Source: 00000000.00000002.825566947.0000000002AD0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id="} |
Source: FACTURA.exe |
Virustotal: Detection: 24% |
Source: FACTURA.exe |
ReversingLabs: Detection: 26% |
Source: FACTURA.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&id= |
Source: FACTURA.exe, 00000000.00000002.824965821.0000000000415000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameexposure.exe vs FACTURA.exe |
Source: FACTURA.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_004088D4 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02ADBE11 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD7A42 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD62B9 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD7AB5 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD04B7 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD6085 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02ADAC9F |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD042D |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD6438 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD5E73 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD7A40 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD77AC |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD61A5 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD65B1 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD579C |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD5FEF |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD5F12 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD9F6C |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02ADA97E |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD6540 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD735A |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD7A42 NtAllocateVirtualMemory |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD7AB5 NtAllocateVirtualMemory |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD7A40 NtAllocateVirtualMemory |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD7BC1 NtAllocateVirtualMemory |
Source: C:\Users\user\Desktop\FACTURA.exe |
Process Stats: CPU usage > 98% |
Source: FACTURA.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\FACTURA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\FACTURA.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\FACTURA.exe | File created: C:\Users\user\AppData\Local\Temp\~DFC7F0E2A53F7EEA66.TMP |
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/0@0/0 |
Source: Yara match |
File source: 00000000.00000002.825566947.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_00404C45 push ds; retf | 0_2_00404C50 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_00404CEF push es; retf | 0_2_00404CF5 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_00402EAF push edi; ret | 0_2_00402EB0 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_0040710A push ebp; iretd | 0_2_0040710B |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_00407328 push edx; ret | 0_2_0040732B |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD8AC9 push ebp; iretd | 0_2_02AD8AFE |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD4E7A push B48F7408h; retf | 0_2_02AD4E7F |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD3B19 push 89000002h; ret | 0_2_02AD3B1F |
Source: C:\Users\user\Desktop\FACTURA.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\FACTURA.exe |
RDTSC instruction interceptor: First address: 000000000040ED87 second address: 000000000040ED87 instructions: 0x00000000 rdtsc 0x00000002 mfence 0x00000005 nop 0x00000006 popad 0x00000007 cmp ecx, 7Dh 0x0000000a mfence 0x0000000d dec edi 0x0000000e mfence 0x00000011 wait 0x00000012 cmp edi, 00000000h 0x00000015 jne 00007FC810A3F940h 0x00000017 mfence 0x0000001a cmp eax, 32h 0x0000001d pushad 0x0000001e wait 0x0000001f lfence 0x00000022 rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD72A1 rdtsc |
Source: C:\Users\user\Desktop\FACTURA.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD70C9 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD9C78 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02ADA199 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02AD4929 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_02ADBE11 RtlAddVectoredExceptionHandler |
Source: FACTURA.exe, 00000000.00000002.825239169.0000000000D70000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: FACTURA.exe, 00000000.00000002.825239169.0000000000D70000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: FACTURA.exe, 00000000.00000002.825239169.0000000000D70000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: FACTURA.exe, 00000000.00000002.825239169.0000000000D70000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |