Windows Analysis Report
Inventory_list.img.exe

Overview

General Information

Sample name: Inventory_list.img.exe
Analysis ID: 1445939
MD5: a5b21b2b487ef822fa7564a5a6833e10
SHA1: 658b3e8680f568b6ae557bbc14cefbf8ce6cc54d
SHA256: 55803a4227e0110d88300cd0ea5c98d479738a2a33be1d07702301eb1fc37527

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: http://studentzindagi.za.com/bxbPiwfERAZWdsgPWBtUv3.bin Avira URL Cloud: Label: malware
Source: Inventory_list.img.exe ReversingLabs: Detection: 44%
Source: Inventory_list.img.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.11.30:49853 version: TLS 1.2
Source: Inventory_list.img.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_004065C5 FindFirstFileW,FindClose, 6_2_004065C5
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 6_2_00405990
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_00402862 FindFirstFileW, 6_2_00402862
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00402862 FindFirstFileW, 8_2_00402862
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_004065C5 FindFirstFileW,FindClose, 8_2_004065C5
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 8_2_00405990
Source: Joe Sandbox View IP Address: 91.185.215.13
Source: Joe Sandbox View IP Address: 104.26.13.205
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bxbPiwfERAZWdsgPWBtUv3.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: studentzindagi.za.com Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: studentzindagi.za.com
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: Inventory_list.img.exe, 00000008.00000002.95675212784.000000003885E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Inventory_list.img.exe, 00000008.00000002.95675212784.000000003885E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Inventory_list.img.exe, 00000006.00000002.91209728992.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Inventory_list.img.exe, 00000006.00000000.90558447101.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Inventory_list.img.exe, 00000008.00000000.91036716567.000000000040A000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Inventory_list.img.exe, 00000008.00000002.95673327948.0000000036281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Inventory_list.img.exe, 00000008.00000002.95659936798.0000000005A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://studentzindagi.za.com/bxbPiwfERAZWdsgPWBtUv3.bin.v_
Source: Inventory_list.img.exe, 00000008.00000002.95659936798.0000000005A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://studentzindagi.za.com/bxbPiwfERAZWdsgPWBtUv3.binSv2
Source: Inventory_list.img.exe, 00000008.00000002.95673327948.0000000036281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Inventory_list.img.exe, 00000008.00000002.95673327948.0000000036281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Inventory_list.img.exe, 00000008.00000002.95673327948.0000000036281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 6_2_00405425
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 6_2_00403373
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 8_2_00403373
Source: C:\Users\user\Desktop\Inventory_list.img.exe File created: C:\Windows\SysWOW64\kaleb.ini
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_00404C62 6_2_00404C62
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_00406ADD 6_2_00406ADD
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_004072B4 6_2_004072B4
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00404C62 8_2_00404C62
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00406ADD 8_2_00406ADD
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_004072B4 8_2_004072B4
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00153900 8_2_00153900
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00158C10 8_2_00158C10
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_0015F430 8_2_0015F430
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00154518 8_2_00154518
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_0015BF50 8_2_0015BF50
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00153C48 8_2_00153C48
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_36061A30 8_2_36061A30
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_36067050 8_2_36067050
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_36067FB0 8_2_36067FB0
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_360634A0 8_2_360634A0
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_3606A1E8 8_2_3606A1E8
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: String function: 00402C37 appears 51 times
Source: Inventory_list.img.exe Static PE information: invalid certificate
Source: Inventory_list.img.exe, 00000008.00000002.95659936798.0000000005A27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Inventory_list.img.exe
Source: classification engine Classification label: mal84.troj.spyw.evad.winEXE@3/15@2/2
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 6_2_004046E6
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_004020FE CoCreateInstance, 6_2_004020FE
Source: C:\Users\user\Desktop\Inventory_list.img.exe File created: C:\Program Files (x86)\skitserer.ini
Source: C:\Users\user\Desktop\Inventory_list.img.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\meningskorrekturer
Source: C:\Users\user\Desktop\Inventory_list.img.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Inventory_list.img.exe File created: C:\Users\user\AppData\Local\Temp\nsiA3EC.tmp
Source: Inventory_list.img.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Inventory_list.img.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Inventory_list.img.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Inventory_list.img.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Inventory_list.img.exe File read: C:\Users\user\Desktop\Inventory_list.img.exe
Source: unknown Process created: C:\Users\user\Desktop\Inventory_list.img.exe "C:\Users\user\Desktop\Inventory_list.img.exe"
Source: C:\Users\user\Desktop\Inventory_list.img.exe Process created: C:\Users\user\Desktop\Inventory_list.img.exe "C:\Users\user\Desktop\Inventory_list.img.exe"
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Inventory_list.img.exe File written: C:\Windows\SysWOW64\kaleb.ini
Source: C:\Users\user\Desktop\Inventory_list.img.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Data Obfuscation

Source: Yara match File source: 00000006.00000002.91211781525.0000000005147000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 6_2_10001B18
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_10002DE0 push eax; ret 6_2_10002E0E
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00150C45 push ebx; retf 8_2_00150C52
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00150C6D push edi; retf 8_2_00150C7A
Source: C:\Users\user\Desktop\Inventory_list.img.exe File created: C:\Users\user\AppData\Local\Temp\nslC409.tmp\System.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Inventory_list.img.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Inventory_list.img.exe Memory allocated: 110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Inventory_list.img.exe Memory allocated: 36280000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Inventory_list.img.exe Memory allocated: 36080000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Inventory_list.img.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslC409.tmp\System.dll
Source: C:\Users\user\Desktop\Inventory_list.img.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Inventory_list.img.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_004065C5 FindFirstFileW,FindClose, 6_2_004065C5
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 6_2_00405990
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_00402862 FindFirstFileW, 6_2_00402862
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00402862 FindFirstFileW, 8_2_00402862
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_004065C5 FindFirstFileW,FindClose, 8_2_004065C5
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 8_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 8_2_00405990
Source: Inventory_list.img.exe, 00000008.00000002.95659936798.00000000059E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Inventory_list.img.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 6_2_10001B18
Source: C:\Users\user\Desktop\Inventory_list.img.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Inventory_list.img.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Inventory_list.img.exe Process created: C:\Users\user\Desktop\Inventory_list.img.exe "C:\Users\user\Desktop\Inventory_list.img.exe"
Source: C:\Users\user\Desktop\Inventory_list.img.exe Queries volume information: C:\Users\user\Desktop\Inventory_list.img.exe VolumeInformation
Source: C:\Users\user\Desktop\Inventory_list.img.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Inventory_list.img.exe Code function: 6_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 6_2_00403373
Source: C:\Users\user\Desktop\Inventory_list.img.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\Inventory_list.img.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Inventory_list.img.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Inventory_list.img.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Inventory_list.img.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\Inventory_list.img.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Inventory_list.img.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\Inventory_list.img.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Inventory_list.img.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Inventory_list.img.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Inventory_list.img.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000008.00000002.95673327948.00000000362D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Inventory_list.img.exe PID: 8884, type: MEMORYSTR