Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.23037.17205

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware2.23037.17205 (renamed file extension from 17205 to exe)
Analysis ID:	634855
MD5:	be43b751bd103fe5a64b4e0aa7a30060
SHA1:	ab293504fe7636c3cfc74718973bbd1cbca05fb4
SHA256:	87eefb05fd8c133f8a0059e1bc695f652a2f7b0c297386d7a08fb37bdb76009b
Tags:	exe
Infos:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Contains capabilities to detect virtual machines

Detected potential crypto function

PE / OLE file has an invalid certificate

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.788288277.0000000002980000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/963535165500588126/979423160845869128/nanoexp_bWgaxBaEn43.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Virustotal: Detection: 10%

Perma Link

Source: Lib.Platform.Windows.Native.dll.0.dr

Binary or memory string: -----BEGIN PUBLIC KEY-----

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.0.dr
Source:	Binary string: System.Net.Http.pdb source: System.Net.Http.dll.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://cdn.discordapp.com/attachments/963535165500588126/979423160845869128/nanoexp_bWgaxBaEn43.bin

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: SourceCodePro-Medium.otf.0.dr	String found in binary or memory: http://scripts.sil.org/OFLSource
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://www.nero.com
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: NMDllHost.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: NMDllHost.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0D

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056DE

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameathcfg10.dll vs SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

PE file contains strange resources

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_6EE21BFF	0_2_6EE21BFF

PE / OLE file has an invalid certificate

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: invalid certificate

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Virustotal: Detection: 10%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

0_2_0040352D

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

File created: C:\Users\user\AppData\Local\Temp\nsgF936.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

File written: C:\Users\user\AppData\Local\Temp\Bolson210.ini

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/16@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: System.Net.Http.dll.0.dr, System.Net.Http/StreamContent.cs	Task registration methods: 'CreateContentReadStreamAsync'
Source: System.Net.Http.dll.0.dr, System.Net.Http/HttpContent.cs	Task registration methods: 'CreateContentReadStreamAsync', 'CreateCompletedTask'
Source: System.Net.Http.dll.0.dr, System.Net.Http/ByteArrayContent.cs	Task registration methods: 'CreateContentReadStreamAsync'

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.0.dr
Source:	Binary string: System.Net.Http.pdb source: System.Net.Http.dll.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.788288277.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Code function: 0_2_6EE230C0 push eax; ret

0_2_6EE230EE

PE file contains sections with non-standard names

Source: NMDllHost.exe.0.dr

Static PE information: section name: .shared

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Code function: 0_2_6EE21BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6EE21BFF

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	File created: C:\Users\user\AppData\Local\Temp\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	File created: C:\Users\user\AppData\Local\Temp\athcfg20U.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	File created: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	File created: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	File created: C:\Users\user\AppData\Local\Temp\nseEF1.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

RDTSC instruction interceptor: First address: 0000000002982D17 second address: 0000000002982D17 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, ch 0x00000004 cmp eax, ecx 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F84A8A793C6h 0x0000000a test esi, 017A4494h 0x00000010 cmp cx, dx 0x00000013 inc ebp 0x00000014 cmp cx, 50A7h 0x00000019 inc ebx 0x0000001a test ebx, edx 0x0000001c rdtsc

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

File opened / queried: C:\Users\user\AppData\Local\Temp\vmmemctl.inf

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\athcfg20U.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: vmmemctl.inf.0.dr	Binary or memory string: loc.Disk1 = "VMMemCtl Source Media"
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.DriverFiles]
Source: vmmemctl.inf.0.dr	Binary or memory string: DriverPackageDisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.0.dr	Binary or memory string: loc.VMMemCtlServiceDisplayName = "Memory Control Driver"
Source: vmmemctl.inf.0.dr	Binary or memory string: DelService = %VMMemCtlServiceName%,0x204
Source: vmmemctl.inf.0.dr	Binary or memory string: CatalogFile = vmmemctl.cat
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.Service]
Source: vmmemctl.inf.0.dr	Binary or memory string: vmmemctl.sys
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.AddRegistry]
Source: vmmemctl.inf.0.dr	Binary or memory string: VMwareProvider = "VMware, Inc."
Source: vmmemctl.inf.0.dr	Binary or memory string: ServiceBinary = %12%\vmmemctl.sys ;%windir%\system32\drivers\vmmemctl.sys
Source: vmmemctl.inf.0.dr	Binary or memory string: DisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.0.dr	Binary or memory string: DelFiles = VMMemCtl.DriverFiles
Source: vmmemctl.inf.0.dr	Binary or memory string: CopyFiles = VMMemCtl.DriverFiles
Source: vmmemctl.inf.0.dr	Binary or memory string: AddReg = VMMemCtl.AddRegistry
Source: vmmemctl.inf.0.dr	Binary or memory string: DelReg = VMMemCtl.DelRegistry
Source: vmmemctl.inf.0.dr	Binary or memory string: VMMemCtlServiceName = "VMMemCtl"
Source: vmmemctl.inf.0.dr	Binary or memory string: OptionDesc = %loc.VMMemCtlServiceDesc%
Source: vmmemctl.inf.0.dr	Binary or memory string: vmmemctl.sys = 1
Source: vmmemctl.inf.0.dr	Binary or memory string: loc.VMMemCtlServiceDesc = "Driver to provide enhanced memory management of this virtual machine."
Source: vmmemctl.inf.0.dr	Binary or memory string: ; Copyright (c) 1999-2019 VMware, Inc. All rights reserved.
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.DelRegistry]
Source: vmmemctl.inf.0.dr	Binary or memory string: AddService = %VMMemCtlServiceName%,0x800,VMMemCtl.Service ; SPSVCINST_STARTSERVICE
Source: vmmemctl.inf.0.dr	Binary or memory string: ; vmmemctl.inf
Source: vmmemctl.inf.0.dr	Binary or memory string: Description = %loc.VMMemCtlServiceDesc%
Source: vmmemctl.inf.0.dr	Binary or memory string: Provider = %VMwareProvider%

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Code function: 0_2_6EE21BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6EE21BFF

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

0_2_0040352D

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

Found malware configuration

Source: 00000000.00000002.788288277.0000000002980000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/963535165500588126/979423160845869128/nanoexp_bWgaxBaEn43.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Virustotal: Detection: 10%

Perma Link

Source: Lib.Platform.Windows.Native.dll.0.dr

Binary or memory string: -----BEGIN PUBLIC KEY-----

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.0.dr
Source:	Binary string: System.Net.Http.pdb source: System.Net.Http.dll.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://cdn.discordapp.com/attachments/963535165500588126/979423160845869128/nanoexp_bWgaxBaEn43.bin

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: SourceCodePro-Medium.otf.0.dr	String found in binary or memory: http://scripts.sil.org/OFLSource
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://www.nero.com
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: NMDllHost.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: NMDllHost.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: NMDllHost.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Lib.Platform.Windows.Native.dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0D

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

0_2_004056DE

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameathcfg10.dll vs SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

PE file contains strange resources

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

0_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_6EE21BFF	0_2_6EE21BFF

PE / OLE file has an invalid certificate

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: invalid certificate

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Virustotal: Detection: 10%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

0_2_0040352D

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

File created: C:\Users\user\AppData\Local\Temp\nsgF936.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

File written: C:\Users\user\AppData\Local\Temp\Bolson210.ini

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/16@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: System.Net.Http.dll.0.dr, System.Net.Http/StreamContent.cs	Task registration methods: 'CreateContentReadStreamAsync'
Source: System.Net.Http.dll.0.dr, System.Net.Http/HttpContent.cs	Task registration methods: 'CreateContentReadStreamAsync', 'CreateCompletedTask'
Source: System.Net.Http.dll.0.dr, System.Net.Http/ByteArrayContent.cs	Task registration methods: 'CreateContentReadStreamAsync'

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.0.dr
Source:	Binary string: System.Net.Http.pdb source: System.Net.Http.dll.0.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.788288277.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Code function: 0_2_6EE230C0 push eax; ret

0_2_6EE230EE

PE file contains sections with non-standard names

Source: NMDllHost.exe.0.dr

Static PE information: section name: .shared

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Code function: 0_2_6EE21BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6EE21BFF

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	File created: C:\Users\user\AppData\Local\Temp\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	File created: C:\Users\user\AppData\Local\Temp\athcfg20U.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	File created: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	File created: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	File created: C:\Users\user\AppData\Local\Temp\nseEF1.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

File opened / queried: C:\Users\user\AppData\Local\Temp\vmmemctl.inf

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\athcfg20U.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: vmmemctl.inf.0.dr	Binary or memory string: loc.Disk1 = "VMMemCtl Source Media"
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.DriverFiles]
Source: vmmemctl.inf.0.dr	Binary or memory string: DriverPackageDisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.0.dr	Binary or memory string: loc.VMMemCtlServiceDisplayName = "Memory Control Driver"
Source: vmmemctl.inf.0.dr	Binary or memory string: DelService = %VMMemCtlServiceName%,0x204
Source: vmmemctl.inf.0.dr	Binary or memory string: CatalogFile = vmmemctl.cat
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.Service]
Source: vmmemctl.inf.0.dr	Binary or memory string: vmmemctl.sys
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.AddRegistry]
Source: vmmemctl.inf.0.dr	Binary or memory string: VMwareProvider = "VMware, Inc."
Source: vmmemctl.inf.0.dr	Binary or memory string: ServiceBinary = %12%\vmmemctl.sys ;%windir%\system32\drivers\vmmemctl.sys
Source: vmmemctl.inf.0.dr	Binary or memory string: DisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.0.dr	Binary or memory string: DelFiles = VMMemCtl.DriverFiles
Source: vmmemctl.inf.0.dr	Binary or memory string: CopyFiles = VMMemCtl.DriverFiles
Source: vmmemctl.inf.0.dr	Binary or memory string: AddReg = VMMemCtl.AddRegistry
Source: vmmemctl.inf.0.dr	Binary or memory string: DelReg = VMMemCtl.DelRegistry
Source: vmmemctl.inf.0.dr	Binary or memory string: VMMemCtlServiceName = "VMMemCtl"
Source: vmmemctl.inf.0.dr	Binary or memory string: OptionDesc = %loc.VMMemCtlServiceDesc%
Source: vmmemctl.inf.0.dr	Binary or memory string: vmmemctl.sys = 1
Source: vmmemctl.inf.0.dr	Binary or memory string: loc.VMMemCtlServiceDesc = "Driver to provide enhanced memory management of this virtual machine."
Source: vmmemctl.inf.0.dr	Binary or memory string: ; Copyright (c) 1999-2019 VMware, Inc. All rights reserved.
Source: vmmemctl.inf.0.dr	Binary or memory string: [VMMemCtl.DelRegistry]
Source: vmmemctl.inf.0.dr	Binary or memory string: AddService = %VMMemCtlServiceName%,0x800,VMMemCtl.Service ; SPSVCINST_STARTSERVICE
Source: vmmemctl.inf.0.dr	Binary or memory string: ; vmmemctl.inf
Source: vmmemctl.inf.0.dr	Binary or memory string: Description = %loc.VMMemCtlServiceDesc%
Source: vmmemctl.inf.0.dr	Binary or memory string: Provider = %VMwareProvider%

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Code function: 0_2_6EE21BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6EE21BFF

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

0_2_0040352D

ID:	634855
Product:	CloudBasic
Start time:	22:45:06
Start date:	26.05.2022
Sample:	SecuriteInfo.com.W32.AIDetect.malware2.23037.17205
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	be43b751bd103fe5a64b4e0aa7a30060
SHA1:	ab293504fe7636c3cfc74718973bbd1cbca05fb4
SHA256:	87eefb05fd8c133f8a0059e1bc695f652a2f7b0c297386d7a08fb37bdb76009b
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Besoothe6.JOM	ASCII text, with very long lines, with no line terminators	E143614EC3566CC0867C1A4EAE6E985E	0CA1B86A24D7014849351E6241C398CCC38A9650	442D64BCDD603EF97BB1A122EEAB49940B3C2BC151F9661B60BEC5F2D16710A9
C:\Users\user\AppData\Local\Temp\Bolson210.ini	ASCII text, with CRLF line terminators	D5E9EF9561789A05AFB528A1E6C7D9B7	B2C92096EE4103A58B41A0754F2E1F1BB823392C	8D2AE334DCB01E0A5EE1F9CA0689E68743E851B96E48A75ED5E20515D03D7FF5
C:\Users\user\AppData\Local\Temp\Efterkommelserne.lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide	44F7C2AD51604A8769FFA4A6B0039EA2	7333C6D0B7BB245BAA1022434CFAA23171D020FA	E4B126946EDB0CC4E4C446D65932B0753730FD81A139801D3411B3CCCBE3B726
C:\Users\user\AppData\Local\Temp\GooCanvas-3.0.typelib	HTML document, ASCII text, with CRLF line terminators	5343C1A8B203C162A3BF3870D9F50FD4	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	232371076A23379753EB776CF06FBE5D	6A5EA5D44E555AD392725E5AC3D80AF0137386E9	5940F9D18B9439ECBFCD6EDC60563D6F56623D03F09EAFA786C436185EF156BB
C:\Users\user\AppData\Local\Temp\NMDllHost.exe	PE32 executable (GUI) Intel 80386, for MS Windows	DBF787BD6E5CE77FB34FF281A144EB96	50B7799ECCA566BE35429828245D44CB04AD8885	CCBACEEA04837229C95C08274C747ABE069279AFB990DDD89EC743C42ADC0AD9
C:\Users\user\AppData\Local\Temp\SourceCodePro-Medium.otf	OpenType font data	75D305F30919530A2C49AC362D2E2D34	B9EE4ACF9AC299FCADC4A074AEA0C0FD7888AA1D	CF5676ADA0FF425860EE60E3EE7AC4091C568D9FD9E3562D4BC7F06D5A78AD15
C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	DA9015DF320DCC2EDDEE493E20F639BA	5732E5722D2CB5A668ABC19AED6434852D0A4FC8	2294EBB89E749E7145628164913251B563EA6641A6CD1AE03FBCE55DA43F9B17
C:\Users\user\AppData\Local\Temp\athcfg20U.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	96CF937BBA21CB4D3203E15246837AE9	08B9BF57F8942CA98077B62BB0DBA0BD0AF2C952	398185CE130D689D5D2B2C3F179F540715F030D91246C876675E84456F1BA488
C:\Users\user\AppData\Local\Temp\audio-volume-high.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	5CE69BDF1125A922B6ED1FE28DCAF92B	10C925FAD32D7071A3D96608FD1A04ECDA1B4820	0537CF9335394EA509ED23021DAA44F781D380FEAA3947B9DD31C290BE706E1A
C:\Users\user\AppData\Local\Temp\battery-level-10-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	EBBCB008023C6C1B4EFAB0774A4BB19E	7C657C976D7D728E9D6D8F6A603F50B42D86C321	5FD17A236AF8B520DB2E34E44E71C3634CB8221E0A27617E522ECB8D0FF8EFF8
C:\Users\user\AppData\Local\Temp\edit-clear-rtl.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	0D948AEE5693D469DA3F0DCC0FCC009D	61A9DA78E129B3A98855E54F837025CA20DF8017	85D3314527708E953C393ABE52AD6A7AD63BDA7A31353CE0380CC775AA781A6F
C:\Users\user\AppData\Local\Temp\network-wireless-hotspot-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	D8FFE7BA5669DE024607E64126DDFFEC	D1993BB12041E4C3F7CF45AFB2DBCFB74A544C0D	2A6FD48DE810DE4BD61BD26DDAECCB6C6C9204CB4D213EBE1ACB560054911CDD
C:\Users\user\AppData\Local\Temp\nseEF1.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\subpleural.BLG	data	ED3D19D00DB707AB5E556BE6E3F7E7ED	89B973BF2F6961DD736FA420E6506BCB665103E0	F1DCEA81AFBB3752B920E586A7C19927BB6D3C9051D133B863D5B5801E4098CD
C:\Users\user\AppData\Local\Temp\vmmemctl.inf	ASCII text, with CRLF line terminators	4BCE488F7C4E00ED71170C7D0A593663	F49F1FD072D650A8A5DD1F026E003CEE85420BC8	17365C633230CD05375125AA6C710B76900E2B93D87D14E1F9F2338C3B3BEA1A

Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.23037.17205

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware2.23037.17205

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.23037.17205