Source: 00000000.00000002.1193811530.0000000004BF0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://implantecapilarpereira.com/NetGen"} |
Source: mU9H96igb3.exe | Virustotal: Detection: 32% |
Source: mU9H96igb3.exe | Metadefender: Detection: 25% |
Source: mU9H96igb3.exe | ReversingLabs: Detection: 24% |
Source: mU9H96igb3.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: http://implantecapilarpereira.com/NetGen |
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: mU9H96igb3.exe, 00000000.00000000.665404546.0000000000431000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe |
Source: mU9H96igb3.exe | Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe |
Source: mU9H96igb3.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C0557A |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C1474A |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C000C6 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C0ECDD |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C100B4 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C0087E |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C0E400 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C07574 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04BF4AA2 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C11BCE |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C06BF6 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C04B8B |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C1130A |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C0557A NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Process Stats: CPU usage > 98% |
Source: mU9H96igb3.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine | Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0 |
Source: Yara match | File source: 00000000.00000002.1193811530.0000000004BF0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_0041A474 push ebp; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_0040E9CB push ecx; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_004191F0 push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_004131A3 push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_004086CE push eax; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_00411ACE push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_004132DE push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_0041729D push edx; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_0040DAAA push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_0040E6B3 push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_00417AB9 push eax; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_0040A750 push ss; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_00411B06 push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_00407B81 push esi; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C14084 push FFFFFF94h; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04BF1611 push esi; iretd |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04BF2A10 push FFFFFF94h; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04BF465A push ebx; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04BF67BC push es; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C06BF6 push FFFFFF94h; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04BF1327 push esi; iretd |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04BF1366 push esi; iretd |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | RDTSC instruction interceptor: First address: 0000000004C0F8E2 second address: 0000000004C0F8E2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 3AB33088h 0x00000007 sub eax, 03336DF3h 0x0000000c xor eax, 78D04D3Fh 0x00000011 xor eax, 4FAF8FABh 0x00000016 cpuid 0x00000018 popad 0x00000019 jmp 00007FC97CF5E8D9h 0x0000001e cmp eax, edx 0x00000020 call 00007FC97CF5E7AAh 0x00000025 lfence 0x00000028 mov edx, 337D36F1h 0x0000002d xor edx, 66E5A0A3h 0x00000033 xor edx, 9D6B538Dh 0x00000039 xor edx, B70DC5CBh 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 jmp 00007FC97CF5E8DDh 0x00000049 test cl, bl 0x0000004b ret 0x0000004c sub edx, esi 0x0000004e ret 0x0000004f add edi, edx 0x00000051 dec dword ptr [ebp+000000F8h] 0x00000057 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005e jne 00007FC97CF5E78Ch 0x00000060 call 00007FC97CF5E91Fh 0x00000065 call 00007FC97CF5E906h 0x0000006a lfence 0x0000006d mov edx, 337D36F1h 0x00000072 xor edx, 66E5A0A3h 0x00000078 xor edx, 9D6B538Dh 0x0000007e xor edx, B70DC5CBh 0x00000084 mov edx, dword ptr [edx] 0x00000086 lfence 0x00000089 jmp 00007FC97CF5E8DDh 0x0000008e test cl, bl 0x00000090 ret 0x00000091 mov esi, edx 0x00000093 pushad 0x00000094 rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C0F8DA rdtsc |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C0C054 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C0E990 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C046A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C11BCE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 0_2_04C1474A RtlAddVectoredExceptionHandler, |
Source: mU9H96igb3.exe, 00000000.00000002.1192442091.0000000000DC0000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: mU9H96igb3.exe, 00000000.00000002.1192442091.0000000000DC0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: mU9H96igb3.exe, 00000000.00000002.1192442091.0000000000DC0000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: mU9H96igb3.exe, 00000000.00000002.1192442091.0000000000DC0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |