
Analysis Report Beyan.PDF.exe

Overview

General Information

Sample Name: Beyan.PDF.exe
Analysis ID: 251362
MD5: ba7efb74c2a46d8f8b9bcbae0a271d53
SHA1: 27582e288bfb89a691c441c210989197050148e7
SHA256: 5e7c67a0d5053360b4769443d8a068525c53196b52203feec9e7d533e44db169

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Beyan.PDF.exe (PID: 4916 cmdline: 'C:\Users\user\Desktop\Beyan.PDF.exe' MD5: BA7EFB74C2A46D8F8B9BCBAE0A271D53)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: Beyan.PDF.exe PID: 4916
Rule: JoeSecurity_GuLoader
Description: Yara detected GuLoader
Author: Joe Security
Strings: (none)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: Beyan.PDF.exe | Virustotal: Detection: 22%
Source: Beyan.PDF.exe | ReversingLabs: Detection: 16%

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Beyan.PDF.exe
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Process Stats: CPU usage > 98%
Source: Beyan.PDF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Beyan.PDF.exe, 00000000.00000002.864607457.0000000002970000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRUSTICOATDETECTABLYSWA.exeFE2X vs Beyan.PDF.exe
Source: Beyan.PDF.exe, 00000000.00000000.436285020.0000000000413000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRUSTICOATDETECTABLYSWA.exe vs Beyan.PDF.exe
Source: Beyan.PDF.exe, 00000000.00000002.863196957.00000000021B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Beyan.PDF.exe
Source: Beyan.PDF.exe | Binary or memory string: OriginalFilenameRUSTICOATDETECTABLYSWA.exe vs Beyan.PDF.exe
Source: classification engine | Classification label: mal76.rans.troj.evad.winEXE@1/0@0/0
Source: Beyan.PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: Beyan.PDF.exe PID: 4916, type: MEMORY
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_0040784A push ebx; ret 0_2_00407870
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_0040B623 push eax; retf 0_2_0040B642
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_0040C0CF pushfd ; ret 0_2_0040C09C
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_00407ADF push eax; ret 0_2_00407AE0
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_0040C097 pushfd ; ret 0_2_0040C09C
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_0040C138 push esp; ret 0_2_0040C159
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_00409FAA push ebp; ret 0_2_00409FAB

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe | Static PE information: Beyan.PDF.exe
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Process information set: NOOPENFILEERRORBOX (reported 7 times)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Beyan.PDF.exe | RDTSC instruction interceptor: First address: 00000000021E8A63 second address: 00000000021E8A63 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a ret
    0x0000000b mov esi, edx
    0x0000000d pushad
    0x0000000e mov eax, 00000001h
    0x00000013 cpuid
    0x00000015 bt ecx, 1Fh
    0x00000019 jc 00007FDBFCCB516Dh
    0x0000001f popad
    0x00000020 call 00007FDBFCCB4FFCh
    0x00000025 lfence
    0x00000028 rdtsc
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_021E8A60 rdtsc 0_2_021E8A60 (reported twice)
Source: Beyan.PDF.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_021E3211 mov eax, dword ptr fs:[00000030h] 0_2_021E3211
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_021E2495 mov eax, dword ptr fs:[00000030h] 0_2_021E2495
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_021E4CC9 mov eax, dword ptr fs:[00000030h] 0_2_021E4CC9
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_021E36C4 mov eax, dword ptr fs:[00000030h] 0_2_021E36C4
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_021E3722 mov eax, dword ptr fs:[00000030h] 0_2_021E3722
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_021E379F mov eax, dword ptr fs:[00000030h] 0_2_021E379F
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_021E31BE mov eax, dword ptr fs:[00000030h] 0_2_021E31BE
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_021E83B4 mov eax, dword ptr fs:[00000030h] 0_2_021E83B4
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_021E7BD6 mov eax, dword ptr fs:[00000030h] 0_2_021E7BD6
Source: C:\Users\user\Desktop\Beyan.PDF.exe | Code function: 0_2_021E91C7 mov eax, dword ptr fs:[00000030h] 0_2_021E91C7
Source: Beyan.PDF.exe, 00000000.00000002.862901333.0000000000D40000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Beyan.PDF.exe, 00000000.00000002.862901333.0000000000D40000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Beyan.PDF.exe, 00000000.00000002.862901333.0000000000D40000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Beyan.PDF.exe, 00000000.00000002.862901333.0000000000D40000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Techniques listed per tactic; digits in parentheses are the matched-signature counts shown as superscripts in the original matrix.

  • Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
  • Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation
  • Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
  • Privilege Escalation: Process Injection (1); Accessibility Features; Path Interception
  • Defense Evasion: Masquerading (1); Process Injection (1); Obfuscated Files or Information (11)
  • Credential Access: Credential Dumping; Network Sniffing; Input Capture
  • Discovery: Process Discovery (1); Security Software Discovery (111); System Information Discovery (11)
  • Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
  • Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.