Windows Analysis Report
XShSI2OXaC.exe

Overview

General Information

Sample Name: XShSI2OXaC.exe
Analysis ID: 736966
MD5: b69c9170ffab277e1bd13fde891a5ae5
SHA1: 8928e5d360edbecd1547cf61831d4f055bed92af
SHA256: a81489460818664146f756543f081b702bcb69244ebf8f6a240b02b2357c577c
Tags: exe, signed

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality to read data from the clipboard

Classification

  • System is w10x64
  • XShSI2OXaC.exe (PID: 5820 cmdline: C:\Users\user\Desktop\XShSI2OXaC.exe MD5: B69C9170FFAB277E1BD13FDE891A5AE5)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.777436198.0000000003220000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: XShSI2OXaC.exe | ReversingLabs: Detection: 40%
    Source: XShSI2OXaC.exe | Virustotal: Detection: 8%
    Source: XShSI2OXaC.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\One
    Source: XShSI2OXaC.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_00405B6C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_004028D5 FindFirstFileW,
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_0040679D FindFirstFileW,FindClose,
    Source: XShSI2OXaC.exe | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
    Source: XShSI2OXaC.exe | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
    Source: XShSI2OXaC.exe | String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
    Source: XShSI2OXaC.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: XShSI2OXaC.exe | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
    Source: XShSI2OXaC.exe | String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
    Source: XShSI2OXaC.exe | String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
    Source: XShSI2OXaC.exe | String found in binary or memory: http://subca.ocsp-certum.com01
    Source: XShSI2OXaC.exe | String found in binary or memory: http://subca.ocsp-certum.com02
    Source: XShSI2OXaC.exe | String found in binary or memory: http://subca.ocsp-certum.com05
    Source: XShSI2OXaC.exe | String found in binary or memory: http://www.certum.pl/CPS0
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_00405601 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_0040350D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_00406B64
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_73791B5F
    Source: XShSI2OXaC.exe | Static PE information: invalid certificate
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Process Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | File read: C:\Users\user\Desktop\XShSI2OXaC.exe
    Source: XShSI2OXaC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | File created: C:\Users\user\AppData\Local\Temp\nsyA070.tmp
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Contentness\Filialbestyrerens\Talkability\Platybrachycephalous\Plugin_Status.ini
    Source: classification engine | Classification label: mal60.troj.evad.winEXE@1/6@0/0
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_00402171 CoCreateInstance,
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_004048B8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

    Data Obfuscation

    Source: Yara match | File source: 00000000.00000002.777436198.0000000003220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_73791B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | File created: C:\Users\user\AppData\Local\Temp\nszA331.tmp\System.dll
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | RDTSC instruction interceptor: First address: 0000000003221D6F second address: 0000000003221D6F instructions:
        0x00000000 rdtsc
        0x00000002 test ch, 00000040h
        0x00000005 cmp ebx, ecx
        0x00000007 jc 00007F6E649CF979h
        0x0000000d test cx, bx
        0x00000010 inc ebp
        0x00000011 cmp ax, cx
        0x00000014 inc ebx
        0x00000015 jmp 00007F6E649CFB35h
        0x0000001a test bx, dx
        0x0000001d rdtsc
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_00405B6C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_004028D5 FindFirstFileW,
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_0040679D FindFirstFileW,FindClose,
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | API call chain: ExitProcess graph end node
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_73791B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_0040350D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

MITRE ATT&CK matrix (the number in front of a technique is the count of signatures mapped to it; techniques without a number did not match):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: 1 Native API; Scheduled Task/Job; At (Linux)
Persistence: 1 Windows Service; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; Logon Script (Windows)
Defense Evasion: 1 Access Token Manipulation; Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 1 Security Software Discovery; 3 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: 1 Encrypted Channel; Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data
Source | Detection | Scanner | Label
XShSI2OXaC.exe | 40% | ReversingLabs | Win32.Trojan.InjectorX
XShSI2OXaC.exe | 8% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nszA331.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nszA331.tmp\System.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\nszA331.tmp\System.dll | 4% | Metadefender |

No Antivirus matches
Source | Detection | Scanner | Label
http://subca.ocsp-certum.com05 | 0% | URL Reputation | safe
http://subca.ocsp-certum.com02 | 0% | URL Reputation | safe
http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe

No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.certum.pl/ctnca2.crl0l | XShSI2OXaC.exe | false | | high
http://repository.certum.pl/ctnca2.cer09 | XShSI2OXaC.exe | false | | high
http://crl.certum.pl/ctsca2021.crl0o | XShSI2OXaC.exe | false | | high
http://repository.certum.pl/ctnca.cer09 | XShSI2OXaC.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | XShSI2OXaC.exe | false | | high
http://repository.certum.pl/ctsca2021.cer0 | XShSI2OXaC.exe | false | | high
http://crl.certum.pl/ctnca.crl0k | XShSI2OXaC.exe | false | | high
http://subca.ocsp-certum.com05 | XShSI2OXaC.exe | false | URL Reputation: safe | unknown
http://www.certum.pl/CPS0 | XShSI2OXaC.exe | false | | high
http://subca.ocsp-certum.com02 | XShSI2OXaC.exe | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com01 | XShSI2OXaC.exe | false | URL Reputation: safe | unknown

No contacted IP infos

Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 736966
Start date and time: 2022-11-03 12:40:26 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 26s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: XShSI2OXaC.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.troj.evad.winEXE@1/6@0/0
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 86.1% (good quality ratio 84.8%)
• Quality average: 88.3%
• Quality standard deviation: 20.8%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context

Process: C:\Users\user\Desktop\XShSI2OXaC.exe
File Type: MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category: dropped
Size (bytes): 852
Entropy (8bit): 2.8931668942154323
Encrypted: false
SSDEEP: 12:8gl0gsXou41w/tz+7RafgKDuKiP/3NJkKAd4t2Y+xIBjK:8/f4eaRMgKxiX9HAv7aB
MD5: 4C35348ABAD84AE5B63C7EE3148E0F95
SHA1: 6805EF5D68BFDFF71F2841255892BC1957AE40AA
SHA-256: 0D6C1CB8C1BB8471AA59E453AE72C69B894A85EB2CE3AE3EFAE789CC89D92ADF
SHA-512: 74CB2490211DC4163D2AEA5C550338806070CD90FA7A461A2DBFBBC96B49CB44E2F351BAFAD5D3B201263923A2E674209C6DEBD1C3C7F746DDBE694216EB8320
Malicious: false
Reputation: moderate, very likely benign file

Process: C:\Users\user\Desktop\XShSI2OXaC.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 12288
Entropy (8bit): 5.737504888129487
Encrypted: false
SSDEEP: 192:BenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XB9IwL:B8+Qlt70Fj/lQRY/9VjjlL
MD5: 8CF2AC271D7679B1D68EEFC1AE0C5618
SHA1: 7CC1CAAA747EE16DC894A600A4256F64FA65A9B8
SHA-256: 6950991102462D84FDC0E3B0AE30C95AF8C192F77CE3D78E8D54E6B22F7C09BA
SHA-512: CE828FB9ECD7655CC4C974F78F209D3326BA71CED60171A45A437FC3FFF3BD0D69A0997ADACA29265C7B5419BDEA2B17F8CC8CEAE1B8CE6B22B7ED9120BB5AD3
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 4%
Reputation: moderate, very likely benign file

Process: C:\Users\user\Desktop\XShSI2OXaC.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 102
Entropy (8bit): 3.52328456258532
Encrypted: false
SSDEEP: 3:Q++l3293myVfslYx5hev/LmRlfVRlVl:Q++lQWyVkixm3up
MD5: 4F9A42DF26A7D4555300076765236140
SHA1: 1F97D929B2FEC9B8171BC8433F046753E66A10A9
SHA-256: 35BFF73B98E198313A09FDC972F7E9F16014C7E96ACA96A094510D3F6462473C
SHA-512: 26C627C99A9F1BE9C311C3B185A258BC5FE2DF9DB3AB7657BB2582940C185252AB586F6F20A8086E530D4A946BD9DF495F0C43C4C9259225945E16AC61AF5C00
Malicious: false
Reputation: low
Preview: ..[.A.R.M.O.U.R.Y. .C.R.A.T.E. .S.T.A.T.U.S.].....A.u.r.a.P.l.u.g.I.n._.V.e.r.s.i.o.n.=.4...0...0...0.

Process: C:\Users\user\Desktop\XShSI2OXaC.exe
File Type: C source, ASCII text
Category: dropped
Size (bytes): 22849
Entropy (8bit): 5.11077967265171
Encrypted: false
SSDEEP: 384:mF+fT69ihYf2GM4R07AZI5dNkWb5jaxZBqOVSSZREtMOPSXCm:mf6AZINJb5jaxDqRSZgk
MD5: 1C9F1050DD84B2B185741F28309D3B30
SHA1: 740C9AAFF5D67D3254239B5509D613E4BE9B5B85
SHA-256: 669D3FF0B8649789381CDBB589746248898AFB4EBC2053952E57EB9475F5064A
SHA-512: 4A568558B4EF9ED4CA579E8DFBB0FDFFFFE6A442AE11E1FF48E1DB93267469BF66BC3B10DA3397A30C362E4F4CE0A1367E6266D0A78BC61060C103BB4625A1CF
Malicious: false
Reputation: moderate, very likely benign file
Preview: /*.** 2013-10-09.**.** The author disclaims copyright to this source code. In place of.** a legal notice, here is a blessing:.**.** May you do good and not evil..** May you find forgiveness for yourself and forgive others..** May you share freely, never taking more than you give..**.******************************************************************************.**.** This file contains the implementation of an SQLite vfs wrapper for.** unix that generates per-database log files of all disk activity..*/../*.** This module contains code for a wrapper VFS that causes a log of.** most VFS calls to be written into a file on disk..**.** Each database connection creates a separate log file in the same.** directory as the original database and named after the original.** database. A unique suffix is added to avoid name collisions. .** Separate log files are used so that concurrent processes do not.** try to write log operations to the same file at the same instant, .** resulting in

Process: C:\Users\user\Desktop\XShSI2OXaC.exe
File Type: data
Category: dropped
Size (bytes): 169398
Entropy (8bit): 6.943066252449536
Encrypted: false
SSDEEP: 1536:kYNzSfaJrHw2kpeuoo3koyTLZbsBnqxlkTfIYsZYR0JY6nue2HSPKb4aBSBXPVso:OaRSpXo/DLZe9rlsU0JDnUAKb4USV2M
MD5: 41A2DEFADC6A543205116432277F62D5
SHA1: FEBF4BE1B62529495501EAECE3E4691342F021C7
SHA-256: 13DC3B2288380DB05CF9DDFA1EEBB66DB7C01035D3B895242824BC7CE2E6DC55
SHA-512: 3C548C50A93B730B903A1EBEB65DC73C07238E56F2EFBCFFA986B8A63C4628FA677A157A0C3AE52123B2FA21FEFBF2966EEB7E0646EB43A4EEC9A25D035D86CC
Malicious: false

Process: C:\Users\user\Desktop\XShSI2OXaC.exe
File Type: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 136
Entropy (8bit): 5.506031499655005
Encrypted: false
SSDEEP: 3:yionv//thPl9vt3lAnsrtxBll8xn9gR5XfixtIS2kj7QJ/lsg1p:6v/lhPys6aorIStC2up
MD5: 1E05E353B63930E92518EC5136819E9E
SHA1: 82E22F6A10959DDF998F17799BC8257528DF9C8E
SHA-256: 8E686112200E526D3928BF2F717A00B2E6EC74826AB3DC3AB63F7B5D6F760348
SHA-512: E2896BB1D9C1514C7F6E6A60F4E1614FEF8DCBE774AEE4FA977C7DE91BBF37DDE6D45ECA73730082182226B8D3F755A06528FF57C4294F7F1AAD50910FB7A39E
Malicious: false

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.775192199206559
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: XShSI2OXaC.exe
File size: 192936
MD5: b69c9170ffab277e1bd13fde891a5ae5
SHA1: 8928e5d360edbecd1547cf61831d4f055bed92af
SHA256: a81489460818664146f756543f081b702bcb69244ebf8f6a240b02b2357c577c
SHA512: 0bf095bdc0bd8c0898952e83249930fd02f68415915681a11cfed7276f7949384ed8cea8ee2339dfd567ca298402768e86a6e795086629c642c11a9d932d0196
SSDEEP: 3072:PSrFD0QAGq6muqIpb5Hp15W0Om6GHAPulczSd8/Zjx5lY8pV+DdhLeWxSbTEZfSu:7QA4WaniPVSd8xflY8Ygmjd
TLSH: 8214F1513AB0E507ED275A3118796F273FF1791A19918B0B6350BBAA7D23380866F31F
Icon Hash: f4f0d0dc4cccdcd4
Entrypoint: 0x40350d
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x5DF6D4ED [Mon Dec 16 00:50:53 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 24f4223e271413c25abad52fd456a9bc
Signature Valid: false
Signature Issuer: OU="Mesterlig Efterbehandlingen Buggy ", E=rykninger@Vasks.Ud, O=Professionalisere, L=Paris 14, S=Île-de-France, C=FR
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After:
• 11/2/2022 4:13:09 PM, 11/1/2025 4:13:09 PM
Subject Chain:
• OU="Mesterlig Efterbehandlingen Buggy ", E=rykninger@Vasks.Ud, O=Professionalisere, L=Paris 14, S=Île-de-France, C=FR
Version: 3
Thumbprint MD5: C6482E31BD649A8F80BC03910D4D9041
Thumbprint SHA-1: D014D5D190B882F8D11FE7402087EB970E60A7DB
Thumbprint SHA-256: 44451256F3DBCD4B695F950230470C038611B2648483EF95256B6744B7A32134
Serial: 08753235BB3B561B

Instructions at entrypoint 0x40350d:
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007F6E64BD9BC3h
push ebx
call 00007F6E64BDCE97h
cmp eax, ebx
je 00007F6E64BD9BB9h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F6E64BDCE11h
push esi
call dword ptr [00408154h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F6E64BD9B9Ch
push 0000000Ah
call 00007F6E64BDCE6Ah
push 00000008h
call 00007F6E64BDCE63h
push 00000006h
mov dword ptr [0042A244h], eax
call 00007F6E64BDCE57h
cmp eax, ebx
je 00007F6E64BD9BC1h
push 0000001Eh
call eax
test eax, eax
je 00007F6E64BD9BB9h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408040h]
push ebx
call dword ptr [0040829Ch]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408184h]
push 0040A384h

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
                    Name                                 Virtual Address  Virtual Size  Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_IMPORT         0x8504           0xa0          .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE       0x65000          0x36e0        .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY       0x2d280          0x1f28        .ndata (see note)
                    IMAGE_DIRECTORY_ENTRY_BASERELOC      0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_DEBUG          0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_IAT            0x8000           0x2ac         .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0
                    Note: for the SECURITY entry the "Virtual Address" field is a file offset, not an RVA. 0x2d280 + 0x1f28 = 0x2f1a8 = 192936 bytes, which is the reported file size, so the certificate table is the last 0x1f28 bytes of the file, after the last section's raw data; the ".ndata" attribution comes from reading that offset as if it were an RVA (0x2d280 falls inside .ndata's virtual range).
                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
                    .text   0x1000           0x647b        0x6600    False     0.6578967524509803   data       6.426522741823245  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata  0x8000           0x1384        0x1400    False     0.45                 data       5.136348990166042  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data   0xa000           0x20358       0x600     False     0.5032552083333334   data       4.005849468822358  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .ndata  0x2b000          0x3a000       0x0       False     0                    empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc   0x65000          0x36e0        0x3800    False     0.44998604910714285  data       5.471517583781187  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
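The two tables above are what a PE header walk produces. The following is an added example, not Joe Sandbox's tooling and not code from the sample: it parses a PE32 header by hand (no pefile dependency), rebuilds the section and data-directory tables, scores per-section entropy the way the report does, and adds the checks a reviewer wants on a signed installer: how large the overlay after the last section is, whether the SECURITY entry lies in that overlay, and whether it ends exactly at EOF. Because the sample itself is not on this page, the block constructs a PE in memory from the report's header values; the raw file offsets (PointerToRawData), the PRNG section bodies and the zero-filled certificate body are assumptions of the example, as is treating `.ndata` as the NSIS installer stub's uninitialized-data section (the reason its raw size is 0).

```python
import math
import random
import struct
from collections import Counter

# Data-directory order from the PE/COFF spec. Index 4 (SECURITY) is special: its
# "VirtualAddress" field is a file offset to the WIN_CERTIFICATE blob, not an RVA.
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
SECURITY = DIR_NAMES.index("SECURITY")

# Values copied from the report: (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics).
REPORT_SECTIONS = [
    (b".text",  0x1000,  0x647b,  0x6600, 0x60000020),   # CODE | EXECUTE | READ
    (b".rdata", 0x8000,  0x1384,  0x1400, 0x40000040),   # INITIALIZED_DATA | READ
    (b".data",  0xa000,  0x20358, 0x600,  0xC0000040),   # INITIALIZED_DATA | READ | WRITE
    (b".ndata", 0x2b000, 0x3a000, 0x0,    0xC0000080),   # UNINITIALIZED_DATA | READ | WRITE
    (b".rsrc",  0x65000, 0x36e0,  0x3800, 0x40000040),   # INITIALIZED_DATA | READ
]
REPORT_DIRS = {1: (0x8504, 0xa0), 2: (0x65000, 0x36e0), 4: (0x2d280, 0x1f28), 12: (0x8000, 0x2ac)}
REPORT_FILE_SIZE = 192936


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 0.0 for empty input (how the report scores .ndata)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def build_sample_pe() -> bytes:
    """Constructed PE32 carrying the report's header values. Section bodies are PRNG
    filler and the raw file offsets are assumed: the report does not list PointerToRawData."""
    rng = random.Random(736966)

    def filler(n):
        return rng.getrandbits(8 * n).to_bytes(n, "little") if n else b""

    headers_size = 0x200          # DOS stub + PE headers + 5 section headers fit exactly
    raw_ptr, sec_hdrs, body = headers_size, b"", b""
    for name, va, vsize, rawsize, chars in REPORT_SECTIONS:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize,
                                raw_ptr if rawsize else 0, 0, 0, 0, 0, chars)
        body += filler(rawsize)
        raw_ptr += rawsize
    # Everything past the last section is overlay; the Authenticode blob sits at its very end.
    cert_off, cert_len = REPORT_DIRS[SECURITY]
    overlay = filler(cert_off - raw_ptr)
    cert = struct.pack("<IHH", cert_len, 0x0200, 0x0002) + bytes(cert_len - 8)  # WIN_CERTIFICATE hdr, body zeroed
    dirs = b"".join(struct.pack("<II", *REPORT_DIRS.get(i, (0, 0))) for i in range(16))
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10b, 6, 0, 0x6600, 0x5000, 0x3a000, 0x3000, 0x1000, 0x8000, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x69000, headers_size, 0,
                      2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + dirs
    coff = struct.pack("<HHIIIHH", 0x14c, len(REPORT_SECTIONS), 0, 0, 0, len(opt), 0x010F)
    hdr = b"MZ" + bytes(0x3a) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec_hdrs
    return hdr + bytes(headers_size - len(hdr)) + body + overlay + cert


def rva_to_section(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def parse_pe(data: bytes) -> dict:
    """Walk the headers by hand and reproduce the report's tables plus the overlay/certificate checks."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3c)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10b:
        raise ValueError("only PE32 handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {}
    for i in range(min(ndirs, 16)):
        va, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        if size:
            dirs[DIR_NAMES[i]] = (va, size)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, ptr, *_, sc = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[ptr:ptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "ptr": ptr, "entropy": round(shannon_entropy(raw), 2),
                         "executable": bool(sc & 0x20000000), "writable": bool(sc & 0x80000000)})
    last_raw_end = max((s["ptr"] + s["rawsize"] for s in sections), default=0)
    findings = {"is_32bit": machine == 0x14c, "relocs_stripped": bool(chars & 0x0001),
                "overlay_size": len(data) - last_raw_end,
                "cert_in_overlay": False, "cert_ends_at_eof": False, "cert_offset_read_as_rva": None}
    if "SECURITY" in dirs:
        off, size = dirs["SECURITY"]
        findings["cert_in_overlay"] = off >= last_raw_end
        findings["cert_ends_at_eof"] = off + size == len(data)
        findings["cert_offset_read_as_rva"] = rva_to_section(sections, off)  # yields the report's ".ndata"
    return {"sections": sections, "dirs": dirs, "findings": findings}


if __name__ == "__main__":
    report = parse_pe(build_sample_pe())   # swap in open("XShSI2OXaC.exe", "rb").read() for the real file
    for s in report["sections"]:
        print(f'{s["name"]:7} va={s["va"]:#07x} vsize={s["vsize"]:#07x} raw={s["rawsize"]:#06x} '
              f'entropy={s["entropy"]:.2f} X={s["executable"]} W={s["writable"]}')
    print(report["dirs"], report["findings"])
```

Two things the output makes visible that the flat tables do not: the certificate offset is only "in .ndata" if you misread a file offset as an RVA, and a large overlay behind a zero-raw-size `.ndata` section is where an NSIS installer keeps its compressed payload, which is the part worth extracting next, not the 0x6600-byte stub in `.text`. A valid-looking WIN_CERTIFICATE header says nothing about whether the signature verifies; that needs a real Authenticode check, which this block does not do.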
                    Name           RVA      Size    Type                                                                                   Language  Country
                    RT_BITMAP      0x652b0  0x368   Device independent bitmap graphic, 96 x 16 x 4, image size 768                         English   United States
                    RT_ICON        0x65618  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600                       English   United States
                    RT_DIALOG      0x67bc0  0x144   data                                                                                   English   United States
                    RT_DIALOG      0x67d08  0x13c   data                                                                                   English   United States
                    RT_DIALOG      0x67e48  0x100   data                                                                                   English   United States
                    RT_DIALOG      0x67f48  0x11c   data                                                                                   English   United States
                    RT_DIALOG      0x68068  0xc4    data                                                                                   English   United States
                    RT_DIALOG      0x68130  0x60    data                                                                                   English   United States
                    RT_GROUP_ICON  0x68190  0x14    data                                                                                   English   United States
                    RT_VERSION     0x681a8  0x1f4   data                                                                                   English   United States
                    RT_MANIFEST    0x683a0  0x33e   XML 1.0 document, ASCII text, with very long lines (830), with no line terminators     English   United States
                    DLL           Imports
                    KERNEL32.dll  ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, MoveFileW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, lstrcmpW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, DeleteFileW, FindFirstFileW, FindNextFileW, FindClose, SetFilePointer, ReadFile, MulDiv, lstrlenA, WideCharToMultiByte, MultiByteToWideChar, WritePrivateProfileStringW, FreeLibrary, GetPrivateProfileStringW, GetModuleHandleW, LoadLibraryExW
                    USER32.dll    GetWindowRect, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, ScreenToClient, EnableMenuItem, GetDlgItem, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, SystemParametersInfoW, EndDialog, RegisterClassW, DialogBoxParamW, CreateWindowExW, GetClassInfoW, DestroyWindow, CharNextW, ExitWindowsEx, SetWindowTextW, LoadImageW, SetTimer, ShowWindow, PostQuitMessage, wsprintfW, SetWindowLongW, FindWindowExW, IsWindow, CreatePopupMenu, AppendMenuW, GetSystemMetrics, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
                    GDI32.dll     SelectObject, SetTextColor, SetBkMode, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
                    SHELL32.dll   ShellExecuteExW, SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHGetFileInfoW, SHFileOperationW, SHBrowseForFolderW
                    ADVAPI32.dll  AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                    COMCTL32.dll  ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                    ole32.dll     OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                    Language of compilation system  Country where language is spoken
                    English                         United States
                    No network behavior found
                    No statistics
                    Target ID:0
                    Start time:12:41:19
                    Start date:03/11/2022
                    Path:C:\Users\user\Desktop\XShSI2OXaC.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\Desktop\XShSI2OXaC.exe
                    Imagebase:0x400000
                    File size:192936 bytes
                    MD5 hash:B69C9170FFAB277E1BD13FDE891A5AE5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.777436198.0000000003220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low

                    No disassembly