Source: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1AoRiyDm8nMjHX"} |
Source: FACTURA.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1AoRiyDm8nMjHX |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D7298 NtAllocateVirtualMemory, | 0_2_021D7298 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D7614 NtAllocateVirtualMemory, | 0_2_021D7614 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D763B NtAllocateVirtualMemory, | 0_2_021D763B |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D727C NtAllocateVirtualMemory, | 0_2_021D727C |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D72B5 NtAllocateVirtualMemory, | 0_2_021D72B5 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D775D NtAllocateVirtualMemory, | 0_2_021D775D |
Source: FACTURA.exe, 00000000.00000000.676817252.0000000000416000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameHippa6.exe vs FACTURA.exe |
Source: FACTURA.exe | Binary or memory string: OriginalFilenameHippa6.exe vs FACTURA.exe |
Source: C:\Users\user\Desktop\FACTURA.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_00401440 | 0_2_00401440 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_0040167C | 0_2_0040167C |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_0040162F | 0_2_0040162F |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_00404D2C | 0_2_00404D2C |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D7298 | 0_2_021D7298 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DB9D6 | 0_2_021DB9D6 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D7614 | 0_2_021D7614 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBA08 | 0_2_021DBA08 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D5207 | 0_2_021D5207 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D763B | 0_2_021D763B |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DAA32 | 0_2_021DAA32 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DAE44 | 0_2_021DAE44 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D727C | 0_2_021D727C |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DA26F | 0_2_021DA26F |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D566A | 0_2_021D566A |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBA65 | 0_2_021DBA65 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DAABB | 0_2_021DAABB |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D72B5 | 0_2_021D72B5 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBAD8 | 0_2_021DBAD8 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D5AE0 | 0_2_021D5AE0 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D5F15 | 0_2_021D5F15 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D5B2B | 0_2_021D5B2B |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D7B4E | 0_2_021D7B4E |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D9F4A | 0_2_021D9F4A |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBB47 | 0_2_021DBB47 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D5F40 | 0_2_021D5F40 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D9F6A | 0_2_021D9F6A |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DAB61 | 0_2_021DAB61 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DB386 | 0_2_021DB386 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D57B4 | 0_2_021D57B4 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D7BB3 | 0_2_021D7BB3 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBBAF | 0_2_021DBBAF |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D8FDA | 0_2_021D8FDA |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DA013 | 0_2_021DA013 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D8400 | 0_2_021D8400 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DAC2D | 0_2_021DAC2D |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D742B | 0_2_021D742B |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D5C51 | 0_2_021D5C51 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBC4D | 0_2_021DBC4D |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D6066 | 0_2_021D6066 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D58A1 | 0_2_021D58A1 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D7CC5 | 0_2_021D7CC5 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D54EB | 0_2_021D54EB |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DA11F | 0_2_021DA11F |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DAD09 | 0_2_021DAD09 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DB138 | 0_2_021DB138 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D5557 | 0_2_021D5557 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D516C | 0_2_021D516C |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D5D9D | 0_2_021D5D9D |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBDBA | 0_2_021DBDBA |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D59DD | 0_2_021D59DD |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D09C5 | 0_2_021D09C5 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D7DF4 | 0_2_021D7DF4 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D99F0 | 0_2_021D99F0 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D61E9 | 0_2_021D61E9 |
Source: FACTURA.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine | Classification label: mal68.troj.evad.winEXE@1/0@0/0 |
Source: Yara match | File source: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_00403F79 push ss; iretd | 0_2_00403F85 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_00404B0F push cs; retf | 0_2_00404B2B |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D338C pushad ; iretd | 0_2_021D34D5 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D3457 pushad ; iretd | 0_2_021D34D5 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D348A pushad ; iretd | 0_2_021D34D5 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D9900 push edi; ret | 0_2_021D9956 |
Source: C:\Users\user\Desktop\FACTURA.exe | RDTSC instruction interceptor: First address: 000000000040F124 second address: 000000000040F124 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 wait
  0x00000006 popad
  0x00000007 pushfd
  0x00000008 popfd
  0x00000009 wait
  0x0000000a dec edi
  0x0000000b lfence
  0x0000000e pushfd
  0x0000000f popfd
  0x00000010 cmp edi, 00000000h
  0x00000013 jne 00007F2F4096AF93h
  0x00000015 nop
  0x00000016 pushfd
  0x00000017 popfd
  0x00000018 pushad
  0x00000019 lfence
  0x0000001c cmp eax, 4Ch
  0x0000001f rdtsc
Source: C:\Users\user\Desktop\FACTURA.exe | RDTSC instruction interceptor: First address: 00000000021D6F4D second address: 00000000021D6F4D instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 4344BD4Eh
  0x00000007 xor eax, 9523C638h
  0x0000000c xor eax, 8C421A1Dh
  0x00000011 sub eax, 5A25616Ah
  0x00000016 cpuid
  0x00000018 popad
  0x00000019 call 00007F2F4096DCB8h
  0x0000001e lfence
  0x00000021 mov edx, FAD6A590h
  0x00000026 xor edx, B228D1B3h
  0x0000002c xor edx, 57AF33B0h
  0x00000032 xor edx, 60AF4787h
  0x00000038 mov edx, dword ptr [edx]
  0x0000003a lfence
  0x0000003d ret
  0x0000003e sub edx, esi
  0x00000040 ret
  0x00000041 pop ecx
  0x00000042 add edi, edx
  0x00000044 dec ecx
  0x00000045 mov dword ptr [ebp+00000182h], ebx
  0x0000004b mov ebx, F34FAB69h
  0x00000050 add ebx, D3E79685h
  0x00000056 xor ebx, 85E85CE5h
  0x0000005c sub ebx, 42DF1D0Bh
  0x00000062 cmp ecx, ebx
  0x00000064 mov ebx, dword ptr [ebp+00000182h]
  0x0000006a jne 00007F2F4096DC70h
  0x0000006c mov dword ptr [ebp+00000168h], edi
  0x00000072 cmp dx, bx
  0x00000075 mov edi, ecx
  0x00000077 push edi
  0x00000078 mov edi, dword ptr [ebp+00000168h]
  0x0000007e call 00007F2F4096DD18h
  0x00000083 call 00007F2F4096DCD9h
  0x00000088 lfence
  0x0000008b mov edx, FAD6A590h
  0x00000090 xor edx, B228D1B3h
  0x00000096 xor edx, 57AF33B0h
  0x0000009c xor edx, 60AF4787h
  0x000000a2 mov edx, dword ptr [edx]
  0x000000a4 lfence
  0x000000a7 ret
  0x000000a8 mov esi, edx
  0x000000aa pushad
  0x000000ab rdtsc
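The second RDTSC dump shows GuLoader's habit of hiding every constant behind a mov/xor/add/sub chain so that neither the CPUID leaf nor the address it reads appears in the shellcode as a literal. The Python below is an added example, not part of the sandbox report or of the sample's code: it folds such chains and labels the results. The listing format it parses (the "offset mnemonic operands" lines as printed in the report) and the KUSER_SHARED_DATA field offsets it labels are assumptions noted in the comments. Run on the three chains from the dump it recovers eax = 1 (CPUID leaf 1, the leaf whose ECX bit 31 reports a hypervisor), edx = 0x7FFE0014 (KUSER_SHARED_DATA.SystemTime, read as a second clock between the two rdtsc instructions) and ebx = 0 (the value the decremented ecx loop counter is compared against).

```python
"""Fold GuLoader-style obfuscated immediates back into the real constants.

Added example for the sandbox report above; not code from the report or the sample.
Assumed input format: one instruction per line, optionally prefixed by a hex offset,
exactly as the report's RDTSC interceptor rows print them.
"""
import re
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF

# Constructed sample input: the three immediate chains copied from the second
# RDTSC interceptor dump in the report, with the report's own offsets.
SAMPLE_LISTING = """
0x00000000 rdtsc
0x00000002 mov eax, 4344BD4Eh
0x00000007 xor eax, 9523C638h
0x0000000c xor eax, 8C421A1Dh
0x00000011 sub eax, 5A25616Ah
0x00000016 cpuid
0x00000021 mov edx, FAD6A590h
0x00000026 xor edx, B228D1B3h
0x0000002c xor edx, 57AF33B0h
0x00000032 xor edx, 60AF4787h
0x00000038 mov edx, dword ptr [edx]
0x0000004b mov ebx, F34FAB69h
0x00000050 add ebx, D3E79685h
0x00000056 xor ebx, 85E85CE5h
0x0000005c sub ebx, 42DF1D0Bh
0x00000062 cmp ecx, ebx
"""

# "<offset> <op> <reg>, <imm>h" (assumed report syntax); the offset is optional.
IMM_RE = re.compile(
    r'^(?:0x[0-9a-f]+\s+)?(mov|xor|add|sub)\s+(e[abcd]x|e[sd]i|e[bs]p),\s*([0-9a-f]+)h\s*$',
    re.IGNORECASE,
)
REG_RE = re.compile(r'\b(e[abcd]x|e[sd]i|e[bs]p)\b', re.IGNORECASE)
OPS = {
    'mov': lambda cur, imm: imm,
    'xor': lambda cur, imm: cur ^ imm,
    'add': lambda cur, imm: (cur + imm) & MASK32,
    'sub': lambda cur, imm: (cur - imm) & MASK32,
}
# Instructions that read a register without naming it in the operand text.
IMPLICIT_READS = {'cpuid': {'eax', 'ecx'}}

# KUSER_SHARED_DATA is mapped at 0x7FFE0000 in every 32-bit Windows process;
# offsets below are assumed from the public structure layout.
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {0x008: 'InterruptTime', 0x014: 'SystemTime', 0x320: 'TickCount'}


def describe(value: int) -> str:
    """Best-effort label for a recovered constant."""
    if KUSER_SHARED_DATA <= value < KUSER_SHARED_DATA + 0x1000:
        off = value - KUSER_SHARED_DATA
        return f'KUSER_SHARED_DATA+0x{off:x} ({KUSER_FIELDS.get(off, "unknown field")})'
    return f'0x{value:08x}'


def fold_constants(listing: str) -> List[Tuple[str, int, str]]:
    """Fold each register's mov/xor/add/sub immediate chain into one value.

    Returns (register, value, consumer) triples; consumer is the first later
    instruction that names or implicitly reads the register, or 'end'. Any
    mention of the register ends its chain, so a plain overwrite is reported
    as a consumer too; that is good enough for locating the real constants.
    """
    live: Dict[str, int] = {}          # register -> value accumulated so far
    results: List[Tuple[str, int, str]] = []

    def flush(reg: str, consumer: str) -> None:
        results.append((reg, live.pop(reg), consumer))

    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IMM_RE.match(line)
        if m:
            op, reg, imm = m.group(1).lower(), m.group(2).lower(), int(m.group(3), 16)
            if op == 'mov':
                if reg in live:            # a fresh mov restarts the chain
                    flush(reg, line)
                live[reg] = imm
            elif reg in live:
                live[reg] = OPS[op](live[reg], imm)
            continue
        tokens = line.split()
        mnemonic = tokens[1] if tokens[0].lower().startswith('0x') and len(tokens) > 1 else tokens[0]
        readers = {r.lower() for r in REG_RE.findall(line)} | IMPLICIT_READS.get(mnemonic.lower(), set())
        for reg in sorted(readers & set(live)):
            flush(reg, line)
    for reg in sorted(live):
        flush(reg, 'end')
    return results


if __name__ == '__main__':
    for reg, value, consumer in fold_constants(SAMPLE_LISTING):
        print(f'{reg} = {describe(value):<45} used by: {consumer}')
```

The same folding works on any GuLoader dump of this style; the point of reporting the consuming instruction is that it tells you what the constant is for (a CPUID leaf, a memory address, a loop bound) without hand-tracing the register.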
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\FACTURA.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DAA32 mov eax, dword ptr fs:[00000030h] | 0_2_021DAA32 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DAABB mov eax, dword ptr fs:[00000030h] | 0_2_021DAABB |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D4794 mov eax, dword ptr fs:[00000030h] | 0_2_021D4794 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D4383 mov eax, dword ptr fs:[00000030h] | 0_2_021D4383 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D97FC mov eax, dword ptr fs:[00000030h] | 0_2_021D97FC |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D97FE mov eax, dword ptr fs:[00000030h] | 0_2_021D97FE |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D98B3 mov eax, dword ptr fs:[00000030h] | 0_2_021D98B3 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D6DDC mov eax, dword ptr fs:[00000030h] | 0_2_021D6DDC |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021D9DE9 mov eax, dword ptr fs:[00000030h] | 0_2_021D9DE9 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DB9D6 RtlAddVectoredExceptionHandler, | 0_2_021DB9D6 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBA08 RtlAddVectoredExceptionHandler, | 0_2_021DBA08 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBE7C RtlAddVectoredExceptionHandler, | 0_2_021DBE7C |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBA65 RtlAddVectoredExceptionHandler, | 0_2_021DBA65 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBAD8 RtlAddVectoredExceptionHandler, | 0_2_021DBAD8 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBEF5 RtlAddVectoredExceptionHandler, | 0_2_021DBEF5 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBB47 RtlAddVectoredExceptionHandler, | 0_2_021DBB47 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBBAF RtlAddVectoredExceptionHandler, | 0_2_021DBBAF |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBC4D RtlAddVectoredExceptionHandler, | 0_2_021DBC4D |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021DBDBA RtlAddVectoredExceptionHandler, | 0_2_021DBDBA |
Source: FACTURA.exe, 00000000.00000002.1202275518.0000000000C70000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: FACTURA.exe, 00000000.00000002.1202275518.0000000000C70000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: FACTURA.exe, 00000000.00000002.1202275518.0000000000C70000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: FACTURA.exe, 00000000.00000002.1202275518.0000000000C70000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |