Source: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id="} |
Source: FACTURAS.exe | ReversingLabs: Detection: 15% |
Source: FACTURAS.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id= |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020DDD75 NtAllocateVirtualMemory, |
Source: FACTURAS.exe, 00000000.00000000.294184122.0000000000421000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGILDER.exe vs FACTURAS.exe |
Source: FACTURAS.exe | Binary or memory string: OriginalFilenameGILDER.exe vs FACTURAS.exe |
Source: C:\Users\user\Desktop\FACTURAS.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004036BD |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00401538 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00401774 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00401727 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020E6E65 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020DDD75 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D924D |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D924F |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D9331 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020E5138 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D9691 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020DD7F6 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D94E5 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D95CD |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020E45C5 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020E3A47 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020DCFA2 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020E4CA7 |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020E4DD5 |
Source: C:\Users\user\Desktop\FACTURAS.exe | File created: C:\Users\user\AppData\Local\Temp\~DF26AA5308F7227456.TMP |
Source: FACTURAS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\FACTURAS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\FACTURAS.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/1@0/0 |
Source: Yara match | File source: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004013B4 push FFFFFFCDh; iretd |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0040204F push FFFFFFCDh; iretd |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004111C3 push ebp; ret |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004051D5 push 0340104Fh; iretd |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00403A4A push esi; retf |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00402B0E push FFFFFFCDh; iretd |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00404C1F push eax; ret |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0040BCD6 push 3CF881B8h; ret |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00413574 push 00000039h; iretd |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0040A61E push D9EC50BBh; retf |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0040A739 push cs; iretd |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020DE3B0 pushad ; retf |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D17FB push cs; ret |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D4AE0 push ebp; retf |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D5860 push esp; retn 0004h |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D0E32 pushfd ; iretd |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D5F76 push eax; iretd |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D5FC1 push eax; iretd |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D4C41 push ebp; ret |
Source: C:\Users\user\Desktop\FACTURAS.exe | Process information set: NOOPENFILEERRORBOX |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0041724F rdtsc |
Source: C:\Users\user\Desktop\FACTURAS.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020E5138 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020E3589 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020D8A51 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020DC9F2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020E2C97 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_020E6E65 RtlAddVectoredExceptionHandler, |
Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |