Source: DHL.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "http://107.189.4.115/ncHJfummF147.bin"} |
Source: DHL.exe | Virustotal: Detection: 28% |
Source: DHL.exe | ReversingLabs: Detection: 11% |
Source: 1.2.DHL.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen |
Source: 1.0.DHL.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen |
Source: DHL.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: http://107.189.4.115/ncHJfummF147.bin |
Source: DHL.exe, 00000001.00000002.712237574.000000000071A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: DHL.exe, 00000001.00000002.712188985.000000000041D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSEMIQUOTE.exe vs DHL.exe |
Source: DHL.exe | Binary or memory string: OriginalFilenameSEMIQUOTE.exe vs DHL.exe |
Source: DHL.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023B2214 | 1_2_023B2214 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023AFA47 | 1_2_023AFA47 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023ADB58 | 1_2_023ADB58 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A563C | 1_2_023A563C |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023B0034 | 1_2_023B0034 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A5628 | 1_2_023A5628 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A4017 | 1_2_023A4017 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A5846 | 1_2_023A5846 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A4EB0 | 1_2_023A4EB0 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023B00B5 | 1_2_023B00B5 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A4EAD | 1_2_023A4EAD |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A409A | 1_2_023A409A |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A4EF0 | 1_2_023A4EF0 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A58E0 | 1_2_023A58E0 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A56CA | 1_2_023A56CA |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A4933 | 1_2_023A4933 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023AF37A | 1_2_023AF37A |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A594A | 1_2_023A594A |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A574C | 1_2_023A574C |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A59A3 | 1_2_023A59A3 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A598D | 1_2_023A598D |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023B0B86 | 1_2_023B0B86 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023AEFE8 | 1_2_023AEFE8 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A59D2 | 1_2_023A59D2 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A3FC2 | 1_2_023A3FC2 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A57C3 | 1_2_023A57C3 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030E2214 | 26_2_030E2214 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D574C | 26_2_030D574C |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D57C3 | 26_2_030D57C3 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D3FC2 | 26_2_030D3FC2 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D5628 | 26_2_030D5628 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D563C | 26_2_030D563C |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D56CA | 26_2_030D56CA |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D4933 | 26_2_030D4933 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D594A | 26_2_030D594A |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D598D | 26_2_030D598D |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D59A3 | 26_2_030D59A3 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D59D2 | 26_2_030D59D2 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D4017 | 26_2_030D4017 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D5846 | 26_2_030D5846 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D409A | 26_2_030D409A |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D58E0 | 26_2_030D58E0 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023B2214 NtResumeThread, | 1_2_023B2214 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023B1C6C NtProtectVirtualMemory, | 1_2_023B1C6C |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023AFA47 NtAllocateVirtualMemory, | 1_2_023AFA47 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\DHL.exe | Process Stats: CPU usage > 98% |
Source: DHL.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\DHL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\DHL.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: unknown | Process created: C:\Users\user\Desktop\DHL.exe 'C:\Users\user\Desktop\DHL.exe' |
Source: C:\Users\user\Desktop\DHL.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe' |
Source: C:\Users\user\Desktop\DHL.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe' |
Source: C:\Users\user\Desktop\DHL.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe' |
Source: C:\Users\user\Desktop\DHL.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe' |
Source: C:\Users\user\Desktop\DHL.exe | File created: C:\Users\user~1\AppData\Local\Temp\~DFBEC8D2F5C809F532.TMP |
Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/0@0/0 |
Source: Yara match | File source: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0000001A.00000002.791045987.00000000030D0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_00402416 push 0040107Ch; ret | 1_2_00402433 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_00402434 push 0040107Ch; ret | 1_2_00402447 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_00408695 push 0000007Bh; iretd | 1_2_004087CD |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_004090BB push 00000054h; iretd | 1_2_004090BA |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_00404F07 push ebp; retf | 1_2_00404EFF |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_00408FD0 push 00000054h; iretd | 1_2_004090BA |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A50F2 pushfd ; retf | 1_2_023A50FE |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A155E push ebp; iretd | 1_2_023A1560 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D0763 push cs; iretd | 26_2_030D076B |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D091D push FFFFFF96h; iretd | 26_2_030D091F |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D155E push ebp; iretd | 26_2_030D1560 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030D50F1 pushfd ; retf | 26_2_030D50FE |
Source: C:\Users\user\Desktop\DHL.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\DHL.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\DHL.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\DHL.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\DHL.exe | File opened: C:\Program Files\qga\qga.exe |
Source: DHL.exe, 00000001.00000002.712246912.0000000000731000.00000004.00000020.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE-3){ |
Source: DHL.exe, 00000001.00000002.712412278.00000000023E0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL |
Source: DHL.exe, 00000001.00000002.712412278.00000000023E0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: DHL.exe, 00000001.00000002.712246912.0000000000731000.00000004.00000020.sdmp | Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A4E28 rdtsc | 1_2_023A4E28 |
Source: C:\Users\user\Desktop\DHL.exe | System information queried: ModuleInformation |
Source: DHL.exe, 00000001.00000002.712412278.00000000023E0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll |
Source: DHL.exe, 00000001.00000002.712246912.0000000000731000.00000004.00000020.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe-3){ |
Source: DHL.exe, 00000001.00000002.712412278.00000000023E0000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: DHL.exe, 00000001.00000002.712246912.0000000000731000.00000004.00000020.sdmp | Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\DHL.exe | Thread information set: HideFromDebugger |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023B0B86 mov eax, dword ptr fs:[00000030h] | 1_2_023B0B86 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023AEBEB mov eax, dword ptr fs:[00000030h] | 1_2_023AEBEB |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023AF5DE mov eax, dword ptr fs:[00000030h] | 1_2_023AF5DE |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030DEBEB mov eax, dword ptr fs:[00000030h] | 26_2_030DEBEB |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030DF5DE mov eax, dword ptr fs:[00000030h] | 26_2_030DF5DE |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030E2214 RtlAddVectoredExceptionHandler, | 26_2_030E2214 |
Source: C:\Users\user\Desktop\DHL.exe | Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 30D0000 |
Source: C:\Users\user\Desktop\DHL.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe' |
Source: C:\Users\user\Desktop\DHL.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe' |
Source: ieinstal.exe, 0000001A.00000002.791529522.0000000003A10000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager |
Source: ieinstal.exe, 0000001A.00000002.791529522.0000000003A10000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: ieinstal.exe, 0000001A.00000002.791529522.0000000003A10000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: ieinstal.exe, 0000001A.00000002.791529522.0000000003A10000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: Initial file | Signature Results: GuLoader behavior |
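Read together, the signature lines above describe the usual GuLoader chain: a VB6 stage (msvbvm60.dll is loaded, the original file name is SEMIQUOTE.exe) spawns ieinstal.exe with its own path as the command line, writes into that child at base 30D0000 using NtAllocateVirtualMemory and NtProtectVirtualMemory and starts it with NtResumeThread, and meanwhile probes for the QEMU guest agent binaries (qemu-ga.exe, qga.exe), times itself with rdtsc, reads the PEB through fs:[30h], sets HideFromDebugger on its thread and installs a vectored exception handler in the hollowed process. The only network indicator is the payload URL recovered by the configuration extractor. The Python script below is an added example, not part of the sandbox report and not GuLoader code: it parses lines in this flattened "Source: ... | ... |" layout and pulls out those pivot points for triage. The sample lines are copied from the report; the regexes, the category names and the rule that treats "child spawned with the parent's command line, then written to by the parent" as confirmed hollowing are this script's own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the report's lines, copied verbatim.
SAMPLE_LINES = r"""
Source: DHL.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "http://107.189.4.115/ncHJfummF147.bin"} |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023B1C6C NtProtectVirtualMemory, | 1_2_023B1C6C |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023AFA47 NtAllocateVirtualMemory, | 1_2_023AFA47 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023B2214 NtResumeThread, | 1_2_023B2214 |
Source: unknown | Process created: C:\Users\user\Desktop\DHL.exe 'C:\Users\user\Desktop\DHL.exe' |
Source: C:\Users\user\Desktop\DHL.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe' | Jump to behavior |
Source: C:\Users\user\Desktop\DHL.exe | Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 30D0000 | Jump to behavior |
Source: C:\Users\user\Desktop\DHL.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe | Jump to behavior |
Source: C:\Users\user\Desktop\DHL.exe | File opened: C:\Program Files\qga\qga.exe | Jump to behavior |
Source: C:\Users\user\Desktop\DHL.exe | Thread information set: HideFromDebugger | Jump to behavior |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023A4E28 rdtsc | 1_2_023A4E28 |
Source: C:\Users\user\Desktop\DHL.exe | Code function: 1_2_023B0B86 mov eax, dword ptr fs:[00000030h] | 1_2_023B0B86 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 26_2_030E2214 RtlAddVectoredExceptionHandler, | 26_2_030E2214 |
""".strip().splitlines()

# Patterns for the observation cell (this script's own, matched against the report layout).
PAYLOAD_RE = re.compile(r'"Payload URL":\s*"([^"]+)"')
PROC_CREATED_RE = re.compile(r"^Process created: (?P<image>.+?\.exe) '(?P<cmdline>[^']*)'", re.I)
MEM_WRITTEN_RE = re.compile(r"^Memory written: (?P<image>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)", re.I)
FILE_OPENED_RE = re.compile(r"^File opened: (?P<path>.+)$")
CODE_FN_RE = re.compile(r"^Code function: \S+ (?P<body>.+)$")

HOLLOWING_APIS = {"NtAllocateVirtualMemory", "NtProtectVirtualMemory",
                  "NtWriteVirtualMemory", "NtResumeThread"}
VM_PROBE_NAMES = ("qemu-ga.exe", "qga.exe")      # guest-agent binaries probed in this report
ANTI_DEBUG_MARKERS = {                           # substring in a code-function body -> label
    "rdtsc": "rdtsc timing check",
    "fs:[00000030h]": "PEB read via fs:[30h]",
    "HideFromDebugger": "ThreadHideFromDebugger set on own thread",
    "RtlAddVectoredExceptionHandler": "vectored exception handler installed",
}


def parse_line(line):
    """Split 'Source: X | observation | extra |' into (source, observation, extra).
    Returns None for lines that do not follow that layout (headings, UI residue)."""
    if not line.startswith("Source: "):
        return None
    cells = [c.strip() for c in line[len("Source: "):].split("|")]
    cells = [c for c in cells if c and c != "Jump to behavior"]  # drop empty tail and UI link
    if len(cells) < 2:
        return None
    extra = cells[2] if len(cells) > 2 else ""
    return cells[0], cells[1], extra


def triage(lines):
    """Collect the pivot-worthy indicators from report lines into one dict."""
    f = {"payload_urls": [], "payload_hosts": [], "injection_apis": set(),
         "spawned_with_parent_cmdline": [], "memory_written_into": [],
         "vm_probes": [], "anti_debug": set()}
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        source, obs, _ = parsed
        if m := PAYLOAD_RE.search(obs):
            f["payload_urls"].append(m.group(1))
            f["payload_hosts"].append(urlparse(m.group(1)).hostname)
        elif m := PROC_CREATED_RE.match(obs):
            image, cmdline = m.group("image"), m.group("cmdline")
            # A child started with the parent's own path as its command line is the
            # hollowing tell: the host binary exists only to be overwritten.
            if cmdline.lower() == source.lower() and cmdline.lower() != image.lower():
                f["spawned_with_parent_cmdline"].append(image)
        elif m := MEM_WRITTEN_RE.match(obs):
            if m.group("image").lower() != source.lower():   # cross-process write only
                f["memory_written_into"].append((m.group("image"), int(m.group("base"), 16)))
        elif m := FILE_OPENED_RE.match(obs):
            if m.group("path").lower().endswith(VM_PROBE_NAMES):
                f["vm_probes"].append(m.group("path"))
        elif m := CODE_FN_RE.match(obs):
            body = m.group("body").rstrip(",")
            if body in HOLLOWING_APIS:
                f["injection_apis"].add(body)
            for marker, label in ANTI_DEBUG_MARKERS.items():
                if marker in body:
                    f["anti_debug"].add(label)
        elif "HideFromDebugger" in obs:                      # 'Thread information set' line
            f["anti_debug"].add(ANTI_DEBUG_MARKERS["HideFromDebugger"])
    f["injection_apis"] = sorted(f["injection_apis"])
    f["anti_debug"] = sorted(f["anti_debug"])
    # Hollowing counts as confirmed only when the same foreign image was both spawned
    # with the parent's command line and later written to by the parent.
    written = {img.lower() for img, _ in f["memory_written_into"]}
    f["hollowing_confirmed"] = [img for img in f["spawned_with_parent_cmdline"]
                                if img.lower() in written]
    return f


def summarize(f):
    """Human-readable triage lines, in the order a responder would act on them."""
    out = [f"block/hunt: payload download {url}" for url in f["payload_urls"]]
    for img in f["hollowing_confirmed"]:
        out.append(f"process hollowing into {img} (APIs: {', '.join(f['injection_apis'])})")
    if f["vm_probes"]:
        out.append("anti-VM: probes for " + ", ".join(f["vm_probes"]))
    out.extend("anti-debug: " + label for label in f["anti_debug"])
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LINES)):
        print(line)
```

The hollowing rule deliberately needs two independent observations (the borrowed command line at creation and the later cross-process write) so that a benign parent that merely launches a helper, or a sandbox line that only shows a memory write, is not reported as a hollowed host on its own.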