Source: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id"} |
Source: Hesap Hareketleri 28-09-2021.exe |
ReversingLabs: Detection: 26% |
Source: Hesap Hareketleri 28-09-2021.exe |
Joe Sandbox ML: detected |
Source: Hesap Hareketleri 28-09-2021.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&id |
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867529345.000000000073A000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: Hesap Hareketleri 28-09-2021.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000000.344162020.0000000000415000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameTOBENET.exe vs Hesap Hareketleri 28-09-2021.exe |
Source: Hesap Hareketleri 28-09-2021.exe |
Binary or memory string: OriginalFilenameTOBENET.exe vs Hesap Hareketleri 28-09-2021.exe |
Source: Hesap Hareketleri 28-09-2021.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071727D |
1_2_0071727D |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071BB62 |
1_2_0071BB62 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00715A60 |
1_2_00715A60 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071C264 |
1_2_0071C264 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071AA45 |
1_2_0071AA45 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00717447 |
1_2_00717447 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071584B |
1_2_0071584B |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071A64C |
1_2_0071A64C |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071604F |
1_2_0071604F |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00715630 |
1_2_00715630 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071743A |
1_2_0071743A |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00715625 |
1_2_00715625 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071262A |
1_2_0071262A |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071522C |
1_2_0071522C |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071561F |
1_2_0071561F |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00715E04 |
1_2_00715E04 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00713AF5 |
1_2_00713AF5 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00715CD4 |
1_2_00715CD4 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00715ADA |
1_2_00715ADA |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_007156DD |
1_2_007156DD |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_007162C4 |
1_2_007162C4 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_007176B9 |
1_2_007176B9 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_007150AA |
1_2_007150AA |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00710480 |
1_2_00710480 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00715F75 |
1_2_00715F75 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00715561 |
1_2_00715561 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071595B |
1_2_0071595B |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071A727 |
1_2_0071A727 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_007107F5 |
1_2_007107F5 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_007163E5 |
1_2_007163E5 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071ABDA |
1_2_0071ABDA |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00715BC0 |
1_2_00715BC0 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_007155B3 |
1_2_007155B3 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071079A |
1_2_0071079A |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071727D NtAllocateVirtualMemory, |
1_2_0071727D |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_007176B9 NtAllocateVirtualMemory, |
1_2_007176B9 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00717890 NtAllocateVirtualMemory, |
1_2_00717890 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00717719 NtAllocateVirtualMemory, |
1_2_00717719 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Process Stats: CPU usage > 98% |
Source: Hesap Hareketleri 28-09-2021.exe |
ReversingLabs: Detection: 26% |
Source: Hesap Hareketleri 28-09-2021.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF4ED96077179BC113.TMP |
Jump to behavior |
Source: classification engine |
Classification label: mal80.troj.evad.winEXE@1/0@0/0 |
Source: Yara match |
File source: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, type: MEMORY |
Source: Hesap Hareketleri 28-09-2021.exe |
Static PE information: real checksum: 0x24c6f should be: 0x20bce |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00402AE8 push es; ret |
1_2_00402B24 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_004064F7 push 13C55635h; retf |
1_2_00406525 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0040431A pushfd ; retf |
1_2_0040431B |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00711A34 push ebp; iretd |
1_2_00711A95 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00711EFD push esi; iretd |
1_2_00711F68 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00711544 push ecx; ret |
1_2_00711545 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00711922 push esi; iretd |
1_2_00711F68 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00711927 push ebp; iretd |
1_2_00711A95 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071712B push ds; iretd |
1_2_0071712E |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00717112 push ds; iretw |
1_2_00717114 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00711915 push ebp; iretd |
1_2_00711A95 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00711915 push esi; iretd |
1_2_00711F68 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00711993 push ebp; iretd |
1_2_00711A95 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
RDTSC instruction interceptor: First address: 000000000040EB3B second address: 000000000040EB3B instructions: 0x00000000 rdtsc 0x00000002 cmp ecx, 000000A1h 0x00000008 cmp eax, 000000C9h 0x0000000d popad 0x0000000e lfence 0x00000011 lfence 0x00000014 dec edi 0x00000015 lfence 0x00000018 pushfd 0x00000019 popfd 0x0000001a cmp edi, 00000000h 0x0000001d jne 00007F72DC9E1FC6h 0x0000001f lfence 0x00000022 cmp eax, 00000089h 0x00000027 pushad 0x00000028 mfence 0x0000002b wait 0x0000002c rdtsc |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
RDTSC instruction interceptor: First address: 0000000000716F2F second address: 0000000000716F2F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8219BBE4h 0x00000007 xor eax, 75E10D96h 0x0000000c sub eax, 173DA739h 0x00000011 sub eax, E0BB0F38h 0x00000016 cpuid 0x00000018 popad 0x00000019 jmp 00007F72DCE2065Eh 0x0000001b test al, dl 0x0000001d call 00007F72DCE20618h 0x00000022 lfence 0x00000025 mov edx, C4E9AE68h 0x0000002a xor edx, 87763148h 0x00000030 xor edx, B74B9B40h 0x00000036 xor edx, 8B2A0474h 0x0000003c mov edx, dword ptr [edx] 0x0000003e lfence 0x00000041 ret 0x00000042 sub edx, esi 0x00000044 ret 0x00000045 pop ecx 0x00000046 jmp 00007F72DCE2065Ah 0x00000048 cmp dl, bl 0x0000004a add edi, edx 0x0000004c dec ecx 0x0000004d mov dword ptr [ebp+00000182h], ecx 0x00000053 mov ecx, 9B298471h 0x00000058 xor ecx, C9916611h 0x0000005e add ecx, 132F64BEh 0x00000064 add ecx, 9A17B8E2h 0x0000006a cmp dword ptr [ebp+00000182h], ecx 0x00000070 mov ecx, dword ptr [ebp+00000182h] 0x00000076 jne 00007F72DCE20583h 0x0000007c mov dword ptr [ebp+000001D9h], esi 0x00000082 mov esi, ecx 0x00000084 push esi 0x00000085 mov esi, dword ptr [ebp+000001D9h] 0x0000008b call 00007F72DCE206C4h 0x00000090 call 00007F72DCE20689h 0x00000095 lfence 0x00000098 mov edx, C4E9AE68h 0x0000009d xor edx, 87763148h 0x000000a3 xor edx, B74B9B40h 0x000000a9 xor edx, 8B2A0474h 0x000000af mov edx, dword ptr [edx] 0x000000b1 lfence 0x000000b4 ret 0x000000b5 mov esi, edx 0x000000b7 pushad 0x000000b8 rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071726F rdtsc |
1_2_0071726F |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00719EDE mov eax, dword ptr fs:[00000030h] |
1_2_00719EDE |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00716D70 mov eax, dword ptr fs:[00000030h] |
1_2_00716D70 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_00719913 mov eax, dword ptr fs:[00000030h] |
1_2_00719913 |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071ABDA mov eax, dword ptr fs:[00000030h] |
1_2_0071ABDA |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071726F rdtsc |
1_2_0071726F |
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe |
Code function: 1_2_0071BB62 RtlAddVectoredExceptionHandler, |
1_2_0071BB62 |
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp |
Binary or memory string: &Program Manager |
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |