Source: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp
Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?c"}
Source: Justificante de Pago 25112021.pdf _.exe
ReversingLabs: Detection: 17%
Source: Justificante de Pago 25112021.pdf _.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Justificante de Pago 25112021.pdf _.exe
Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\SKIBSBES.pdb
Source: Malware configuration extractor
URLs: https://onedrive.live.com/download?c
Source: Justificante de Pago 25112021.pdf _.exe
String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Justificante de Pago 25112021.pdf _.exe
String found in binary or memory: http://s.symcd.com06
Source: Justificante de Pago 25112021.pdf _.exe
String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Justificante de Pago 25112021.pdf _.exe
String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Justificante de Pago 25112021.pdf _.exe
String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Justificante de Pago 25112021.pdf _.exe
String found in binary or memory: https://d.symcb.com/cps0%
Source: Justificante de Pago 25112021.pdf _.exe
String found in binary or memory: https://d.symcb.com/rpa0
Source: Justificante de Pago 25112021.pdf _.exe
String found in binary or memory: https://d.symcb.com/rpa0.
Source: initial sample
Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: initial sample
Static PE information: Filename: Justificante de Pago 25112021.pdf _.exe
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000000.655922327.0000000000421000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameSKIBSBES.exe vs Justificante de Pago 25112021.pdf _.exe
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1185543904.0000000002A60000.00000004.00000001.sdmp
Binary or memory string: OriginalFilenameSKIBSBES.exeFE2X vs Justificante de Pago 25112021.pdf _.exe
Source: Justificante de Pago 25112021.pdf _.exe
Binary or memory string: OriginalFilenameSKIBSBES.exe vs Justificante de Pago 25112021.pdf _.exe
Source: Justificante de Pago 25112021.pdf _.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_00401578
0_2_00401578
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298C889
0_2_0298C889
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02993C74
0_2_02993C74
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02992493
0_2_02992493
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02988C96
0_2_02988C96
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298C486
0_2_0298C486
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_029892AF
0_2_029892AF
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_029828D2
0_2_029828D2
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_029824EB
0_2_029824EB
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298061C
0_2_0298061C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298D010
0_2_0298D010
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02984608
0_2_02984608
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0299120B
0_2_0299120B
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02986E3F
0_2_02986E3F
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298B45C
0_2_0298B45C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0299367B
0_2_0299367B
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298258D
0_2_0298258D
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02980386
0_2_02980386
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_029801EC
0_2_029801EC
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298BD14
0_2_0298BD14
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02990937
0_2_02990937
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02987555
0_2_02987555
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02986557
0_2_02986557
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298AF4E
0_2_0298AF4E
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298DF79
0_2_0298DF79
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298657D
0_2_0298657D
Source: Justificante de Pago 25112021.pdf _.exe
Static PE information: invalid certificate
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298C889 NtAllocateVirtualMemory
0_2_0298C889
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Process Stats: CPU usage > 98%
Source: Justificante de Pago 25112021.pdf _.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine
Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0
Source: Justificante de Pago 25112021.pdf _.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Yara match
File source: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_00405661 push ebp; ret
0_2_00405664
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_004066B9 push ds; ret
0_2_004066D6
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_00403193 push ds; retf
0_2_0040324B
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298548B push ebx; ret
0_2_0298556C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_029854B2 push ebx; ret
0_2_0298556C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02987ECB pushfd ; ret
0_2_02987F37
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02985AFC push ds; ret
0_2_02985B23
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_029824E3 push E2DBE6FFh; retf
0_2_029824E9
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298422C push cs; retf
0_2_0298429C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02984267 push cs; retf
0_2_0298429C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02985FC4 pushad ; iretd
0_2_02985FC5
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_029841E0 push cs; retf
0_2_0298429C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02985502 push ebx; ret
0_2_0298556C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02982B39 push ds; retf
0_2_02982B50
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02980F43 push ebp; retf
0_2_02980F44
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Process information set: NOOPENFILEERRORBOX
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298BBE8 rdtsc
0_2_0298BBE8
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02990098 mov eax, dword ptr fs:[00000030h]
0_2_02990098
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02992493 mov eax, dword ptr fs:[00000030h]
0_2_02992493
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02990EBD mov eax, dword ptr fs:[00000030h]
0_2_02990EBD
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_0298B8DD mov eax, dword ptr fs:[00000030h]
0_2_0298B8DD
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Code function: 0_2_02993C74 RtlAddVectoredExceptionHandler
0_2_02993C74
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp
Binary or memory string: Program Manager
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp
Binary or memory string: Shell_TrayWnd
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp
Binary or memory string: Progman
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp
Binary or memory string: Progmanlock