Analysis Report 964309_Invoice_confirmation.exe

Overview

General Information

Sample Name: 964309_Invoice_confirmation.exe
Analysis ID: 337282
MD5: 84f07fb808c942462f3ab00c17782217
SHA1: b9044a839436619055ce9350d75293a2b28bb194
SHA256: 02553b25344fd73b18ed90ab5fc8e9c11100734b429e90a0527cbc1aed79e6bd
Tags: exe, GuLoader

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 964309_Invoice_confirmation.exe ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: 964309_Invoice_confirmation.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Executable has a suspicious name (potential lure to open the executable)
Source: 964309_Invoice_confirmation.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: 964309_Invoice_confirmation.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: 964309_Invoice_confirmation.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 964309_Invoice_confirmation.exe, 00000001.00000000.673641824.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBrneko.exe vs 964309_Invoice_confirmation.exe
Source: 964309_Invoice_confirmation.exe, 00000001.00000002.1843983752.00000000021D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 964309_Invoice_confirmation.exe
Source: 964309_Invoice_confirmation.exe Binary or memory string: OriginalFilenameBrneko.exe vs 964309_Invoice_confirmation.exe
Uses 32bit PE files
Source: 964309_Invoice_confirmation.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0
Source: 964309_Invoice_confirmation.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 964309_Invoice_confirmation.exe ReversingLabs: Detection: 13%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: 964309_Invoice_confirmation.exe PID: 3484, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: 964309_Invoice_confirmation.exe PID: 3484, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00402420 push esi; iretd 1_2_0040243E
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_004078C7 push cs; retf 1_2_004078DE
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00407544 push edi; retf 1_2_0040756A
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00401657 push esi; iretd 1_2_00401663
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00408B03 push ds; retf 1_2_00408B0E
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00404BD9 push esp; retf 1_2_00404BDA
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_004077B8 push ss; iretd 1_2_004077F1
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00425892 push 61000010h; ret 1_2_0042589F
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 964309_Invoice_confirmation.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe RDTSC instruction interceptor: First address: 000000000040433B second address: 000000000040433B
Instructions:
  0x00000000 rdtsc
  0x00000002 wait
  0x00000003 nop
  0x00000004 dec esi
  0x00000005 nop
  0x00000006 nop
  0x00000007 cmp esi, 00000000h
  0x0000000a jne 00007F3DA0B9EEE6h
  0x0000000c rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_004041EB rdtsc 1_2_004041EB
Source: 964309_Invoice_confirmation.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_004041EB rdtsc 1_2_004041EB
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_0042505B mov eax, dword ptr fs:[00000030h] 1_2_0042505B
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00425A51 mov eax, dword ptr fs:[00000030h] 1_2_00425A51
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00425A6A mov eax, dword ptr fs:[00000030h] 1_2_00425A6A
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00424A0A mov eax, dword ptr fs:[00000030h] 1_2_00424A0A
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00425A33 mov eax, dword ptr fs:[00000030h] 1_2_00425A33
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00425A39 mov eax, dword ptr fs:[00000030h] 1_2_00425A39
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00425AA5 mov eax, dword ptr fs:[00000030h] 1_2_00425AA5
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_00422EEF mov eax, dword ptr fs:[00000030h] 1_2_00422EEF
Source: 964309_Invoice_confirmation.exe, 00000001.00000002.1843804110.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: 964309_Invoice_confirmation.exe, 00000001.00000002.1843804110.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: 964309_Invoice_confirmation.exe, 00000001.00000002.1843804110.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: 964309_Invoice_confirmation.exe, 00000001.00000002.1843804110.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe Code function: 1_2_0042375C cpuid 1_2_0042375C

Behavior Graph

Behavior Graph ID: 337282
Sample: 964309_Invoice_confirmation.exe
Startdate: 08/01/2021
Architecture: WINDOWS
Score: 84

Signatures shown in the graph:
  • Potential malicious icon found
  • Multi AV Scanner detection for submitted file
  • Yara detected GuLoader
  • 4 other signatures
  • Process started: 964309_Invoice_confirmation.exe
  • Tries to detect virtualization through RDTSC time measurements
No contacted IP infos