Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.5627.14109

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware2.5627.14109 (renamed file extension from 14109 to exe)
Analysis ID:	634994
MD5:	7f369d460c84146944c3c12bf83901af
SHA1:	29ea3441429d555ddfd0fd8d5973aab0f9ea2663
SHA256:	a5e095edbdf743431c5e866c01c3a592fc5a7ddf6bfb617d72f81181743adf3a
Tags:	exe
Infos:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

PE file does not import any functions

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Detected potential crypto function

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000001.00000002.898389983.0000000002BB7000.00000040.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://hustlecreate.com/a1/binned_SsGEV34.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Virustotal: Detection: 19%			Perma Link
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	ReversingLabs: Detection: 12%

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Hardheartedly12

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source:	Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\coinstaller\Win8Release\x64\bin\vm3dc003.pdb source: vm3dc003.dll.1.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://hustlecreate.com/a1/binned_SsGEV34.bin

Source: vm3dc003.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, uninstalla.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://sv.symcd.com0&
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://www.vmware.com/0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://www.vmware.com/0/
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: System.Runtime.CompilerServices.VisualC.dll.1.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: System.Runtime.CompilerServices.VisualC.dll.1.dr	String found in binary or memory: https://github.com/dotnet/runtimeBSJB
Source: vm3dc003.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: vm3dc003.dll.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Code function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_004056DE

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

PE file does not import any functions

Source: System.Runtime.CompilerServices.VisualC.dll.1.dr

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp

Binary or memory string: OriginalFilenamevm3dc003.dll> vs SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

PE file contains strange resources

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uninstalla.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_0040755C	1_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_00406D85	1_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_72D91BFF	1_2_72D91BFF

PE file contains executable resources (Code or Archives)

Source: System.Runtime.CompilerServices.VisualC.dll.1.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Virustotal: Detection: 19%
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	ReversingLabs: Detection: 12%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

1_2_0040352D

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

File created: C:\Users\user\AppData\Local\Temp\nse22A8.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

File written: C:\Users\user\AppData\Local\Temp\Exolve.ini

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/11@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Code function: 1_2_004021AA CoCreateInstance,

1_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_0040498A

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Hardheartedly12

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source:	Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\coinstaller\Win8Release\x64\bin\vm3dc003.pdb source: vm3dc003.dll.1.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.898389983.0000000002BB7000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

PE file contains an invalid checksum

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Static PE information: real checksum: 0x0 should be: 0xe7640
Source: System.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x3d68
Source: uninstalla.exe.1.dr	Static PE information: real checksum: 0x3f1bf6 should be: 0x4a8b4

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Code function: 1_2_72D930C0 push eax; ret

1_2_72D930EE

PE file contains sections with non-standard names

Source: vm3dc003.dll.1.dr	Static PE information: section name: .didat
Source: vm3dc003.dll.1.dr	Static PE information: section name: .gehcont
Source: vm3dc003.dll.1.dr	Static PE information: section name: _RDATA

Binary contains a suspicious time stamp

Source: System.Runtime.CompilerServices.VisualC.dll.1.dr

Static PE information: 0xC22B5F28 [Fri Mar 24 23:05:12 2073 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Code function: 1_2_72D91BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_72D91BFF

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	File created: C:\Users\user\AppData\Local\Temp\vm3dc003.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	File created: C:\Users\user\AppData\Local\Temp\uninstalla.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	File created: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	File created: C:\Users\user\AppData\Local\Temp\nse4A46.tmp\System.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (31).png

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

RDTSC instruction interceptor: First address: 0000000002C0515E second address: 0000000002C0515E instructions: 0x00000000 rdtsc 0x00000002 test bl, 00000001h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F80045A4ED7h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vm3dc003.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uninstalla.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	API call chain: ExitProcess graph end node

Source: vm3dc003.dll.1.dr	Binary or memory string: LegalCopyrightCopyright (C) 1998-2021 VMware, Inc.B
Source: vm3dc003.dll.1.dr	Binary or memory string: {4d36e968-e325-11ce-bfc1-08002be10318}SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}CoInstallers32SOFTWARE\Microsoft\Windows\CurrentVersion\RunVMware VM3DService ProcessRegDeleteValue failed (0x%lx).
Source: vm3dc003.dll.1.dr	Binary or memory string: noreply@vmware.com0
Source: vm3dc003.dll.1.dr	Binary or memory string: http://www.vmware.com/0
Source: vm3dc003.dll.1.dr	Binary or memory string: VMware, Inc.
Source: vm3dc003.dll.1.dr	Binary or memory string: dbghelp.dllSoftware\VMware, Inc.\VMware SVGADebugSearchPathBacktrace[%2d] rip=%p %s+%#x %s:%d
Source: vm3dc003.dll.1.dr	Binary or memory string: VMware, Inc.1!0
Source: vm3dc003.dll.1.dr	Binary or memory string: %s: VMToolsRegistry Not set.
Source: vm3dc003.dll.1.dr	Binary or memory string: FileDescriptionVMware SVGA 3D Coinstaller:
Source: vm3dc003.dll.1.dr	Binary or memory string: http://www.vmware.com/0/
Source: vm3dc003.dll.1.dr	Binary or memory string: Software\VMware, Inc.\VMware SVGA
Source: vm3dc003.dll.1.dr	Binary or memory string: VMware, Inc.1
Source: vm3dc003.dll.1.dr	Binary or memory string: VMware, Inc.0
Source: vm3dc003.dll.1.dr	Binary or memory string: ProductNameVMware SVGA 3D`
Source: vm3dc003.dll.1.dr	Binary or memory string: CompanyNameVMware, Inc.^

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Code function: 1_2_72D91BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_72D91BFF

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

1_2_0040352D

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://hustlecreate.com/a1/binned_SsGEV34.bin	true	Avira URL Cloud: safe	unknown

AV Detection

Found malware configuration

Source: 00000001.00000002.898389983.0000000002BB7000.00000040.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://hustlecreate.com/a1/binned_SsGEV34.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Virustotal: Detection: 19%			Perma Link
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	ReversingLabs: Detection: 12%

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Hardheartedly12

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source:	Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\coinstaller\Win8Release\x64\bin\vm3dc003.pdb source: vm3dc003.dll.1.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://hustlecreate.com/a1/binned_SsGEV34.bin

Source: vm3dc003.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, uninstalla.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://sv.symcd.com0&
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: vm3dc003.dll.1.dr	String found in binary or memory: http://www.vmware.com/0
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: http://www.vmware.com/0/
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp, vm3dc003.dll.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: System.Runtime.CompilerServices.VisualC.dll.1.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: System.Runtime.CompilerServices.VisualC.dll.1.dr	String found in binary or memory: https://github.com/dotnet/runtimeBSJB
Source: vm3dc003.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: vm3dc003.dll.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

1_2_004056DE

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

PE file does not import any functions

Source: System.Runtime.CompilerServices.VisualC.dll.1.dr

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe, 00000001.00000002.897861144.000000000040A000.00000004.00000001.01000000.00000005.sdmp

Binary or memory string: OriginalFilenamevm3dc003.dll> vs SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

PE file contains strange resources

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uninstalla.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

1_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_0040755C	1_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_00406D85	1_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_72D91BFF	1_2_72D91BFF

PE file contains executable resources (Code or Archives)

Source: System.Runtime.CompilerServices.VisualC.dll.1.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Virustotal: Detection: 19%
Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	ReversingLabs: Detection: 12%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

1_2_0040352D

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

File created: C:\Users\user\AppData\Local\Temp\nse22A8.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

File written: C:\Users\user\AppData\Local\Temp\Exolve.ini

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/11@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Code function: 1_2_004021AA CoCreateInstance,

1_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_0040498A

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Hardheartedly12

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source:	Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\coinstaller\Win8Release\x64\bin\vm3dc003.pdb source: vm3dc003.dll.1.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.898389983.0000000002BB7000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

PE file contains an invalid checksum

Source: SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Static PE information: real checksum: 0x0 should be: 0xe7640
Source: System.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x3d68
Source: uninstalla.exe.1.dr	Static PE information: real checksum: 0x3f1bf6 should be: 0x4a8b4

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Code function: 1_2_72D930C0 push eax; ret

1_2_72D930EE

PE file contains sections with non-standard names

Source: vm3dc003.dll.1.dr	Static PE information: section name: .didat
Source: vm3dc003.dll.1.dr	Static PE information: section name: .gehcont
Source: vm3dc003.dll.1.dr	Static PE information: section name: _RDATA

Binary contains a suspicious time stamp

Source: System.Runtime.CompilerServices.VisualC.dll.1.dr

Static PE information: 0xC22B5F28 [Fri Mar 24 23:05:12 2073 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Code function: 1_2_72D91BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_72D91BFF

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	File created: C:\Users\user\AppData\Local\Temp\vm3dc003.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	File created: C:\Users\user\AppData\Local\Temp\uninstalla.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	File created: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	File created: C:\Users\user\AppData\Local\Temp\nse4A46.tmp\System.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (31).png

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vm3dc003.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uninstalla.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe	API call chain: ExitProcess graph end node

Source: vm3dc003.dll.1.dr	Binary or memory string: LegalCopyrightCopyright (C) 1998-2021 VMware, Inc.B
Source: vm3dc003.dll.1.dr	Binary or memory string: {4d36e968-e325-11ce-bfc1-08002be10318}SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}CoInstallers32SOFTWARE\Microsoft\Windows\CurrentVersion\RunVMware VM3DService ProcessRegDeleteValue failed (0x%lx).
Source: vm3dc003.dll.1.dr	Binary or memory string: noreply@vmware.com0
Source: vm3dc003.dll.1.dr	Binary or memory string: http://www.vmware.com/0
Source: vm3dc003.dll.1.dr	Binary or memory string: VMware, Inc.
Source: vm3dc003.dll.1.dr	Binary or memory string: dbghelp.dllSoftware\VMware, Inc.\VMware SVGADebugSearchPathBacktrace[%2d] rip=%p %s+%#x %s:%d
Source: vm3dc003.dll.1.dr	Binary or memory string: VMware, Inc.1!0
Source: vm3dc003.dll.1.dr	Binary or memory string: %s: VMToolsRegistry Not set.
Source: vm3dc003.dll.1.dr	Binary or memory string: FileDescriptionVMware SVGA 3D Coinstaller:
Source: vm3dc003.dll.1.dr	Binary or memory string: http://www.vmware.com/0/
Source: vm3dc003.dll.1.dr	Binary or memory string: Software\VMware, Inc.\VMware SVGA
Source: vm3dc003.dll.1.dr	Binary or memory string: VMware, Inc.1
Source: vm3dc003.dll.1.dr	Binary or memory string: VMware, Inc.0
Source: vm3dc003.dll.1.dr	Binary or memory string: ProductNameVMware SVGA 3D`
Source: vm3dc003.dll.1.dr	Binary or memory string: CompanyNameVMware, Inc.^

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

Code function: 1_2_72D91BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_72D91BFF

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.5627.exe

1_2_0040352D

ID:	634994
Product:	CloudBasic
Start time:	09:41:13
Start date:	27.05.2022
Sample:	SecuriteInfo.com.W32.AIDetect.malware2.5627.14109
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	7f369d460c84146944c3c12bf83901af
SHA1:	29ea3441429d555ddfd0fd8d5973aab0f9ea2663
SHA256:	a5e095edbdf743431c5e866c01c3a592fc5a7ddf6bfb617d72f81181743adf3a
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\CELSIAN.Gra	data	F042FA6C1A5A11E1E94F4C7D55F4696F	3A9C3519A67FD03DC3C97EEA6B04CFFD1AA38715	B30D6EBFBD48675A3899E47EA4FEFD63A784CF4D291CE1CE7E805B70BB71D67D
C:\Users\user\AppData\Local\Temp\Exolve.ini	ASCII text, with CRLF line terminators	272BC34712948F6A7132DD80E17DE84E	461967EA55D874C28BF0999FB66CACE785D9BCA9	019D3E92BF00DC7409E188A19F11AB33C31BFBAFE5B2E036632CC69B71207FE9
C:\Users\user\AppData\Local\Temp\Green_Leaves_21.bmp	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3	2F12A714A50993C090C94EC2672490E1	4F9A319C412F1B1B251C027B1C2448BBDBB9CA6F	E759639DCCA8E96864BC82EDBACFD5BB14FE37412A6F3FCE7C82BF1BB944B6E4
C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows	E3F74999CDB00FCAAA6A40A97B8F199B	F3A2C8DF8E98F7DCB49CBE5C4A717A6087A656D2	6929BC473DF404FCED714F345479216B66B72ACF116061DF1CDD8ACAEE961333
C:\Users\user\AppData\Local\Temp\drive-harddisk-system-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	39182B562FCB2BAD93D58516462708A8	F9A88E1F1313BD05CDB1E962DE8170CCCFDA9151	DEF4215BBA93FAED6FCF7E4687EF89AB828DB10E69171A5E14908F091302C59F
C:\Users\user\AppData\Local\Temp\mail-unread-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	433D25AD6818DB00083CD062A16D3479	D4210D893E965912EA7BD45C80D359FECAB54A98	3D06E8FA89BA4FA9D9BCC260F38C72D1A104FE3E6F8923A3EE553563832027CB
C:\Users\user\AppData\Local\Temp\nse4A46.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\scanner.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	0CBA7EB7455B0DB79456C5911F12B75E	DAACA4FE36E4F61016D473A0A1CD4C980906872B	50F4DB972320FF30D4FD98B61F58D956678F38FD1D11CA5109E5559D02A986BE
C:\Users\user\AppData\Local\Temp\uninstalla.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	1DCEAF980C4D83AE2A13BD0F047E1BD7	7D97E79EFB047361A8C2A8AC0A26B37127C3C7AC	0C340FB13ACAAAE759215AF9C970DC6C167418534C421EB626643E20FD0AC832
C:\Users\user\AppData\Local\Temp\vm3dc003.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	059BE7432DFAD92F4EA0A2E5941C52A7	1C1B989D6B9D0FA0808FCA8893ADDC8CD76602D9	8E184A514D8716B59B24892CB425752E6D7837735C1E9F1996D66E70BFEC033B
C:\Users\user\AppData\Local\Temp\vtshim.c	C source, ASCII text	1B00C31FF20D27F07B299063908311E0	1976E6DD68DD0D64508C91A6DFAB8E75F8AAF6CD	EC872BB1DDC330D3F19F68D033B0706E1B78D4A91A58998674B67EAD58BEA729

Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.5627.14109

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware2.5627.14109

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.5627.14109