Source: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1hKAWruhccvaKl72"}
Source: Foreign_Bank Account Details.exe | ReversingLabs: Detection: 33%
Source: Foreign_Bank Account Details.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 5x nop then mov edx, edx | 0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 6x nop then mov edx, edx | 0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 4x nop then mov ecx, ecx | 0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 5x nop then mov edx, edx | 0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 6x nop then mov edx, edx | 0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 4x nop then mov ecx, ecx | 0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 4x nop then mov ecx, ecx | 0_2_00402267
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 5x nop then mov edx, edx | 0_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 6x nop then mov edx, edx | 0_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 4x nop then mov ecx, ecx | 0_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 4x nop then mov ecx, ecx | 0_2_004022E9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 4x nop then mov ecx, ecx | 0_2_00402379
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 5x nop then mov edx, edx | 0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 6x nop then mov edx, edx | 0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 4x nop then mov ecx, ecx | 0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 6x nop then mov edx, edx | 0_2_004021F3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 4x nop then mov ecx, ecx | 0_2_004021F3
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1hKAWruhccvaKl72
Source: Foreign_Bank Account Details.exe, 00000000.00000002.765735335.000000000072A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: Foreign_Bank Account Details.exe, 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamefigurmrk.exe vs Foreign_Bank Account Details.exe
Source: Foreign_Bank Account Details.exe | Binary or memory string: OriginalFilenamefigurmrk.exe vs Foreign_Bank Account Details.exe
Source: Foreign_Bank Account Details.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004012D8 | 0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00402061 | 0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004020E7 | 0_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004022E9 | 0_2_004022E9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_0040191F | 0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020CBFDE | 0_2_020CBFDE
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C80F9 | 0_2_020C80F9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C5E21 | 0_2_020C5E21
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C6651 | 0_2_020C6651
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C6E70 | 0_2_020C6E70
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C8698 | 0_2_020C8698
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020CA6A7 | 0_2_020CA6A7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C6ABF | 0_2_020C6ABF
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C7AFA | 0_2_020C7AFA
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020CAEF3 | 0_2_020CAEF3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C639E | 0_2_020C639E
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020CA3AD | 0_2_020CA3AD
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C8BBD | 0_2_020C8BBD
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C67BE | 0_2_020C67BE
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020CABE2 | 0_2_020CABE2
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C6BFC | 0_2_020C6BFC
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020CB009 | 0_2_020CB009
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C5C13 | 0_2_020C5C13
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020CAC45 | 0_2_020CAC45
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C5C54 | 0_2_020C5C54
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C5C74 | 0_2_020C5C74
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C80C2 | 0_2_020C80C2
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C4D15 | 0_2_020C4D15
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C8154 | 0_2_020C8154
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C796A | 0_2_020C796A
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C9D8F | 0_2_020C9D8F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C8598 | 0_2_020C8598
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020CA5DF | 0_2_020CA5DF
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C85E0 | 0_2_020C85E0
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C80F9 NtAllocateVirtualMemory | 0_2_020C80F9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C8234 NtAllocateVirtualMemory | 0_2_020C8234
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C8253 NtAllocateVirtualMemory | 0_2_020C8253
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C82B3 NtAllocateVirtualMemory | 0_2_020C82B3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C8352 NtAllocateVirtualMemory | 0_2_020C8352
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C8371 NtAllocateVirtualMemory | 0_2_020C8371
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C80C2 NtAllocateVirtualMemory | 0_2_020C80C2
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C8154 NtAllocateVirtualMemory | 0_2_020C8154
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C819A NtAllocateVirtualMemory | 0_2_020C819A
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Process Stats: CPU usage > 98%
Source: Foreign_Bank Account Details.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine | Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0
Source: Yara match | File source: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00414356 push eax; ret | 0_2_004147B5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00404A4A push edx; iretd | 0_2_00404A75
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00404252 push eax; iretd | 0_2_00404251
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00404A5E push edx; iretd | 0_2_00404A75
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00402E00 push edx; iretd | 0_2_00402E01
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_0040562D push edi; iretd | 0_2_00405661
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004052C1 pushfd; retf | 0_2_00405307
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004048C4 push edi; iretd | 0_2_004048C5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004040D2 push es; ret | 0_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004040DE push es; ret | 0_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004076EF pushfd; retf | 0_2_004076F3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004068F0 push eax; iretd | 0_2_004068FD
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004058F6 push edx; iretd | 0_2_004058F9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004082F9 push eax; iretd | 0_2_00408305
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00406E91 push ecx; iretd | 0_2_00406E9D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00408298 push ebx; iretd | 0_2_00408299
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00406C9E push eax; iretd | 0_2_00406ED5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00406EBF push eax; iretd | 0_2_00406ED5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00403948 push ecx; iretd | 0_2_00403949
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_0040416E push es; ret | 0_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00404112 push es; ret | 0_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00405F20 push esi; iretd | 0_2_00405F21
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004061CE push esi; iretd | 0_2_004061E5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004055CF push edi; iretd | 0_2_00405661
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004059E4 push edi; iretd | 0_2_004059E5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_0040638D push 569795EEh; iretd | 0_2_004063A5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00402F9E push esi; iretd | 0_2_00402FA1
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004059A0 push eax; iretd | 0_2_004059A1
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004041BB push eax; iretd | 0_2_00404251
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004043BB push edx; iretd | 0_2_004043C1
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C7689 push 737A652Eh; iretd | 0_2_020C9824
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C7A45 rdtsc | 0_2_020C7A45
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_004012D8 mov ebx, dword ptr fs:[00000030h] | 0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_00402061 mov ebx, dword ptr fs:[00000030h] | 0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_0040191F mov ebx, dword ptr fs:[00000030h] | 0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C9EE3 mov eax, dword ptr fs:[00000030h] | 0_2_020C9EE3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020CB009 mov eax, dword ptr fs:[00000030h] | 0_2_020CB009
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020CA450 mov eax, dword ptr fs:[00000030h] | 0_2_020CA450
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020C78C4 mov eax, dword ptr fs:[00000030h] | 0_2_020C78C4
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe | Code function: 0_2_020CBFDE RtlAddVectoredExceptionHandler | 0_2_020CBFDE
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock