Windows Analysis Report GU#U00cdA DE CARGA...exe

Overview

General Information

Sample Name: GU#U00cdA DE CARGA...exe
Analysis ID: 491666
MD5: fcce8f5a7e5fcdf78c02d6543c1af2bd
SHA1: b2ea7197933811fc65425d46324af8ee231117f3
SHA256: 9ff6781bac4d77465a973def710d9619cfa7fc6fe16a78225b7e22d3a89d0be0
Tags: ESP, exe, geo, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Telegram RAT
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "24310@24310.gr", "Password": "?_bEpvL{rN$%", "Host": "mail.24310.gr", "Port": "themainlogs@gmail.com"}
Machine Learning detection for sample
Source: GU#U00cdA DE CARGA...exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack Avira: Label: TR/Spy.Gen
Source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Unpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Unpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack
Uses 32bit PE files
Source: GU#U00cdA DE CARGA...exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49741 version: TLS 1.0
Source: Binary string: wntdll.pdbUGP source: GU#U00cdA DE CARGA...exe, 00000001.00000003.265170689.000000000E9E0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: GU#U00cdA DE CARGA...exe, 00000001.00000003.265170689.000000000E9E0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_00405EC2 FindFirstFileA,FindClose, 1_2_00405EC2
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_004054EC
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_00402671 FindFirstFileA, 1_2_00402671
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_00404A29 FindFirstFileExW, 2_2_00404A29

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 047FE9A7h 2_2_047FE6E8
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 047FE547h 2_2_047FE28B
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 047FC868h 2_2_047FBE7F
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 047FD290h 2_2_047FCE78
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 047FE0E7h 2_2_047FDE29
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 047FDC87h 2_2_047FD9C8
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 047FCCC9h 2_2_047FCA0E
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 047FEE07h 2_2_047FEB4B
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 047FD290h 2_2_047FD1BE
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 2_2_047FB3A0
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 047FD290h 2_2_047FCE68
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 2_2_047FB9D3
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 2_2_047FBBB4
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580A049h 2_2_05809DA0
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580D469h 2_2_0580D1C0
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580A4A1h 2_2_0580A1F8
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580CBB9h 2_2_0580C910
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05809BF1h 2_2_05809948
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580D011h 2_2_0580CD68
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05809341h 2_2_05809098
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580C761h 2_2_0580C4B8
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05809799h 2_2_058094F0
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580BEB1h 2_2_0580BC08
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05808EE9h 2_2_05808C40
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580C309h 2_2_0580C060
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05808639h 2_2_05808390
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580BA59h 2_2_0580B7B0
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05808A91h 2_2_058087E8
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580B1A9h 2_2_0580AF00
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580B601h 2_2_0580B358
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580AD51h 2_2_0580AAA8
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580D8C1h 2_2_0580D618
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580A8F9h 2_2_0580A650
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 0580DD19h 2_2_0580DA70
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05824831h 2_2_05824588
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 058236A9h 2_2_05823400
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05825991h 2_2_058256E8
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 058229A1h 2_2_058226F8
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 058243D9h 2_2_05824130
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05825539h 2_2_05825290
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05822549h 2_2_058222A0
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05823F82h 2_2_05823CD8
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05823251h 2_2_05822FA8
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 058220C9h 2_2_05821E20
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 058250E1h 2_2_05824E38
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05824C89h 2_2_058249E0
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05823B01h 2_2_05823858
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05825DE9h 2_2_05825B40
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 4x nop then jmp 05822DF9h 2_2_05822B50

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe DNS query: name: checkip.dyndns.org
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/185.189.150.72 HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 216.146.43.70 216.146.43.70
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49741 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: GU#U00cdA DE CARGA...exe String found in binary or memory: http://checkip.dyndns.org/
Source: GU#U00cdA DE CARGA...exe, 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org4
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.orgD8
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp String found in binary or memory: http://freegeoip.app
Source: GU#U00cdA DE CARGA...exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: GU#U00cdA DE CARGA...exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GU#U00cdA DE CARGA...exe, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app
Source: GU#U00cdA DE CARGA...exe, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp String found in binary or memory: https://freegeoip.app/xml/
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/185.189.150.72
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/185.189.150.72x
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app4
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET /xml/185.189.150.72 HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00404FF1

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Uses 32bit PE files
Source: GU#U00cdA DE CARGA...exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_0040312A
Detected potential crypto function
Sample file is different than original file name gathered from version info
Source: GU#U00cdA DE CARGA...exe, 00000001.00000003.260420482.000000000EAFF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs GU#U00cdA DE CARGA...exe
Source: GU#U00cdA DE CARGA...exe, 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStubV4.exeR vs GU#U00cdA DE CARGA...exe
Source: GU#U00cdA DE CARGA...exe Binary or memory string: OriginalFilename vs GU#U00cdA DE CARGA...exe
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameStubV4.exeR vs GU#U00cdA DE CARGA...exe
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.521805997.0000000000197000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs GU#U00cdA DE CARGA...exe
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe File read: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Jump to behavior
Source: GU#U00cdA DE CARGA...exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe'
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Process created: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe'
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Process created: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe' Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe File created: C:\Users\user\AppData\Local\Temp\nsp29F7.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/2
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_00402053 CoCreateInstance,MultiByteToWideChar, 1_2_00402053
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_004042C1
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 2_2_00401489
Source: GU#U00cdA DE CARGA...exe String found in binary or memory: F-Stopw
Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, ?u07fb?ufffd?/u06e8??u0097u005e.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Binary string: wntdll.pdbUGP source: GU#U00cdA DE CARGA...exe, 00000001.00000003.265170689.000000000E9E0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: GU#U00cdA DE CARGA...exe, 00000001.00000003.265170689.000000000E9E0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Unpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Unpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Unpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_00401F16 push ecx; ret 2_2_00401F29

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe File created: C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll Jump to dropped file
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_00405EC2 FindFirstFileA,FindClose, 1_2_00405EC2
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_004054EC
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_00402671 FindFirstFileA, 1_2_00402671
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_00404A29 FindFirstFileExW, 2_2_00404A29

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040446F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_004067FE GetProcessHeap, 2_2_004067FE
Enables debug privileges
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_7333B472 mov eax, dword ptr fs:[00000030h] 1_2_7333B472
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_7333B737 mov eax, dword ptr fs:[00000030h] 1_2_7333B737
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_7333B776 mov eax, dword ptr fs:[00000030h] 1_2_7333B776
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_7333B7B4 mov eax, dword ptr fs:[00000030h] 1_2_7333B7B4
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_7333B686 mov eax, dword ptr fs:[00000030h] 1_2_7333B686
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h] 2_2_004035F1
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_047FD308 LdrInitializeThunk, 2_2_047FD308
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_00401E1D SetUnhandledExceptionFilter, 2_2_00401E1D
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040446F
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00401C88
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00401F30

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, ?u060c??ufffd/?ufffdu060c??.cs Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, ufffdu061d???/B??ufffd?.cs Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Memory written: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Process created: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe' Jump to behavior
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_0040208D cpuid 2_2_0040208D
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 2_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00401B74
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Code function: 1_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_0040312A

Stealing of Sensitive Information:

Yara detected Snake Keylogger
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 400, type: MEMORYSTR
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
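The three behaviour lines above (FileZilla's recentservers.xml, the Outlook profile registry key, Chrome's Login Data) are the credential-store reads behind the "harvest and steal" signatures. The practitioner's check is not "was the file opened" but "was it opened by something other than the application that owns it": Chrome, FileZilla and Outlook touch these stores constantly, a dropped .exe on the Desktop should not. The script below is an added example, not part of this report or of Joe Sandbox; it parses lines in the report's own `Source: <process> File opened: <path>` / `Key opened: <key>` shape and flags accesses by non-owner processes. The store catalogue (the report's three paths plus FileZilla's sitemanager.xml, other Chromium profile databases and the Firefox login files) and the owner executable names are assumptions, as are the two extra sample lines, which are constructed for the demonstration.

```python
"""Flag credential-store access by processes that do not own the store.

Added example, not part of the Joe Sandbox report. It parses behaviour lines
in the report's own "Source: <process> File opened: <path>" /
"Key opened: <key>" form and maps each target to the credential store it
belongs to. The catalogue and owner executables below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "Source: <process> File opened: <target> Jump to behavior" (trailer optional)
EVENT_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+(?P<action>File opened|Key opened):\s+"
    r"(?P<target>.+?)(?:\s+Jump to behavior)?\s*$"
)


@dataclass(frozen=True)
class Store:
    category: str        # ftp / mail / browser
    product: str
    owners: tuple        # executables expected to read this store (assumed)
    pattern: re.Pattern  # matched against the opened file or registry key


# Credential stores: the report's three observations plus well-known siblings
# in the same applications (assumed catalogue, extend for your environment).
STORES = (
    Store("ftp", "FileZilla", ("filezilla.exe",),
          re.compile(r"\\FileZilla\\(recentservers|sitemanager)\.xml$", re.I)),
    Store("mail", "Outlook", ("outlook.exe",),
          re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I)),
    Store("browser", "Chromium-based browser",
          ("chrome.exe", "msedge.exe", "brave.exe"),
          re.compile(r"\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)$", re.I)),
    Store("browser", "Firefox", ("firefox.exe",),
          re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\"
                     r"(logins\.json|key4\.db|cookies\.sqlite)$", re.I)),
)


@dataclass(frozen=True)
class Finding:
    process: str
    category: str
    product: str
    target: str
    suspicious: bool  # True when the accessing process is not a store owner


def parse_event(line: str) -> Optional[dict]:
    """Split one behaviour line into process, action and target."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line touches a known credential store."""
    ev = parse_event(line)
    if not ev:
        return None
    exe = ev["proc"].rsplit("\\", 1)[-1].lower()
    for store in STORES:
        if store.pattern.search(ev["target"]):
            return Finding(ev["proc"], store.category, store.product,
                           ev["target"], exe not in store.owners)
    return None


def triage(lines) -> list:
    """Keep only accesses made by a process that does not own the store."""
    return [f for f in (classify(l) for l in lines) if f and f.suspicious]


SAMPLE_LINES = [
    # the three lines reported above for this sample
    r"Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior",
    r"Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior",
    r"Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    # constructed: the owner reading its own store, and an unrelated temp file
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe File opened: C:\Users\user\AppData\Local\Temp\tmp1234.tmp Jump to behavior",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.category}] {f.product}: {f.process} -> {f.target}")
```

Run as-is it reports the three accesses by the sample and stays silent on chrome.exe reading its own Login Data; the same owner check is what keeps an EDR rule built on these paths from firing on every browser start.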
Yara detected Credential Stealer
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 2848, type: MEMORYSTR

Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 400, type: MEMORYSTR
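The Yara source lists repeated under the Telegram RAT, Credential Stealer and Snake Keylogger signatures above all name the same memory regions in three shapes: `<proc>.<stage>.<sample>.<base>.<n>[.raw].unpack` for carved PE images, `<proc>.<stage>.<counter>.<base>.<protect>.<flags>.sdmp` for raw memory dumps, and `Process Memory Space: <sample> PID: <pid>` for whole-process string scans. Reading them by hand is error-prone because the sample name itself contains dots. The script below is an added example, not part of this report or of Joe Sandbox; it parses all three forms and groups the hits by process and region, so that the regions dumped with execute-and-write protection at and near the image base (the tell behind "overwrites its own PE header" and "changes PE section rights") stand out. The field layout is inferred from the names on this page; treating the fifth .sdmp field as a Win32 PAGE_* protection value is my assumption, the last field is left undecoded, and the sample list is a subset copied from the entries above.

```python
"""Parse and triage the 'File source:' values of Yara matches in a
Joe Sandbox-style report.

Added example, not part of the report or of Joe Sandbox. Field meanings are
inferred from the identifiers on the page; the PAGE_* decoding of the .sdmp
protection field is an assumption and the trailing flags field is not decoded.
"""
import re
from collections import defaultdict

UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<sample>.+?)\.(?P<base>[0-9a-fA-F]+)\."
    r"(?P<index>\d+)(?P<raw>\.raw)?\.unpack$"
)
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<counter>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<flags>[0-9A-Fa-f]{8})\.sdmp$"
)
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<sample>.+?) PID: (?P<pid>\d+)$")

# Win32 page protection constants from winnt.h; assumed to be what the
# .sdmp protection field carries (guard/cache modifier bits are masked off).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}


def parse_source(source: str) -> dict:
    """Normalise one 'File source:' value into a record."""
    m = UNPACK_RE.match(source)
    if m:
        return {"kind": "unpack", "proc": int(m["proc"]), "stage": int(m["stage"]),
                "sample": m["sample"], "base": int(m["base"], 16),
                "raw": bool(m["raw"]), "protect": None}
    m = SDMP_RE.match(source)
    if m:
        prot = int(m["protect"], 16)
        return {"kind": "sdmp", "proc": int(m["proc"], 16), "stage": int(m["stage"], 16),
                "sample": None, "base": int(m["base"], 16), "raw": True,
                "protect": PAGE_PROTECT.get(prot & 0xFF, hex(prot))}
    m = MEMSTR_RE.match(source)
    if m:
        return {"kind": "memorystr", "proc": None, "stage": None,
                "sample": m["sample"], "base": None, "raw": False,
                "protect": None, "pid": int(m["pid"])}
    raise ValueError(f"unrecognised Yara source: {source!r}")


def summarize(sources) -> dict:
    """Group matches by process and point out writable+executable regions."""
    regions = defaultdict(set)   # process index -> set of base addresses
    rwx = set()                  # (process index, base) dumped as RWX
    pids = set()
    for r in (parse_source(s) for s in sources):
        if r["kind"] == "memorystr":
            pids.add(r["pid"])
            continue
        regions[r["proc"]].add(r["base"])
        if r["protect"] == "PAGE_EXECUTE_READWRITE":
            rwx.add((r["proc"], r["base"]))
    return {
        "processes": {p: sorted(b) for p, b in regions.items()},
        "rwx_regions": sorted(rwx),
        "pids": sorted(pids),
        # an RWX dump at the default 32-bit image base is the signature of a
        # PE being rewritten in place (the "overwrites its own PE header" case)
        "image_base_rwx": any(base == 0x400000 for _, base in rwx),
    }


# Subset of the sources listed above (copied from the report, not constructed)
SAMPLE_SOURCES = [
    "2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack",
    "1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack",
    "2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack",
    "00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp",
    "00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp",
    "00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp",
    "00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp",
    "Process Memory Space: GU#U00cdA DE CARGA...exe PID: 2848",
    "Process Memory Space: GU#U00cdA DE CARGA...exe PID: 400",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_SOURCES)
    for proc, bases in sorted(s["processes"].items()):
        print(f"process {proc}: " + ", ".join(hex(b) for b in bases))
    print("RWX regions:", [(p, hex(b)) for p, b in s["rwx_regions"]])
    print("PIDs scanned:", s["pids"], "| image base RWX:", s["image_base_rwx"])
```

On the full list the same grouping shows process 1 matching only in the 0xE800000 heap region while process 2 matches at the image base, inside the image (0x414000 and 0x415058) and in three separately allocated regions, which is the picture expected of a loader that injects an unpacked payload into a second copy of itself.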