iretd
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00562F73 push edi; ret
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00564F6B push edx; ret
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_005637C6 push edx; ret
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00562B8F push edx; ret
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)
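The "real checksum: 0x7532e should be: 0x7b7a8" line is the OptionalHeader.CheckSum field failing the documented PE checksum (the one CheckSumMappedFile and pefile implement), and the LOCAL_SYMS_STRIPPED / 32BIT_MACHINE / ... list is the COFF Characteristics word decoded. The script below is an added example, not part of the Joe Sandbox report: it recomputes the checksum, reports the same "stored vs computed" pair, and decodes the flags. It builds a minimal PE32 header layout in memory (constructed, not the sample, and not a loadable image) so it runs offline; the stored value 0x7532e is reused only to show the mismatch.

```python
"""
Verify OptionalHeader.CheckSum and decode COFF Characteristics.

Added example, not part of the Joe Sandbox report. build_sample_pe32() is a
constructed header layout, not the analysed sample.
"""
import struct

# IMAGE_FILE_* bits; the report lists the first five for this sample.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}


def decode_characteristics(flags):
    """Names of the Characteristics bits set in flags."""
    return {name for bit, name in CHARACTERISTICS.items() if flags & bit}


def pe_checksum(data, checksum_offset):
    """PE checksum: one's-complement sum of all DWORDs except the CheckSum
    field, folded to 16 bits, plus the file length. Assumes the field is
    4-byte aligned, which holds whenever e_lfanew is aligned as the spec asks."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum (offset 64 in PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + 64


def coff_characteristics(data):
    """The Characteristics word at COFF header offset 18."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]


def verify_pe_checksum(data):
    """(ok, stored, computed): the report's 'real checksum X should be Y'."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored == computed, stored, computed


def fix_checksum(data):
    """Copy of data with CheckSum set to the computed value."""
    off = checksum_field_offset(data)
    patched = bytearray(data)
    struct.pack_into("<I", patched, off, pe_checksum(data, off))
    return bytes(patched)


def build_sample_pe32(characteristics=0x010F, stored_checksum=0):
    """Constructed minimal PE32 (one .text section of zeros); not the sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                 # FileAlignment
    struct.pack_into("<I", opt, 64, stored_checksum)       # CheckSum
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x40, 0x1000, 0x40, 0x160,
                          0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section + bytes(64)


if __name__ == "__main__":
    sample = build_sample_pe32(stored_checksum=0x7532E)
    ok, stored, computed = verify_pe_checksum(sample)
    print(f"real checksum: {stored:#x} should be: {computed:#x}"
          f" ({'ok' if ok else 'MISMATCH'})")
    print(sorted(decode_characteristics(coff_characteristics(sample))))
```

A wrong CheckSum is only a weak signal on its own (many legitimate user-mode builds ship with 0), which is why the report scores it low; it becomes interesting combined with the RELOCS_STRIPPED flag and the VB runtime load, both typical of the packed Visual Basic stubs GuLoader is delivered in.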

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (2 occurrences)
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe File opened: C:\Program Files\qga\qga.exe (2 occurrences)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461755682.0000000002C70000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461454488.000000000069A000.00000004.00000020.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02340785 rdtsc
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe System information queried: ModuleInformation
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461755682.0000000002C70000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461454488.000000000069A000.00000004.00000020.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeThread information set: HideFromDebugger
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeThread information set: HideFromDebugger
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeCode function: 0_2_0233F281 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeCode function: 0_2_02335ECD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeCode function: 0_2_0233FF72 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeCode function: 0_2_0233FF6D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeCode function: 0_2_02341BBA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeCode function: 0_2_02337481 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeCode function: 0_2_0233757E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeCode function: 0_2_0233AD4A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeCode function: 0_2_02340785 rdtsc
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeCode function: 0_2_0233CFB6 LdrInitializeThunk,
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeProcess created: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe 'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe'
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000002.745686034.0000000000E70000.00000002.00020000.sdmpBinary or memory string: Program Manager
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000002.745686034.0000000000E70000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000002.745686034.0000000000E70000.00000002.00020000.sdmpBinary or memory string: Progman
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000002.745686034.0000000000E70000.00000002.00020000.sdmpBinary or memory string: Progmanlock
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exeQueries volume information: C:\ VolumeInformation

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial fileSignature Results: GuLoader behavior

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Virtualization/Sandbox Evasion21 | Input Capture1 | Security Software Discovery321 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Virtualization/Sandbox Evasion21 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery12 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
BK635636736_BOOKING CONFIRMATION.exe | 26% | Virustotal |
BK635636736_BOOKING CONFIRMATION.exe | 18% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
jenniferscarscda.com | 194.76.224.53 | true | false | | unknown

    Contacted IPs


    Public

    IP | Domain | Country | ASN | ASN Name | Malicious
    194.76.224.53 | jenniferscarscda.com | Germany | 42708 | PORTLANEwwwportlanecomSE | false

    General Information

    Joe Sandbox Version:33.0.0 White Diamond
    Analysis ID:482251
    Start date:13.09.2021
    Start time:15:29:03
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 8m 55s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:BK635636736_BOOKING CONFIRMATION.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed:31
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal68.troj.evad.winEXE@3/0@1/1
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 4% (good quality ratio 2.3%)
    • Quality average: 29.9%
    • Quality standard deviation: 27.3%
    HCA Information:
    • Successful, ratio: 76%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
    • Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.82.210.154, 173.222.108.226, 173.222.108.210, 40.112.88.60, 20.49.157.6, 80.67.82.235, 80.67.82.211, 20.54.110.249
    • Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
    • Not all processes were analyzed; the report is missing behavior information
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    Match | Associated Sample Name / URL | Detection
    194.76.224.53 | FC748478532_OCTOBER-SHIPMENT.exe | malicious

      Domains

      Match | Associated Sample Name / URL | Detection | Context
      jenniferscarscda.com | FC748478532_OCTOBER-SHIPMENT.exe | malicious | 194.76.224.53

      ASN

      Match | Associated Sample Name / URL | Detection | Context
      PORTLANEwwwportlanecomSE | FC748478532_OCTOBER-SHIPMENT.exe | malicious | 194.76.224.53
      | j3LQELTT0m | malicious | 188.126.80.93
      | 4nLik56DrD | malicious | 195.190.241.186
      | message.html | malicious | 185.117.88.178
      | qKxXZuMvtP | malicious | 5.254.217.55
      | DF7049B8C4D704376BE3920232B1BA6B2C8CF2FF0F9CF.exe | malicious | 46.21.100.248
      | DF7049B8C4D704376BE3920232B1BA6B2C8CF2FF0F9CF.exe | malicious | 46.21.100.248
      | XwQCL6wkKk | malicious | 188.126.80.93
      | document.htm .exe | malicious | 159.253.31.95
      | ATTACHMENT.exe | malicious | 159.253.31.95
      | ihdgexm.exe | malicious | 159.253.31.95
      | letter.exe | malicious | 159.253.31.95
      | readme.exe | malicious | 159.253.31.95
      | ATTACHMENT.exe | malicious | 159.253.31.95
      | ihdgexm.exe | malicious | 159.253.31.95
      | letter.exe | malicious | 159.253.31.95
      | readme.exe | malicious | 159.253.31.95
      | adjunto.vbs | malicious | 188.126.90.9
      | document.exe | malicious | 159.253.31.95
      | document.exe | malicious | 159.253.31.95

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):4.2376796964620915
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.15%
      • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:BK635636736_BOOKING CONFIRMATION.exe
      File size:471040
      MD5:da33aac5f666cb19e32c78e1e8ddfeef
      SHA1:7a1c547f1c38b9fe7b3a651787c863d490d294cc
      SHA256:2217f0ae6d8b681ae360e36dd03619b29c17bae98dbca0db4a9723ca0a386d37
      SHA512:5d803cc17e24157b27db6c0392399b5d1835b7c3eefecd272025a127059a6cfba5e4d8126b418e0b0a172f9f78972246f82500eb688c6a3836be84d9e089ff35
      SSDEEP:6144:xqqadRaFlGCfS/GLUCffBfRfBfBG/qFGGGGGGGG0GGGGGGGGGGGGGGGGGGLGGGGR:xdnFMnDeJDFE
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W...K...W...u...W...q...W..Rich.W..........................PE..L....E.K.................`..........H........p....@

      File Icon

      Icon Hash:70f0a235b1b2f071

      Static PE Info

      General

      Entrypoint:0x401448
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      DLL Characteristics:
      Time Stamp:0x4B8B45E6 [Mon Mar 1 04:43:18 2010 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:01b006fd37878659f6f60ca0efdc2460

      Entrypoint Preview


      Data Directories

      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x45cb4 | 0x28 | .text
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0x2a13e | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x20 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x134 | .text
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Sections

      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x451e8 | 0x46000 | False | 0.270354352679 | data | 4.80062436371 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .data | 0x47000 | 0x148c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
      .rsrc | 0x49000 | 0x2a13e | 0x2b000 | False | 0.162342160247 | data | 3.15700240055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

      Resources

      Name | RVA | Size | Type | Language | Country
      RT_ICON | 0x72bd6 | 0x568 | GLS_BINARY_LSB_FIRST | |
      RT_ICON | 0x7276e | 0x468 | GLS_BINARY_LSB_FIRST | |
      RT_ICON | 0x720a6 | 0x6c8 | data | |
      RT_ICON | 0x7171e | 0x988 | data | |
      RT_ICON | 0x70e76 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
      RT_ICON | 0x6fdce | 0x10a8 | data | |
      RT_ICON | 0x6ef26 | 0xea8 | data | |
      RT_ICON | 0x6c97e | 0x25a8 | data | |
      RT_ICON | 0x68756 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16711679, next used block 4294934272 | |
      RT_ICON | 0x632ce | 0x5488 | data | |
      RT_ICON | 0x59e26 | 0x94a8 | data | |
      RT_ICON | 0x495fe | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
      RT_GROUP_ICON | 0x49550 | 0xae | data | |
      RT_VERSION | 0x49300 | 0x250 | data | English | United States

      Imports

      DLL | Import
      MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaDateVar, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaVarCopy, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

      Version Infos

      Description | Data
      Translation | 0x0409 0x04b0
      InternalName | fluor
      FileVersion | 1.00
      CompanyName | Kareo
      Comments | Kareo
      ProductName | Kareo
      ProductVersion | 1.00
      FileDescription | Kareo
      OriginalFilename | fluor.exe

      Possible Origin

      Language of compilation system | Country where language is spoken
      English | United States

      Network Behavior

      Network Port Distribution

      TCP Packets

      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Sep 13, 2021 15:33:52.177184105 CEST | 49789 | 443 | 192.168.2.3 | 194.76.224.53
      Sep 13, 2021 15:33:52.177228928 CEST | 443 | 49789 | 194.76.224.53 | 192.168.2.3
      Sep 13, 2021 15:33:52.177458048 CEST | 49789 | 443 | 192.168.2.3 | 194.76.224.53
      Sep 13, 2021 15:33:52.206892014 CEST | 49789 | 443 | 192.168.2.3 | 194.76.224.53
      Sep 13, 2021 15:33:52.206916094 CEST | 443 | 49789 | 194.76.224.53 | 192.168.2.3

      UDP Packets

      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Sep 13, 2021 15:30:21.033523083 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:30:21.073952913 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:30:25.464819908 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:30:25.492264032 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:30:45.091289997 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:30:45.128489017 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:30:51.771040916 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:30:51.812335968 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:31:03.013622999 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:31:03.055080891 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:31:07.033659935 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:31:07.077682018 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:31:41.544779062 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:31:41.578778982 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:31:44.004468918 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:31:44.040186882 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:32:45.668200970 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:32:45.716308117 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:32:47.020970106 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:32:47.093579054 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:32:47.607063055 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:32:47.635957003 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:32:47.966913939 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:32:47.999408007 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:32:48.498558998 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:32:48.535530090 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:32:48.953672886 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:32:48.979888916 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:32:49.566032887 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:32:49.602267981 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:32:50.838164091 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:32:50.870492935 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:32:51.715804100 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:32:51.777911901 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:32:52.237663984 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:32:52.273391962 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
      Sep 13, 2021 15:33:52.093537092 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
      Sep 13, 2021 15:33:52.133460999 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3

      DNS Queries

      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
      Sep 13, 2021 15:33:52.093537092 CEST | 192.168.2.3 | 8.8.8.8 | 0x4e03 | Standard query (0) | jenniferscarscda.com | A (IP address) | IN (0x0001)

      DNS Answers

      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
      Sep 13, 2021 15:33:52.133460999 CEST | 8.8.8.8 | 192.168.2.3 | 0x4e03 | No error (0) | jenniferscarscda.com | | 194.76.224.53 | A (IP address) | IN (0x0001)

      Code Manipulations

      Statistics

      Behavior


      System Behavior

      General

      Start time:15:29:57
      Start date:13/09/2021
      Path:C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe'
      Imagebase:0x400000
      File size:471040 bytes
      MD5 hash:DA33AAC5F666CB19E32C78E1E8DDFEEF
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Visual Basic
      Reputation:low

      General

      Start time:15:31:51
      Start date:13/09/2021
      Path:C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe'
      Imagebase:0x400000
      File size:471040 bytes
      MD5 hash:DA33AAC5F666CB19E32C78E1E8DDFEEF
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      Disassembly

      Code Analysis
