Windows Analysis Report
xKBLVUHoY6.exe

Overview

General Information

Sample Name: xKBLVUHoY6.exe
Analysis ID: 679245
MD5: 6e0bf5d5220fbe4f7245653a259c7dad
SHA1: f077644ac1eb17aa811f4805e1f5f546b4f6166f
SHA256: 2914eb3edbf9dadb98429173fb1c1b5954742b10e49b1f804024e6448028f73e

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: xKBLVUHoY6.exe Virustotal: Detection: 36%
Source: http://212.193.0.40/redi_oXifXcNSpB69.binn Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.bin~ Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.bin Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.binsvY Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.bing Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.binH Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.binoe Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.binZ Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.binalm Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.bin Virustotal: Detection: 15%
Source: 00000000.00000002.1475620205.0000000003360000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://212.193.0.40/redi_oXifXcNSpB69.bin"}
Source: xKBLVUHoY6.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: xKBLVUHoY6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D

Networking

Source: Malware configuration extractor URLs: http://212.193.0.40/redi_oXifXcNSpB69.bin
Source: global traffic TCP traffic: 192.168.11.20:49727 -> 212.193.0.40:80
Source: Joe Sandbox View ASN Name: ASBAXETNRU
Source: unknown TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.bin
Source: CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binH
Source: CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binZ
Source: CasPol.exe, 00000003.00000002.5717397048.0000000001520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binalm
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.bing
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binn
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binoe
Source: CasPol.exe, 00000003.00000002.5717397048.0000000001520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binsvY
Source: CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.bin~
Source: xKBLVUHoY6.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: xKBLVUHoY6.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: xKBLVUHoY6.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xKBLVUHoY6.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: xKBLVUHoY6.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: xKBLVUHoY6.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: xKBLVUHoY6.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: xKBLVUHoY6.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: xKBLVUHoY6.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: xKBLVUHoY6.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056A8
Source: xKBLVUHoY6.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_00406BFE 0_2_00406BFE
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_6E551BFF 0_2_6E551BFF
Source: xKBLVUHoY6.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll
Source: xKBLVUHoY6.exe Static PE information: invalid certificate
Source: xKBLVUHoY6.exe Virustotal: Detection: 36%
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File read: C:\Users\user\Desktop\xKBLVUHoY6.exe
Source: xKBLVUHoY6.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\xKBLVUHoY6.exe "C:\Users\user\Desktop\xKBLVUHoY6.exe"
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\xKBLVUHoY6.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\xKBLVUHoY6.exe"
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Lansat
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File created: C:\Users\user\AppData\Local\Temp\nsp4C13.tmp
Source: classification engine Classification label: mal88.troj.evad.winEXE@4/4@0/1
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404954
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8764:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8764:120:WilError_03
Source: xKBLVUHoY6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000000.00000002.1475620205.0000000003360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.817511706.0000000001230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.5715131175.0000000001230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_6E5530C0 push eax; ret 0_2_6E5530EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_0123154E push ds; retf 3_2_012315DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_012311C5 push esp; iretd 3_2_012311C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_012349CC push ebp; ret 3_2_012349CD
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_6E551BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6E551BFF
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File created: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Source: xKBLVUHoY6.exe, 00000000.00000002.1475805085.0000000003461000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: xKBLVUHoY6.exe, 00000000.00000002.1475805085.0000000003461000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718346627.00000000015D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: CasPol.exe, 00000003.00000002.5718346627.00000000015D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=HTTP://212.193.0.40/REDI_OXIFXCNSPB69.BIN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe API call chain: ExitProcess graph end node
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: xKBLVUHoY6.exe, 00000000.00000002.1475805085.0000000003461000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000003.00000002.5718346627.00000000015D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=http://212.193.0.40/redi_oXifXcNSpB69.bin
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718112034.0000000001545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: xKBLVUHoY6.exe, 00000000.00000002.1475805085.0000000003461000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718346627.00000000015D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat

Anti Debugging

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_6E551BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6E551BFF
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\xKBLVUHoY6.exe"
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7