Source: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1V_BC3orZyo_Cje"}
Source: Transferencia_29_11_2021 17.03.39.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Malware configuration extractor
URLs: https://drive.google.com/uc?export=download&id=1V_BC3orZyo_Cje
Source: Transferencia_29_11_2021 17.03.39.exe
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Transferencia_29_11_2021 17.03.39.exe
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Transferencia_29_11_2021 17.03.39.exe
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Transferencia_29_11_2021 17.03.39.exe
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Transferencia_29_11_2021 17.03.39.exe
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Transferencia_29_11_2021 17.03.39.exe
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Transferencia_29_11_2021 17.03.39.exe
String found in binary or memory: http://ocsp.digicert.com0C
Source: Transferencia_29_11_2021 17.03.39.exe
String found in binary or memory: http://ocsp.digicert.com0O
Source: Transferencia_29_11_2021 17.03.39.exe
String found in binary or memory: http://www.digicert.com/CPS0
Source: Transferencia_29_11_2021 17.03.39.exe
String found in binary or memory: https://www.digicert.com/CPS0
Source: initial sample
Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: Transferencia_29_11_2021 17.03.39.exe
Static PE information: invalid certificate
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020FD800 NtAllocateVirtualMemory, 0_2_020FD800
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020FD025 NtAllocateVirtualMemory, 0_2_020FD025
Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.883074798.0000000002AA0000.00000004.00000001.sdmp
Binary or memory string: OriginalFilenameoutrunner.exeFE2XU vs Transferencia_29_11_2021 17.03.39.exe
Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000000.357361914.0000000000424000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameoutrunner.exe vs Transferencia_29_11_2021 17.03.39.exe
Source: Transferencia_29_11_2021 17.03.39.exe
Binary or memory string: OriginalFilenameoutrunner.exe vs Transferencia_29_11_2021 17.03.39.exe
Source: Transferencia_29_11_2021 17.03.39.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_02106751
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020FD800
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020FD2A9
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020F177F
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_02104B64
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020F97F8
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020FD025
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_021048F5
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_021035B4
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020FE1A3
Source: Transferencia_29_11_2021 17.03.39.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine
Classification label: mal68.rans.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372
Source: Yara match
File source: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_00404857 push cs; ret 0_2_00404858
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_00405D21 push E5BAE958h; ret 0_2_00405D26
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020FD800 push ds; iretd 0_2_020FE17E
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020F0A0B push es; retf 29E3h 0_2_020FFBC8
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020F4170 push ds; iretd 0_2_020F4171
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020FCF30 rdtsc 0_2_020FCF30
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_02104B64 mov eax, dword ptr fs:[00000030h] 0_2_02104B64
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_021027CD mov eax, dword ptr fs:[00000030h] 0_2_021027CD
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_020FC46B mov eax, dword ptr fs:[00000030h] 0_2_020FC46B
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_02103111 mov eax, dword ptr fs:[00000030h] 0_2_02103111
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
Code function: 0_2_02106751 RtlAddVectoredExceptionHandler, 0_2_02106751
Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.882623015.0000000000C80000.00000002.00020000.sdmp
Binary or memory string: Shell_TrayWnd
Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.882623015.0000000000C80000.00000002.00020000.sdmp
Binary or memory string: Progman
Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.882623015.0000000000C80000.00000002.00020000.sdmp
Binary or memory string: &Program Manager
Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.882623015.0000000000C80000.00000002.00020000.sdmp
Binary or memory string: Progmanlock