Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.20966.21933

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware2.20966.21933 (renamed file extension from 21933 to exe)
Analysis ID:	634648
MD5:	64d7de9ac600402c1f3e5b9849cbd12c
SHA1:	961f113b32ce2f0958ec5fcccf5489524cf30348
SHA256:	da36f8024e0a8b325dbd71aceed611d0cc8000af85346ceea1bd2a2cf1a73eb6
Tags:	exe
Infos:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Contains capabilities to detect virtual machines

Detected potential crypto function

PE / OLE file has an invalid certificate

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.912152970.00000000028F0000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Virustotal: Detection: 7%

Perma Link

Source: Lib.Platform.Windows.Native.dll.0.dr

Binary or memory string: -----BEGIN PUBLIC KEY-----

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.0.dr
Source:	Binary string: System.Net.Http.pdb source: System.Net.Http.dll.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: SourceCodePro-Medium.otf.0.dr	String found in binary or memory: http://scripts.sil.org/OFLSource
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://www.nero.com
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: NMDllHost.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: NMDllHost.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0D

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056DE

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameathcfg10.dll vs SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

PE file contains strange resources

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_72971BFF	0_2_72971BFF

PE / OLE file has an invalid certificate

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: invalid certificate

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Virustotal: Detection: 7%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

0_2_0040352D

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File created: C:\Users\user\AppData\Local\Temp\nssBB48.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File written: C:\Users\user\AppData\Local\Temp\Bolson210.ini

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/16@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: System.Net.Http.dll.0.dr, System.Net.Http/StreamContent.cs	Task registration methods: 'CreateContentReadStreamAsync'
Source: System.Net.Http.dll.0.dr, System.Net.Http/HttpContent.cs	Task registration methods: 'CreateContentReadStreamAsync', 'CreateCompletedTask'
Source: System.Net.Http.dll.0.dr, System.Net.Http/ByteArrayContent.cs	Task registration methods: 'CreateContentReadStreamAsync'

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.0.dr
Source:	Binary string: System.Net.Http.pdb source: System.Net.Http.dll.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.912152970.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 0_2_729730C0 push eax; ret

0_2_729730EE

PE file contains sections with non-standard names

Source: NMDllHost.exe.0.dr

Static PE information: section name: .shared

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 0_2_72971BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_72971BFF

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\athcfg20U.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\nsaD009.tmp\System.dll	Jump to dropped file

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

RDTSC instruction interceptor: First address: 00000000028F2951 second address: 00000000028F2951 instructions: 0x00000000 rdtsc 0x00000002 cmp ch, 0000007Bh 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FF8E8A3AB5Fh 0x00000009 test ch, 0000000Ch 0x0000000c inc ebp 0x0000000d test dx, dx 0x00000010 inc ebx 0x00000011 test edx, ecx 0x00000013 rdtsc

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File opened / queried: C:\Users\user\AppData\Local\Temp\vmmemctl.inf

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\athcfg20U.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	API call chain: ExitProcess graph end node

Source: vmmemctl.inf.0.dr	Binary or memory string: loc.Disk1 = "VMMemCtl Source Media"
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.DriverFiles]
Source: vmmemctl.inf.0.dr	Binary or memory string: DriverPackageDisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.0.dr	Binary or memory string: loc.VMMemCtlServiceDisplayName = "Memory Control Driver"
Source: vmmemctl.inf.0.dr	Binary or memory string: DelService = %VMMemCtlServiceName%,0x204
Source: vmmemctl.inf.0.dr	Binary or memory string: CatalogFile = vmmemctl.cat
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.Service]
Source: vmmemctl.inf.0.dr	Binary or memory string: vmmemctl.sys
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.AddRegistry]
Source: vmmemctl.inf.0.dr	Binary or memory string: VMwareProvider = "VMware, Inc."
Source: vmmemctl.inf.0.dr	Binary or memory string: ServiceBinary = %12%\vmmemctl.sys ;%windir%\system32\drivers\vmmemctl.sys
Source: vmmemctl.inf.0.dr	Binary or memory string: DisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.0.dr	Binary or memory string: DelFiles = VMMemCtl.DriverFiles
Source: vmmemctl.inf.0.dr	Binary or memory string: CopyFiles = VMMemCtl.DriverFiles
Source: vmmemctl.inf.0.dr	Binary or memory string: AddReg = VMMemCtl.AddRegistry
Source: vmmemctl.inf.0.dr	Binary or memory string: DelReg = VMMemCtl.DelRegistry
Source: vmmemctl.inf.0.dr	Binary or memory string: VMMemCtlServiceName = "VMMemCtl"
Source: vmmemctl.inf.0.dr	Binary or memory string: OptionDesc = %loc.VMMemCtlServiceDesc%
Source: vmmemctl.inf.0.dr	Binary or memory string: vmmemctl.sys = 1
Source: vmmemctl.inf.0.dr	Binary or memory string: loc.VMMemCtlServiceDesc = "Driver to provide enhanced memory management of this virtual machine."
Source: vmmemctl.inf.0.dr	Binary or memory string: ; Copyright (c) 1999-2019 VMware, Inc. All rights reserved.
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.DelRegistry]
Source: vmmemctl.inf.0.dr	Binary or memory string: AddService = %VMMemCtlServiceName%,0x800,VMMemCtl.Service ; SPSVCINST_STARTSERVICE
Source: vmmemctl.inf.0.dr	Binary or memory string: ; vmmemctl.inf
Source: vmmemctl.inf.0.dr	Binary or memory string: Description = %loc.VMMemCtlServiceDesc%
Source: vmmemctl.inf.0.dr	Binary or memory string: Provider = %VMwareProvider%

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 0_2_72971BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_72971BFF

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

0_2_0040352D

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin	false		high

AV Detection

Found malware configuration

Source: 00000000.00000002.912152970.00000000028F0000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Virustotal: Detection: 7%

Perma Link

Source: Lib.Platform.Windows.Native.dll.0.dr

Binary or memory string: -----BEGIN PUBLIC KEY-----

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.0.dr
Source:	Binary string: System.Net.Http.pdb source: System.Net.Http.dll.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: SourceCodePro-Medium.otf.0.dr	String found in binary or memory: http://scripts.sil.org/OFLSource
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://www.nero.com
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: NMDllHost.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: NMDllHost.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0D

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

0_2_004056DE

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameathcfg10.dll vs SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

PE file contains strange resources

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

0_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_72971BFF	0_2_72971BFF

PE / OLE file has an invalid certificate

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: invalid certificate

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Virustotal: Detection: 7%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

0_2_0040352D

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File created: C:\Users\user\AppData\Local\Temp\nssBB48.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File written: C:\Users\user\AppData\Local\Temp\Bolson210.ini

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/16@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: System.Net.Http.dll.0.dr, System.Net.Http/StreamContent.cs	Task registration methods: 'CreateContentReadStreamAsync'
Source: System.Net.Http.dll.0.dr, System.Net.Http/HttpContent.cs	Task registration methods: 'CreateContentReadStreamAsync', 'CreateCompletedTask'
Source: System.Net.Http.dll.0.dr, System.Net.Http/ByteArrayContent.cs	Task registration methods: 'CreateContentReadStreamAsync'

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.0.dr
Source:	Binary string: System.Net.Http.pdb source: System.Net.Http.dll.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.912152970.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 0_2_729730C0 push eax; ret

0_2_729730EE

PE file contains sections with non-standard names

Source: NMDllHost.exe.0.dr

Static PE information: section name: .shared

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 0_2_72971BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_72971BFF

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\athcfg20U.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\nsaD009.tmp\System.dll	Jump to dropped file

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File opened / queried: C:\Users\user\AppData\Local\Temp\vmmemctl.inf

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\athcfg20U.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	API call chain: ExitProcess graph end node

Source: vmmemctl.inf.0.dr	Binary or memory string: loc.Disk1 = "VMMemCtl Source Media"
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.DriverFiles]
Source: vmmemctl.inf.0.dr	Binary or memory string: DriverPackageDisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.0.dr	Binary or memory string: loc.VMMemCtlServiceDisplayName = "Memory Control Driver"
Source: vmmemctl.inf.0.dr	Binary or memory string: DelService = %VMMemCtlServiceName%,0x204
Source: vmmemctl.inf.0.dr	Binary or memory string: CatalogFile = vmmemctl.cat
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.Service]
Source: vmmemctl.inf.0.dr	Binary or memory string: vmmemctl.sys
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.AddRegistry]
Source: vmmemctl.inf.0.dr	Binary or memory string: VMwareProvider = "VMware, Inc."
Source: vmmemctl.inf.0.dr	Binary or memory string: ServiceBinary = %12%\vmmemctl.sys ;%windir%\system32\drivers\vmmemctl.sys
Source: vmmemctl.inf.0.dr	Binary or memory string: DisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.0.dr	Binary or memory string: DelFiles = VMMemCtl.DriverFiles
Source: vmmemctl.inf.0.dr	Binary or memory string: CopyFiles = VMMemCtl.DriverFiles
Source: vmmemctl.inf.0.dr	Binary or memory string: AddReg = VMMemCtl.AddRegistry
Source: vmmemctl.inf.0.dr	Binary or memory string: DelReg = VMMemCtl.DelRegistry
Source: vmmemctl.inf.0.dr	Binary or memory string: VMMemCtlServiceName = "VMMemCtl"
Source: vmmemctl.inf.0.dr	Binary or memory string: OptionDesc = %loc.VMMemCtlServiceDesc%
Source: vmmemctl.inf.0.dr	Binary or memory string: vmmemctl.sys = 1
Source: vmmemctl.inf.0.dr	Binary or memory string: loc.VMMemCtlServiceDesc = "Driver to provide enhanced memory management of this virtual machine."
Source: vmmemctl.inf.0.dr	Binary or memory string: ; Copyright (c) 1999-2019 VMware, Inc. All rights reserved.
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.DelRegistry]
Source: vmmemctl.inf.0.dr	Binary or memory string: AddService = %VMMemCtlServiceName%,0x800,VMMemCtl.Service ; SPSVCINST_STARTSERVICE
Source: vmmemctl.inf.0.dr	Binary or memory string: ; vmmemctl.inf
Source: vmmemctl.inf.0.dr	Binary or memory string: Description = %loc.VMMemCtlServiceDesc%
Source: vmmemctl.inf.0.dr	Binary or memory string: Provider = %VMwareProvider%

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 0_2_72971BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_72971BFF

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

0_2_0040352D

ID:	634648
Product:	CloudBasic
Start time:	15:44:13
Start date:	26.05.2022
Sample:	SecuriteInfo.com.W32.AIDetect.malware2.20966.21933
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	64d7de9ac600402c1f3e5b9849cbd12c
SHA1:	961f113b32ce2f0958ec5fcccf5489524cf30348
SHA256:	da36f8024e0a8b325dbd71aceed611d0cc8000af85346ceea1bd2a2cf1a73eb6
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Bolson210.ini	ASCII text, with CRLF line terminators	D5E9EF9561789A05AFB528A1E6C7D9B7	B2C92096EE4103A58B41A0754F2E1F1BB823392C	8D2AE334DCB01E0A5EE1F9CA0689E68743E851B96E48A75ED5E20515D03D7FF5
C:\Users\user\AppData\Local\Temp\Efterkommelserne.lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide	B72A15FCF169B17EF75614082A0E692F	70A6565C47FD468711002EF46D6957684299422D	6268FF1957A7EE405135802328B6A1EEA3D8152CD0596E7F30DF788152FB4D61
C:\Users\user\AppData\Local\Temp\GooCanvas-3.0.typelib	HTML document, ASCII text, with CRLF line terminators	5343C1A8B203C162A3BF3870D9F50FD4	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	232371076A23379753EB776CF06FBE5D	6A5EA5D44E555AD392725E5AC3D80AF0137386E9	5940F9D18B9439ECBFCD6EDC60563D6F56623D03F09EAFA786C436185EF156BB
C:\Users\user\AppData\Local\Temp\NMDllHost.exe	PE32 executable (GUI) Intel 80386, for MS Windows	DBF787BD6E5CE77FB34FF281A144EB96	50B7799ECCA566BE35429828245D44CB04AD8885	CCBACEEA04837229C95C08274C747ABE069279AFB990DDD89EC743C42ADC0AD9
C:\Users\user\AppData\Local\Temp\Nonarguable.JAP	data	783896AB4BF80A78F5D6EF8CD5E67835	46C7FAB858B604A8CF50FE0F6612152A0D6743CA	49B6243080ED1C14B192FA5D7D9FC04C8A9992AD81E088C4B58B4934877F4618
C:\Users\user\AppData\Local\Temp\SourceCodePro-Medium.otf	OpenType font data	75D305F30919530A2C49AC362D2E2D34	B9EE4ACF9AC299FCADC4A074AEA0C0FD7888AA1D	CF5676ADA0FF425860EE60E3EE7AC4091C568D9FD9E3562D4BC7F06D5A78AD15
C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	DA9015DF320DCC2EDDEE493E20F639BA	5732E5722D2CB5A668ABC19AED6434852D0A4FC8	2294EBB89E749E7145628164913251B563EA6641A6CD1AE03FBCE55DA43F9B17
C:\Users\user\AppData\Local\Temp\athcfg20U.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	96CF937BBA21CB4D3203E15246837AE9	08B9BF57F8942CA98077B62BB0DBA0BD0AF2C952	398185CE130D689D5D2B2C3F179F540715F030D91246C876675E84456F1BA488
C:\Users\user\AppData\Local\Temp\audio-volume-high.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	5CE69BDF1125A922B6ED1FE28DCAF92B	10C925FAD32D7071A3D96608FD1A04ECDA1B4820	0537CF9335394EA509ED23021DAA44F781D380FEAA3947B9DD31C290BE706E1A
C:\Users\user\AppData\Local\Temp\battery-level-10-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	EBBCB008023C6C1B4EFAB0774A4BB19E	7C657C976D7D728E9D6D8F6A603F50B42D86C321	5FD17A236AF8B520DB2E34E44E71C3634CB8221E0A27617E522ECB8D0FF8EFF8
C:\Users\user\AppData\Local\Temp\edit-clear-rtl.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	0D948AEE5693D469DA3F0DCC0FCC009D	61A9DA78E129B3A98855E54F837025CA20DF8017	85D3314527708E953C393ABE52AD6A7AD63BDA7A31353CE0380CC775AA781A6F
C:\Users\user\AppData\Local\Temp\farme.Fej5	ASCII text, with very long lines, with no line terminators	B067370FD071B16223FA8E1E5A1474EE	4460E6972EE4AEC56907FC10879ED2616E10409A	57197A007044FBC9E7EE63D5C69291EF7A6241C9A71EFAC545C02D18966BFD7C
C:\Users\user\AppData\Local\Temp\network-wireless-hotspot-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	D8FFE7BA5669DE024607E64126DDFFEC	D1993BB12041E4C3F7CF45AFB2DBCFB74A544C0D	2A6FD48DE810DE4BD61BD26DDAECCB6C6C9204CB4D213EBE1ACB560054911CDD
C:\Users\user\AppData\Local\Temp\nsaD009.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\vmmemctl.inf	ASCII text, with CRLF line terminators	4BCE488F7C4E00ED71170C7D0A593663	F49F1FD072D650A8A5DD1F026E003CEE85420BC8	17365C633230CD05375125AA6C710B76900E2B93D87D14E1F9F2338C3B3BEA1A

Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.20966.21933

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware2.20966.21933

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.20966.21933