
Analysis Report req 20934083.exe

Overview

General Information

Sample Name: req 20934083.exe
Analysis ID: 315910
MD5: 73a1bfc69007e21a2a148a1a32746e40
SHA1: 375f489b909e6af4d0addf408c9e4fbd623a0def
SHA256: d2a452a7cb994221f40bb1226409297b5f2ef21ee6502310c29c8ce86865346a
Tags: GuLoader

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Potential malicious icon found
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • req 20934083.exe (PID: 7116 cmdline: 'C:\Users\user\Desktop\req 20934083.exe' MD5: 73A1BFC69007E21A2A148A1A32746E40)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: req 20934083.exe PID: 7116 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: req 20934083.exe PID: 7116 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\req 20934083.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E8FCC NtProtectVirtualMemory, 0_2_020E8FCC
Source: req 20934083.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: req 20934083.exe, 00000000.00000002.599751622.00000000020A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs req 20934083.exe
Source: req 20934083.exe, 00000000.00000000.333723900.0000000000411000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRokokostil3.exe vs req 20934083.exe
Source: req 20934083.exe | Binary or memory string: OriginalFilenameRokokostil3.exe vs req 20934083.exe
Source: classification engine | Classification label: mal72.rans.troj.evad.winEXE@1/0@0/0
Source: req 20934083.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\req 20934083.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\req 20934083.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: req 20934083.exe PID: 7116, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: req 20934083.exe PID: 7116, type: MEMORY
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_0040E45A push eax; ret 0_2_0040E499
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_00403B18 pushad ; iretd 0_2_00403B45
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E12EF push esi; ret 0_2_020E12F1
Source: C:\Users\user\Desktop\req 20934083.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: req 20934083.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\req 20934083.exe | RDTSC instruction interceptor: First address: 00000000020E6E13, second address: 00000000020E70A2, instructions:
  0x00000000 rdtsc
  0x00000002 popad
  0x00000003 mov ecx, dword ptr [eax+24h]
  0x00000006 mov dword ptr [ebp+10h], ecx
  0x00000009 mov esi, dword ptr [eax+20h]
  0x0000000c jmp 00007F5A0CB974CEh
  0x0000000e test cx, bx
  0x00000011 add esi, dword ptr [ebp+04h]
  0x00000014 xor ecx, ecx
  0x00000016 jmp 00007F5A0CB974C6h
  0x00000018 test ecx, eax
  0x0000001a mov edx, dword ptr [esi]
  0x0000001c add edx, dword ptr [ebp+04h]
  0x0000001f jmp 00007F5A0CB974D2h
  0x00000021 test edx, ebx
  0x00000023 push ecx
  0x00000024 push esi
  0x00000025 push edx
  0x00000026 call 00007F5A0CB975F4h
  0x0000002b jmp 00007F5A0CB974CEh
  0x0000002d test bh, ch
  0x0000002f mov esi, dword ptr [esp+04h]
  0x00000033 jmp 00007F5A0CB974C6h
  0x00000035 cmp dh, ah
  0x00000037 mov eax, 00001505h
  0x0000003c jmp 00007F5A0CB974CEh
  0x0000003e pushad
  0x0000003f mov esi, 00000041h
  0x00000044 rdtsc
Source: C:\Users\user\Desktop\req 20934083.exe | RDTSC instruction interceptor: First address: 00000000020E6F52, second address: 00000000020E70A2, instructions:
  0x00000000 rdtsc
  0x00000002 popad
  0x00000003 add esi, 04h
  0x00000006 inc ecx
  0x00000007 cmp ecx, dword ptr [ebp+08h]
  0x0000000a jne 00007F5A0CBF7DD1h
  0x00000010 mov edx, dword ptr [esi]
  0x00000012 add edx, dword ptr [ebp+04h]
  0x00000015 jmp 00007F5A0CBF7EE2h
  0x00000017 test edx, ebx
  0x00000019 push ecx
  0x0000001a push esi
  0x0000001b push edx
  0x0000001c call 00007F5A0CBF8004h
  0x00000021 jmp 00007F5A0CBF7EDEh
  0x00000023 test bh, ch
  0x00000025 mov esi, dword ptr [esp+04h]
  0x00000029 jmp 00007F5A0CBF7ED6h
  0x0000002b cmp dh, ah
  0x0000002d mov eax, 00001505h
  0x00000032 jmp 00007F5A0CBF7EDEh
  0x00000034 pushad
  0x00000035 mov esi, 00000041h
  0x0000003a rdtsc
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E460D rdtsc 0_2_020E460D
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: req 20934083.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\req 20934083.exe | Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E460D rdtsc 0_2_020E460D
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E4278 mov eax, dword ptr fs:[00000030h] 0_2_020E4278
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E76C9 mov eax, dword ptr fs:[00000030h] 0_2_020E76C9
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E3063 mov eax, dword ptr fs:[00000030h] 0_2_020E3063
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E307E mov eax, dword ptr fs:[00000030h] 0_2_020E307E
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E849B mov eax, dword ptr fs:[00000030h] 0_2_020E849B
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E84B5 mov eax, dword ptr fs:[00000030h] 0_2_020E84B5
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E30C9 mov eax, dword ptr fs:[00000030h] 0_2_020E30C9
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E2CDC mov eax, dword ptr fs:[00000030h] 0_2_020E2CDC
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E84D9 mov eax, dword ptr fs:[00000030h] 0_2_020E84D9
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E2CF5 mov eax, dword ptr fs:[00000030h] 0_2_020E2CF5
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E850F mov eax, dword ptr fs:[00000030h] 0_2_020E850F
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E2D51 mov eax, dword ptr fs:[00000030h] 0_2_020E2D51
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E696A mov eax, dword ptr fs:[00000030h] 0_2_020E696A
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E8567 mov eax, dword ptr fs:[00000030h] 0_2_020E8567
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E25C1 mov eax, dword ptr fs:[00000030h] 0_2_020E25C1
Source: C:\Users\user\Desktop\req 20934083.exe | Code function: 0_2_020E85C1 mov eax, dword ptr fs:[00000030h] 0_2_020E85C1
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: req 20934083.exe, 00000000.00000002.599528561.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: req 20934083.exe, 00000000.00000002.599528561.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: req 20934083.exe, 00000000.00000002.599528561.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: req 20934083.exe, 00000000.00000002.599528561.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (1) | Virtualization/Sandbox Evasion (11) | OS Credential Dumping | Security Software Discovery (311) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (1) | LSASS Memory | Virtualization/Sandbox Evasion (11) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery (11) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

Behavior Graph

[Behavior graph image and its legend are not reproduced in this text export.]
