{"Payload URL": "https://atseasonals.com/GHrtt/bin_k"}
Source: 00000001.00000002.804770184.0000000002A60000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://atseasonals.com/GHrtt/bin_k"} |
Source: Zr26f1rL6r.exe | Virustotal: Detection: 40% | Perma Link |
Source: Zr26f1rL6r.exe | ReversingLabs: Detection: 20% |
Source: Zr26f1rL6r.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://atseasonals.com/GHrtt/bin_k |
Source: Zr26f1rL6r.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: Zr26f1rL6r.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: Zr26f1rL6r.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: Zr26f1rL6r.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: Zr26f1rL6r.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: Zr26f1rL6r.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: Zr26f1rL6r.exe | String found in binary or memory: http://ocsp.digicert.com0C |
Source: Zr26f1rL6r.exe | String found in binary or memory: http://ocsp.digicert.com0O |
Source: Zr26f1rL6r.exe | String found in binary or memory: http://www.digicert.com/CPS0 |
Source: Zr26f1rL6r.exe | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: Zr26f1rL6r.exe, 00000001.00000002.804004031.000000000071A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: Zr26f1rL6r.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Zr26f1rL6r.exe, 00000001.00000000.279454201.0000000000422000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUNDERWR.exe vs Zr26f1rL6r.exe |
Source: Zr26f1rL6r.exe | Binary or memory string: OriginalFilenameUNDERWR.exe vs Zr26f1rL6r.exe |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_00401772 |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_00401725 |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_00401536 |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A6523E |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A65814 |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A6FFED |
Source: Zr26f1rL6r.exe | Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Process Stats: CPU usage > 98% |
Source: Zr26f1rL6r.exe | Virustotal: Detection: 40% |
Source: Zr26f1rL6r.exe | ReversingLabs: Detection: 20% |
Source: Zr26f1rL6r.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | File created: C:\Users\user\AppData\Local\Temp\~DFD789DA64D34966AA.TMP | Jump to behavior |
Source: classification engine | Classification label: mal76.troj.evad.winEXE@1/1@0/0 |
Source: Yara match | File source: 00000001.00000002.804770184.0000000002A60000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_004093B3 push ebx; ret |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A62286 push esi; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A638B3 push 4674B5B4h; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A6388E push 4674B5B4h; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A660C4 pushfd ; iretd |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A638CA push 4674B5B4h; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A658DF pushfd ; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A63800 push 4674B5B4h; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A65814 pushfd ; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A65814 push ebx; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A60047 push ds; ret |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A60047 push ds; ret |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A63841 push 4674B5B4h; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A659A2 push ebx; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A659AE push ebx; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A6598A push ebx; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A65996 push ebx; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A6590E pushfd ; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A6010F push ds; ret |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A61918 push esi; ret |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A65919 push ebx; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A6597F push ebx; retf |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A62954 pushad ; ret |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A64DAC push ecx; ret |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | RDTSC instruction interceptor: First address: 0000000002A70462 second address: 0000000002A70462 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 6DE2EF76h 0x00000007 xor eax, 3DB09C71h 0x0000000c sub eax, 5442A7C9h 0x00000011 xor eax, FC0FCB3Fh 0x00000016 cpuid 0x00000018 jmp 00007FA49CC56E26h 0x0000001a cmp cx, bx 0x0000001d popad 0x0000001e cmp esi, 4B3AFD05h 0x00000024 call 00007FA49CC56DECh 0x00000029 lfence 0x0000002c mov edx, 710EE3C3h 0x00000031 xor edx, C84DA636h 0x00000037 xor edx, 5FA736A0h 0x0000003d xor edx, 991A7341h 0x00000043 mov edx, dword ptr [edx] 0x00000045 lfence 0x00000048 jmp 00007FA49CC56E1Ah 0x0000004a cmp ecx, C21290E3h 0x00000050 cmp cx, B483h 0x00000055 ret 0x00000056 sub edx, esi 0x00000058 ret 0x00000059 cmp cl, dl 0x0000005b jmp 00007FA49CC56E26h 0x0000005d cmp cx, bx 0x00000060 cmp esi, 7ED3C2E3h 0x00000066 add edi, edx 0x00000068 dec dword ptr [ebp+000000F8h] 0x0000006e cmp dword ptr [ebp+000000F8h], 00000000h 0x00000075 jne 00007FA49CC56D73h 0x00000077 cmp edx, ecx 0x00000079 cmp ebx, 1CFC15CDh 0x0000007f call 00007FA49CC56E8Bh 0x00000084 call 00007FA49CC56E5Ch 0x00000089 lfence 0x0000008c mov edx, 710EE3C3h 0x00000091 xor edx, C84DA636h 0x00000097 xor edx, 5FA736A0h 0x0000009d xor edx, 991A7341h 0x000000a3 mov edx, dword ptr [edx] 0x000000a5 lfence 0x000000a8 jmp 00007FA49CC56E1Ah 0x000000aa cmp ecx, C21290E3h 0x000000b0 cmp cx, B483h 0x000000b5 ret 0x000000b6 mov esi, edx 0x000000b8 pushad 0x000000b9 rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A7045A rdtsc |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A6F3CA mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A6FCC1 mov eax, dword ptr fs:[00000030h] |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe | Code function: 1_2_02A7045A rdtsc |
Source: Zr26f1rL6r.exe, 00000001.00000002.804242856.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: Zr26f1rL6r.exe, 00000001.00000002.804242856.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: Zr26f1rL6r.exe, 00000001.00000002.804242856.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: Zr26f1rL6r.exe, 00000001.00000002.804242856.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.