Analysis Report Order03092020_pdf.exe

Overview

General Information

Sample Name: Order03092020_pdf.exe
Analysis ID: 281395
MD5: 4d9e6608c7140b33bdf732e5912a0743
SHA1: 55d8174aa4e440cf4fc02b83144138fd0ac8431b
SHA256: 341f33c1103bf6340261fe146a5bded870d67a30e6a55ad9ef503fad17f33e60

Most interesting Screenshot:

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Order03092020_pdf.exe (PID: 6596 cmdline: 'C:\Users\user\Desktop\Order03092020_pdf.exe' MD5: 4D9E6608C7140B33BDF732E5912A0743)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: Order03092020_pdf.exe PID: 6596 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: Order03092020_pdf.exe PID: 6596 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Order03092020_pdf.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Order03092020_pdf.exe | Virustotal: Detection: 31%
Source: Order03092020_pdf.exe, 00000000.00000002.436642409.000000000073A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Order03092020_pdf.exe
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00401E5C | 0_2_00401E5C
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: String function: 004014FC appears 31 times
Source: Order03092020_pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Order03092020_pdf.exe, 00000000.00000000.169773889.0000000000412000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamecetsb.exe vs Order03092020_pdf.exe
Source: Order03092020_pdf.exe, 00000000.00000002.436594303.0000000000700000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Order03092020_pdf.exe
Source: Order03092020_pdf.exe, 00000000.00000002.436843357.00000000020D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamecetsb.exeFE2XWhiteh vs Order03092020_pdf.exe
Source: Order03092020_pdf.exe | Binary or memory string: OriginalFilenamecetsb.exe vs Order03092020_pdf.exe
Source: classification engine | Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0
Source: Order03092020_pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Order03092020_pdf.exe | Virustotal: Detection: 31%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: Order03092020_pdf.exe PID: 6596, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: Order03092020_pdf.exe PID: 6596, type: MEMORY
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00404448 pushfd ; ret | 0_2_0040444B
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_0040585C pushfd ; ret | 0_2_0040585F
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00405064 pushfd ; ret | 0_2_0040506B
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00405867 pushfd ; ret | 0_2_0040586F
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00406C6A pushfd ; ret | 0_2_00406C6B
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_0040506D pushfd ; ret | 0_2_0040507B
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_0040546D pushfd ; ret | 0_2_0040541B
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00405C0A pushfd ; ret | 0_2_00405C0B
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_0040540C pushfd ; ret | 0_2_0040541B
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00405016 pushfd ; ret | 0_2_00405037
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_0040581A pushfd ; ret | 0_2_00405833
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_0040541E pushfd ; ret | 0_2_00405427
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00404825 pushfd ; ret | 0_2_0040482B
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00405834 pushfd ; ret | 0_2_00405843
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_0040483D pushfd ; ret | 0_2_00404843
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_004068C7 pushfd ; ret | 0_2_0040690B
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00404CCA pushfd ; retf | 0_2_00404CCB
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00405CCA pushfd ; ret | 0_2_00405CCB
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00405CCE pushfd ; ret | 0_2_00405CCF
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_004058D2 pushfd ; ret | 0_2_004058D7
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00405CD2 pushfd ; ret | 0_2_00405CD3
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00405CD6 pushfd ; ret | 0_2_00405CD7
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00404CD9 pushfd ; ret | 0_2_00404D3B
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_004050DA pushfd ; ret | 0_2_004050DB
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00405CDA pushfd ; ret | 0_2_00405CDB
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_004054DC pushfd ; ret | 0_2_004054DF
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00405CDE pushfd ; ret | 0_2_00405CDF
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_00405CE1 pushfd ; ret | 0_2_00405CDB
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_004054E2 pushfd ; ret | 0_2_004054E3
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_004058E2 pushfd ; ret | 0_2_004058E3
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_004054E6 pushfd ; ret | 0_2_004054E7
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | RDTSC instruction interceptor: First address: 0000000002202572 second address: 0000000002202572 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a call 00007F9B30A2E2A8h
    0x0000000f lfence
    0x00000012 mov edx, dword ptr [7FFE0014h]
    0x00000018 lfence
    0x0000001b ret
    0x0000001c sub edx, esi
    0x0000001e ret
    0x0000001f pop ecx
    0x00000020 test dl, bl
    0x00000022 add edi, edx
    0x00000024 cmp cx, ax
    0x00000027 dec ecx
    0x00000028 cmp ecx, 00000000h
    0x0000002b jne 00007F9B30A2E28Eh
    0x0000002d push ecx
    0x0000002e call 00007F9B30A2E2BFh
    0x00000033 call 00007F9B30A2E2BAh
    0x00000038 lfence
    0x0000003b mov edx, dword ptr [7FFE0014h]
    0x00000041 lfence
    0x00000044 ret
    0x00000045 mov esi, edx
    0x00000047 pushad
    0x00000048 rdtsc
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_02202A26 rdtsc | 0_2_02202A26
Source: Order03092020_pdf.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_02202A26 rdtsc | 0_2_02202A26
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_0220222D mov eax, dword ptr fs:[00000030h] | 0_2_0220222D
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_02202794 mov eax, dword ptr fs:[00000030h] | 0_2_02202794
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_022013E8 mov eax, dword ptr fs:[00000030h] | 0_2_022013E8
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_02202454 mov eax, dword ptr fs:[00000030h] | 0_2_02202454
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_02200D70 mov eax, dword ptr fs:[00000030h] | 0_2_02200D70
Source: C:\Users\user\Desktop\Order03092020_pdf.exe | Code function: 0_2_02200975 mov eax, dword ptr fs:[00000030h] | 0_2_02200975
Source: Order03092020_pdf.exe, 00000000.00000002.436716574.0000000000CC0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Order03092020_pdf.exe, 00000000.00000002.436716574.0000000000CC0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Order03092020_pdf.exe, 00000000.00000002.436716574.0000000000CC0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Order03092020_pdf.exe, 00000000.00000002.436716574.0000000000CC0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

The matrix is listed here per tactic column; the trailing numbers are the per-technique match counts shown in the report.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Process Injection 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2
Credential Access: Input Capture 1; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery 111; Process Discovery 1; System Information Discovery 11
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Input Capture 1; Archive Collected Data 1; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel 1; Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.