Windows Analysis Report
EPAYMENT.COM

Overview

General Information

Sample Name:	EPAYMENT.COM (renamed file extension from COM to exe)
Analysis ID:	624181
MD5:	9811d64e29ef53e107f9379526cfd338
SHA1:	b6e84580f902a0c3d3f77748a2a027c9fe42db68
SHA256:	e94bcf64e3affd0a755df05fc1f8c7fba1fb98303e433edff4d98f75d1e4fdf8
Tags:	exe
Infos:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

Tries to detect virtualization through RDTSC time measurements

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

PE / OLE file has an invalid certificate

PE file contains more sections than normal

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.772889154.000000000329F000.00000040.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exe"}

Multi AV Scanner detection for submitted file

Source: EPAYMENT.exe

ReversingLabs: Detection: 17%

Uses 32bit PE files

Source: EPAYMENT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: EPAYMENT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\_GC3\SC\GC3.Service\GC3.Service.AppServiceBridge\GC3.Service.AppServiceBridge\obj\Release\ArmouryCrate.AppServiceBridge.pdb source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr
Source:	Binary string: C:\Builds\78\N2\HO_NBR_g_2016_r_2016\Sources\NeroCMD\src\Release\NeroCmd.pdb source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr

Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exe

Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: audio-x-generic.png.0.dr	String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: EPAYMENT.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: EPAYMENT.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: EPAYMENT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: EPAYMENT.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://s.symcd.com06
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: NeroCmd.exe.0.dr	String found in binary or memory: http://www.nero.com
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: NeroCmd.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: EPAYMENT.exe	String found in binary or memory: https://sectigo.com/CPS0D
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405809

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: EPAYMENT.exe

Executable has a suspicious name (potential lure to open the executable)

Source: EPAYMENT.exe

Static file information: Suspicious name

Uses 32bit PE files

Source: EPAYMENT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Sample file is different than original file name gathered from version info

Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArmouryCrate.AppServiceBridge.exeZ vs EPAYMENT.exe
Source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNeroCMD.exe vs EPAYMENT.exe

PE file contains strange resources

Source: EPAYMENT.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403640

Detected potential crypto function

Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 0_2_00406D5F		0_2_00406D5F
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 0_2_6DC81BFF		0_2_6DC81BFF

PE / OLE file has an invalid certificate

Source: EPAYMENT.exe

Static PE information: invalid certificate

PE file contains more sections than normal

Source: libtclsqlite3.dll.0.dr

Static PE information: Number of sections : 19 > 10

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\EPAYMENT.exe

Process Stats: CPU usage > 98%

Source: EPAYMENT.exe

ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\EPAYMENT.exe

File read: C:\Users\user\Desktop\EPAYMENT.exe

Jump to behavior

Source: EPAYMENT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EPAYMENT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\EPAYMENT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\EPAYMENT.exe

0_2_00403640

Source: C:\Users\user\Desktop\EPAYMENT.exe

File created: C:\Users\user\AppData\Local\Temp\nslA01.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/9@0/0

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\EPAYMENT.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404AB5

Source: EPAYMENT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\_GC3\SC\GC3.Service\GC3.Service.AppServiceBridge\GC3.Service.AppServiceBridge\obj\Release\ArmouryCrate.AppServiceBridge.pdb source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.0.dr
Source:	Binary string: C:\Builds\78\N2\HO_NBR_g_2016_r_2016\Sources\NeroCMD\src\Release\NeroCmd.pdb source: EPAYMENT.exe, 00000000.00000002.772633935.000000000299F000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.772889154.000000000329F000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 0_2_6DC830C0 push eax; ret

0_2_6DC830EE

PE file contains sections with non-standard names

Source: NeroCmd.exe.0.dr	Static PE information: section name: .shared
Source: libtclsqlite3.dll.0.dr	Static PE information: section name: .xdata
Source: libtclsqlite3.dll.0.dr	Static PE information: section name: /4
Source: libtclsqlite3.dll.0.dr	Static PE information: section name: /19
Source: libtclsqlite3.dll.0.dr	Static PE information: section name: /31
Source: libtclsqlite3.dll.0.dr	Static PE information: section name: /45
Source: libtclsqlite3.dll.0.dr	Static PE information: section name: /57
Source: libtclsqlite3.dll.0.dr	Static PE information: section name: /70
Source: libtclsqlite3.dll.0.dr	Static PE information: section name: /81
Source: libtclsqlite3.dll.0.dr	Static PE information: section name: /92

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 0_2_6DC81BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6DC81BFF

Drops PE files

Source: C:\Users\user\Desktop\EPAYMENT.exe	File created: C:\Users\user\AppData\Local\Temp\libtclsqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe	File created: C:\Users\user\AppData\Local\Temp\nsfA31.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe	File created: C:\Users\user\AppData\Local\Temp\nsfA31.tmp\LangDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe	File created: C:\Users\user\AppData\Local\Temp\ArmouryCrate.AppServiceBridge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe	File created: C:\Users\user\AppData\Local\Temp\NeroCmd.exe	Jump to dropped file

Source: C:\Users\user\Desktop\EPAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EPAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EPAYMENT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\EPAYMENT.exe

RDTSC instruction interceptor: First address: 000000000329FC9C second address: 000000000329FC9C instructions: 0x00000000 rdtsc 0x00000002 cmp ch, 0000000Ch 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F7B30D53845h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b cmp ecx, ebx 0x0000000d rdtsc

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\EPAYMENT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libtclsqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ArmouryCrate.AppServiceBridge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NeroCmd.exe	Jump to dropped file

Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\EPAYMENT.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\EPAYMENT.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\EPAYMENT.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 0_2_6DC81BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6DC81BFF

Source: C:\Users\user\Desktop\EPAYMENT.exe

0_2_00403640

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exe	false		high

ID:	624181
Product:	CloudBasic
Start time:	10:16:05
Start date:	11.05.2022
Sample:	EPAYMENT.COM
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	9811d64e29ef53e107f9379526cfd338
SHA1:	b6e84580f902a0c3d3f77748a2a027c9fe42db68
SHA256:	e94bcf64e3affd0a755df05fc1f8c7fba1fb98303e433edff4d98f75d1e4fdf8
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\ArmouryCrate.AppServiceBridge.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	19E44C0A8284EFB1E82BD1BB2ACC8EB1	1321814D12BA3FB035071BFB036F762E14824A85	80F180CEC8BB6E524E7A3D5B9858020AF99869EDABFAD1F594A62DD246F1194E
C:\Users\user\AppData\Local\Temp\NeroCmd.exe	PE32 executable (console) Intel 80386, for MS Windows	D74AB8F08D67A289D01DEFC064BFCDA9	FD407C22AE7E90CA599A5B6150AD2E256750400F	FC26BCD62EDF699C82D67A354F223430F9CD9844189A0933D3402A2BAC4C2005
C:\Users\user\AppData\Local\Temp\Nysene7.Bru4	data	BA4672E4475BDC8152DBD5DF6605682C	A808B14BC9935E47495E721B75B0241E84084769	73C68FE84E10437CEF3CB3E7159CB81913E622FCAA04A3D5A8751DEBAF70881B
C:\Users\user\AppData\Local\Temp\audio-x-generic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	CA015E7C4B05BD9FB87AF3772AD92E5C	E31B3BF7D29D3185FCE5A5E36D54DD804FB74564	F7C132E53160C6A7CC9A79CB74DCCC3762C4A96BB4987B6E1A8755A270905976
C:\Users\user\AppData\Local\Temp\camera-photo.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	649C9AB161501E1AA88B3D32C4F71023	A916E4161B6A0F11F0DA539EEEF4513E5FB08FE2	D69CFE54FF9E3249DA241654FFA768D23E52297E7459FE61662C4129850D16AF
C:\Users\user\AppData\Local\Temp\libtclsqlite3.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	97F6D21CE726247E03A03D7F03D0A847	4D94D170078B3422E410D5E6DE3DCA74CB7E6457	9E81CE570879BC87D332989561234AD5BB8BDA62D30A320A76A4373863BF6012
C:\Users\user\AppData\Local\Temp\list-drag-handle-symbolic.svg	SVG Scalable Vector Graphics image	1BA333F3E126D8A83CA3C6FCFB71FBC8	D54F87C1937D6A08455C903B4E60F6B390A9C583	7DEC55F99B6FA48395B801EDE687C47330E79C4045F48B7AF673FB259F29FF32
C:\Users\user\AppData\Local\Temp\nsfA31.tmp\LangDLL.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	68B287F4067BA013E34A1339AFDB1EA8	45AD585B3CC8E5A6AF7B68F5D8269C97992130B3	18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026
C:\Users\user\AppData\Local\Temp\nsfA31.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8

Windows Analysis Report
EPAYMENT.COM

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report EPAYMENT.COM

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report
EPAYMENT.COM