Windows Analysis Report
GdsGKfLRby.exe

Overview

General Information

Sample name: GdsGKfLRby.exe
renamed because original name is a hash value
Original sample name: b437936e1752bd430545f30ba5223fabe413dc39ec2a82f437d11fd857dcede8.exe
Analysis ID: 1447645
MD5: 48e6ba377d90401cee819471fcea38b9
SHA1: 0f6f6ef2b5691946703d37a6316452dda6d5eab5
SHA256: b437936e1752bd430545f30ba5223fabe413dc39ec2a82f437d11fd857dcede8
Tags: exe, NetWire

Detection

NetWire
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected NetWire RAT
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: NetWire RC, NetWire
Description: Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF
Attribution: APT33
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire

AV Detection

Source: GdsGKfLRby.exe Avira: detected
Source: netwire2021.duckdns.org:7929 Avira URL Cloud: Label: malware
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack Malware Configuration Extractor: NetWire {"C2 list": ["netwire2021.duckdns.org:7929"], "Password": "Password", "Host ID": "HostId-yISsE2", "Mutex": "qFlJFfII", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "C:\\Users\\Administrator\\AppData\\Roaming\\Logs\\"}
Source: netwire2021.duckdns.org:7929 Virustotal: Detection: 5%
Source: GdsGKfLRby.exe ReversingLabs: Detection: 97%
Source: GdsGKfLRby.exe Virustotal: Detection: 87%
Source: GdsGKfLRby.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 1_2_0040C4B7
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040E511 CryptUnprotectData,LocalFree, 1_2_0040E511
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp, 1_2_0040EDD6
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 1_2_0040D290
Source: GdsGKfLRby.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 1_2_00406453
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 1_2_0040680D
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 1_2_0040753D
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 1_2_00413A85
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 1_2_0040DB1C
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 1_2_00406F83
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 1_2_00406390
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 1_2_00406084

Networking

Source: Malware configuration extractor URLs: netwire2021.duckdns.org:7929
Source: unknown DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00405811 send,recv, 1_2_00405811
Source: global traffic DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net
Source: GdsGKfLRby.exe String found in binary or memory: http://www.yandex.com
Source: GdsGKfLRby.exe String found in binary or memory: http://www.yandex.comsocks=

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 1_2_00409953
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00411D8C GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetDIBits,calloc,GetDIBits,ReleaseDC,DeleteDC,DeleteObject,free, 1_2_00411D8C

System Summary

Source: GdsGKfLRby.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: GdsGKfLRby.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: GdsGKfLRby.exe, type: SAMPLE Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 00000001.00000000.2103922275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000001.00000000.2103948547.0000000000422000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: Process Memory Space: GdsGKfLRby.exe PID: 6496, type: MEMORYSTR Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 703D0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 713A0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 72370000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 73AE0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 77030000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 78000000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 73340000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 763B0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 73740000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 74AB0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 76080000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 76BF0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 74CB0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 75BF0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 767B0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 73940000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 74DB0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 750F0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 75280000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 768B0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 76DF0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 73A80000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 75170000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 759F0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 75CF0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 75F80000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 76280000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 76930000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 76B70000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 75D30000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Memory allocated: 762C0000 page read and write
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00403047 1_2_00403047
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0041D049 1_2_0041D049
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00419463 1_2_00419463
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00415079 1_2_00415079
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00420420 1_2_00420420
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_004208C0 1_2_004208C0
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_004034D3 1_2_004034D3
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00414976 1_2_00414976
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00402E68 1_2_00402E68
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00416619 1_2_00416619
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040AEC6 1_2_0040AEC6
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00402AFC 1_2_00402AFC
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00415ABF 1_2_00415ABF
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00420F40 1_2_00420F40
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0041FF50 1_2_0041FF50
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040A728 1_2_0040A728
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 400
Source: GdsGKfLRby.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: GdsGKfLRby.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: GdsGKfLRby.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: GdsGKfLRby.exe, type: SAMPLE Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 00000001.00000000.2103922275.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000001.00000000.2103948547.0000000000422000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000001.00000002.2548478412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: Process Memory Space: GdsGKfLRby.exe PID: 6496, type: MEMORYSTR Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/0
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 1_2_00406084
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00402570 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_00402570
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6496
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3ab78efb-164e-430d-a63c-7038e90018f3
Source: GdsGKfLRby.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: GdsGKfLRby.exe ReversingLabs: Detection: 97%
Source: GdsGKfLRby.exe Virustotal: Detection: 87%
Source: unknown Process created: C:\Users\user\Desktop\GdsGKfLRby.exe "C:\Users\user\Desktop\GdsGKfLRby.exe"
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 400
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc, 1_2_00408417
Source: GdsGKfLRby.exe Static PE information: real checksum: 0x2be0d should be: 0x307b4
Source: GdsGKfLRby.exe Static PE information: section name: .eh_fram
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040DCE9 push ecx; mov dword ptr [esp], 00423976h 1_2_0040DD9F
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah 1_2_0040DDD9
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040DCE9 push edx; mov dword ptr [esp], 00423997h 1_2_0040DDF7
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040DCE9 push edx; mov dword ptr [esp], esi 1_2_0040E394
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040A4BC push esi; mov dword ptr [esp], 00423347h 1_2_0040A543
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00409953 push edi; mov dword ptr [esp], 00000091h 1_2_00409980
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00409953 push ebp; mov dword ptr [esp], 00000090h 1_2_0040998D
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00411D8C push edx; mov dword ptr [esp], edi 1_2_00412058
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00409E61 push eax; mov dword ptr [esp], ebx 1_2_00409FDE
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00406E04 push ecx; mov dword ptr [esp], ebx 1_2_00406E69
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040262F push edx; mov dword ptr [esp], edi 1_2_004027C8
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040262F push edx; mov dword ptr [esp], edi 1_2_00402815
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040262F push edx; mov dword ptr [esp], edi 1_2_004029B2
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_004146E1 push eax; mov dword ptr [esp], ebx 1_2_0041470B
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040970C push eax; mov dword ptr [esp], 0042B4A0h 1_2_004097B9
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\GdsGKfLRby.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\GdsGKfLRby.exe API coverage: 0.6 %
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 1_2_00406453
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 1_2_0040680D
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 1_2_0040753D
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 1_2_00413A85
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 1_2_0040DB1C
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 1_2_00406F83
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 1_2_00406390
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 1_2_00406084
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_004132E6 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics, 1_2_004132E6
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: GdsGKfLRby.exe, 00000001.00000002.2548942981.000000000064E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\GdsGKfLRby.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\GdsGKfLRby.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc, 1_2_00408417
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_004121C0 keybd_event, 1_2_004121C0
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_004121EF SetCursorPos,mouse_event, 1_2_004121EF
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_0040A115 GetLocalTime, 1_2_0040A115
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_004130E8 GetUserNameW,WideCharToMultiByte, 1_2_004130E8
Source: C:\Users\user\Desktop\GdsGKfLRby.exe Code function: 1_2_004132E6 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics, 1_2_004132E6
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe

Remote Access Functionality

Source: Yara match File source: GdsGKfLRby.exe, type: SAMPLE
Source: Yara match File source: 1.0.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GdsGKfLRby.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2548641285.0000000000423000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.2103948547.0000000000422000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GdsGKfLRby.exe PID: 6496, type: MEMORYSTR
No contacted IP infos