Analysis Report 001982_Invoice_confirmation.exe

Overview

General Information

Sample Name:	001982_Invoice_confirmation.exe
Analysis ID:	337597
MD5:	e0167e6a13fea0d69a43e377fba75af4
SHA1:	03b36796e30e11ebae69edf59fc135fdb6c69233
SHA256:	f67020d5de462a963aeeaae1afe2bba3ba629da38a85a035a9389c454a402d0a
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Potential malicious icon found

Yara detected GuLoader

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

Compliance:

Uses 32bit PE files

Source: 001982_Invoice_confirmation.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Potential malicious icon found

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Executable has a suspicious name (potential lure to open the executable)

Source: 001982_Invoice_confirmation.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 001982_Invoice_confirmation.exe

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe

Process Stats: CPU usage > 98%

Detected potential crypto function

Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe

Code function: 0_2_00401600

0_2_00401600

PE file contains strange resources

Source: 001982_Invoice_confirmation.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: 001982_Invoice_confirmation.exe, 00000000.00000002.1426308273.0000000000416000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRaala.exe vs 001982_Invoice_confirmation.exe
Source: 001982_Invoice_confirmation.exe, 00000000.00000002.1427161222.0000000002090000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 001982_Invoice_confirmation.exe
Source: 001982_Invoice_confirmation.exe	Binary or memory string: OriginalFilenameRaala.exe vs 001982_Invoice_confirmation.exe

Uses 32bit PE files

Source: 001982_Invoice_confirmation.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.rans.troj.evad.winEXE@1/0@0/0

Source: 001982_Invoice_confirmation.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: Process Memory Space: 001982_Invoice_confirmation.exe PID: 7120, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match

File source: Process Memory Space: 001982_Invoice_confirmation.exe PID: 7120, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe

Code function: 0_2_0040597E push AAA4CA0Bh; retf

0_2_004059C0

Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 001982_Invoice_confirmation.exe, 00000000.00000002.1426657754.00000000004F0000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe

RDTSC instruction interceptor: First address: 000000000040433A second address: 000000000040433A instructions: 0x00000000 rdtsc 0x00000002 wait 0x00000003 nop 0x00000004 dec esi 0x00000005 nop 0x00000006 nop 0x00000007 cmp esi, 00000000h 0x0000000a jne 00007FCAB4A39366h 0x0000000c rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe

Code function: 0_2_004F1060 rdtsc

0_2_004F1060

Source: 001982_Invoice_confirmation.exe, 00000000.00000002.1426657754.00000000004F0000.00000040.00000001.sdmp

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe

Code function: 0_2_004F1060 rdtsc

0_2_004F1060

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F1C6F mov eax, dword ptr fs:[00000030h]	0_2_004F1C6F
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F1C6D mov eax, dword ptr fs:[00000030h]	0_2_004F1C6D
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F4CC8 mov eax, dword ptr fs:[00000030h]	0_2_004F4CC8
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F516B mov eax, dword ptr fs:[00000030h]	0_2_004F516B
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F2D97 mov eax, dword ptr fs:[00000030h]	0_2_004F2D97
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F164F mov eax, dword ptr fs:[00000030h]	0_2_004F164F
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F1ED7 mov eax, dword ptr fs:[00000030h]	0_2_004F1ED7
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F1ED1 mov eax, dword ptr fs:[00000030h]	0_2_004F1ED1
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F5AEA mov eax, dword ptr fs:[00000030h]	0_2_004F5AEA
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F5AE0 mov eax, dword ptr fs:[00000030h]	0_2_004F5AE0
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F5B46 mov eax, dword ptr fs:[00000030h]	0_2_004F5B46
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F5B06 mov eax, dword ptr fs:[00000030h]	0_2_004F5B06
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F1F00 mov eax, dword ptr fs:[00000030h]	0_2_004F1F00
Source: C:\Users\user\Desktop\001982_Invoice_confirmation.exe	Code function: 0_2_004F5B27 mov eax, dword ptr fs:[00000030h]	0_2_004F5B27

Source: 001982_Invoice_confirmation.exe, 00000000.00000002.1426938215.0000000000C50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: 001982_Invoice_confirmation.exe, 00000000.00000002.1426938215.0000000000C50000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: 001982_Invoice_confirmation.exe, 00000000.00000002.1426938215.0000000000C50000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: 001982_Invoice_confirmation.exe, 00000000.00000002.1426938215.0000000000C50000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	337597
Product:	CloudBasic
Start time:	20:08:39
Start date:	08.01.2021
Sample:	001982_Invoice_confirmation.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	e0167e6a13fea0d69a43e377fba75af4
SHA1:	03b36796e30e11ebae69edf59fc135fdb6c69233
SHA256:	f67020d5de462a963aeeaae1afe2bba3ba629da38a85a035a9389c454a402d0a
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Analysis Report 001982_Invoice_confirmation.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map