Source: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo8"} |
Source: DHL Express shipment notification.exe |
Virustotal: Detection: 25% |
Source: DHL Express shipment notification.exe |
ReversingLabs: Detection: 11% |
Source: DHL Express shipment notification.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=downlo8 |
Source: DHL Express shipment notification.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: DHL Express shipment notification.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: DHL Express shipment notification.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: DHL Express shipment notification.exe |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: DHL Express shipment notification.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: DHL Express shipment notification.exe |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: DHL Express shipment notification.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: DHL Express shipment notification.exe |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: DHL Express shipment notification.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: DHL Express shipment notification.exe |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: DHL Express shipment notification.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: DHL Express shipment notification.exe, 00000000.00000002.778676915.00000000020D0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameSlesk8.exeFE2XW vs DHL Express shipment notification.exe |
Source: DHL Express shipment notification.exe, 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe |
Source: DHL Express shipment notification.exe |
Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe |
Source: DHL Express shipment notification.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_021E6860 |
0_2_021E6860 |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_021DAA34 |
0_2_021DAA34 |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_021DDFFD |
0_2_021DDFFD |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_021E39E4 |
0_2_021E39E4 |
Source: DHL Express shipment notification.exe |
Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Process Stats: CPU usage > 98% |
Source: DHL Express shipment notification.exe |
Virustotal: Detection: 25% |
Source: DHL Express shipment notification.exe |
ReversingLabs: Detection: 11% |
Source: DHL Express shipment notification.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372 |
Source: classification engine |
Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0 |
Source: Yara match |
File source: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_00406464 push edx; iretd |
0_2_0040647C |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_0040A07F push ds; iretd |
0_2_0040A095 |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_004070A2 push 3E0AA415h; retf |
0_2_004070B7 |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_00403976 pushfd ; ret |
0_2_0040398B |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_021D26FB push eax; iretd |
0_2_021D26FC |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_021D4C6D push eax; iretd |
0_2_021D4C6F |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
RDTSC instruction interceptor: First address: 00000000021E3495 second address: 00000000021E3495 instructions:
0x00000000 rdtsc
0x00000002 mov eax, 36E14280h
0x00000007 xor eax, 7FA3071Ah
0x0000000c sub eax, F9689012h
0x00000011 sub eax, 4FD9B587h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F51E8F968F7h
0x0000001e lfence
0x00000021 mov edx, E407433Dh
0x00000026 add edx, 04D23EBAh
0x0000002c add edx, 3E86FD7Bh
0x00000032 xor edx, 589E7F66h
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d jmp 00007F51E8F968DDh
0x00000042 test cl, al
0x00000044 cmp al, 3Fh
0x00000046 test ch, ah
0x00000048 ret
0x00000049 jmp 00007F51E8F968E9h
0x0000004e test ebx, 2244023Eh
0x00000054 sub edx, esi
0x00000056 ret
0x00000057 add edi, edx
0x00000059 dec dword ptr [ebp+000000F8h]
0x0000005f test ecx, ebx
0x00000061 cmp dword ptr [ebp+000000F8h], 00000000h
0x00000068 jne 00007F51E8F967FAh
0x0000006a call 00007F51E8F96861h
0x0000006f call 00007F51E8F96918h
0x00000074 lfence
0x00000077 mov edx, E407433Dh
0x0000007c add edx, 04D23EBAh
0x00000082 add edx, 3E86FD7Bh
0x00000088 xor edx, 589E7F66h
0x0000008e mov edx, dword ptr [edx]
0x00000090 lfence
0x00000093 jmp 00007F51E8F968DDh
0x00000098 test cl, al
0x0000009a cmp al, 3Fh
0x0000009c test ch, ah
0x0000009e ret
0x0000009f mov esi, edx
0x000000a1 pushad
0x000000a2 rdtsc |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_021E3692 rdtsc |
0_2_021E3692 |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_021E1E86 mov eax, dword ptr fs:[00000030h] |
0_2_021E1E86 |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_021E2A85 mov eax, dword ptr fs:[00000030h] |
0_2_021E2A85 |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_021DCF89 mov eax, dword ptr fs:[00000030h] |
0_2_021DCF89 |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_021E3692 rdtsc |
0_2_021E3692 |
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe |
Code function: 0_2_021E6860 RtlAddVectoredExceptionHandler, |
0_2_021E6860 |
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp |
Binary or memory string: SProgram Managerl |
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd, |
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |