Analysis Report 15790_Invoice_confirmation.exe

Overview

General Information

Sample Name: 15790_Invoice_confirmation.exe
Analysis ID: 337718
MD5: 9090a8a77646971374cea3112aa3beed
SHA1: bfd3e70ce4230d04e97a9ed394bfabf287a5bfe7
SHA256: c4e0e2bc76880e6144bbc96ad64e55bd10f6f66805ccfd5a86c36182201372eb
Tags: exe, GuLoader

Errors
  • Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Potential malicious icon found
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Compliance:

Uses 32bit PE files
Source: 15790_Invoice_confirmation.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389175473.00000000006CA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Executable has a suspicious name (potential lure to open the executable)
Source: 15790_Invoice_confirmation.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: 15790_Invoice_confirmation.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_00401600 0_2_00401600
PE file contains strange resources
Source: 15790_Invoice_confirmation.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameklist.exe vs 15790_Invoice_confirmation.exe
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389068575.0000000000600000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 15790_Invoice_confirmation.exe
Source: 15790_Invoice_confirmation.exe Binary or memory string: OriginalFilenameklist.exe vs 15790_Invoice_confirmation.exe
Uses 32bit PE files
Source: 15790_Invoice_confirmation.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0
Source: 15790_Invoice_confirmation.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: 15790_Invoice_confirmation.exe PID: 5668, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: 15790_Invoice_confirmation.exe PID: 5668, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_00407878 push 6B7AF3E2h; ret 0_2_004078A6
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_0040A438 pushad ; retf 0_2_0040A443
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_0040903B push FFFFFFEBh; ret 0_2_0040903F
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_004058D8 push ebx; iretd 0_2_004058E9
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_004058EB push ebx; iretd 0_2_004058E9
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_0040A4F9 push ebx; retf 0_2_0040A570
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_0040A572 push ebx; retf 0_2_0040A570
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_00407181 push FFFFFFEBh; ret 0_2_00407183
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_00407E5C pushfd ; ret 0_2_00407E6D
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_00407EA9 pushfd ; ret 0_2_00407E6D
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_0040775D push 6B7AF3E2h; ret 0_2_004078A6
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_0040A72F push esi; ret 0_2_0040A732
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_0040A7D2 push ebp; ret 0_2_0040A7E2
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_00635D00 push eax; ret 0_2_00635D01
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe RDTSC instruction interceptor: First address: 000000000040433A second address: 000000000040433A instructions:
  0x00000000 rdtsc
  0x00000002 nop
  0x00000003 nop
  0x00000004 dec esi
  0x00000005 nop
  0x00000006 nop
  0x00000007 cmp esi, 00000000h
  0x0000000a jne 00007F9CE8932DB6h
  0x0000000c rdtsc
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe RDTSC instruction interceptor: First address: 0000000000633264 second address: 0000000000633264 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a call 00007F9CE8936B98h
  0x0000000f lfence
  0x00000012 mov edx, dword ptr [7FFE0014h]
  0x00000018 lfence
  0x0000001b ret
  0x0000001c sub edx, esi
  0x0000001e ret
  0x0000001f pop ecx
  0x00000020 add edi, edx
  0x00000022 jmp 00007F9CE8936B9Eh
  0x00000024 test bh, ah
  0x00000026 dec ecx
  0x00000027 cmp ecx, 00000000h
  0x0000002a jne 00007F9CE8936B73h
  0x0000002c push ecx
  0x0000002d call 00007F9CE8936BDEh
  0x00000032 call 00007F9CE8936BAAh
  0x00000037 lfence
  0x0000003a mov edx, dword ptr [7FFE0014h]
  0x00000040 lfence
  0x00000043 ret
  0x00000044 mov esi, edx
  0x00000046 pushad
  0x00000047 rdtsc
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 15790_Invoice_confirmation.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe RDTSC instruction interceptor: First address: 000000000040433A second address: 000000000040433A instructions:
  0x00000000 rdtsc
  0x00000002 nop
  0x00000003 nop
  0x00000004 dec esi
  0x00000005 nop
  0x00000006 nop
  0x00000007 cmp esi, 00000000h
  0x0000000a jne 00007F9CE8932DB6h
  0x0000000c rdtsc
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe RDTSC instruction interceptor: First address: 0000000000633264 second address: 0000000000633264 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a call 00007F9CE8936B98h
  0x0000000f lfence
  0x00000012 mov edx, dword ptr [7FFE0014h]
  0x00000018 lfence
  0x0000001b ret
  0x0000001c sub edx, esi
  0x0000001e ret
  0x0000001f pop ecx
  0x00000020 add edi, edx
  0x00000022 jmp 00007F9CE8936B9Eh
  0x00000024 test bh, ah
  0x00000026 dec ecx
  0x00000027 cmp ecx, 00000000h
  0x0000002a jne 00007F9CE8936B73h
  0x0000002c push ecx
  0x0000002d call 00007F9CE8936BDEh
  0x00000032 call 00007F9CE8936BAAh
  0x00000037 lfence
  0x0000003a mov edx, dword ptr [7FFE0014h]
  0x00000040 lfence
  0x00000043 ret
  0x00000044 mov esi, edx
  0x00000046 pushad
  0x00000047 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_0063347D rdtsc 0_2_0063347D
Source: 15790_Invoice_confirmation.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_0063347D rdtsc 0_2_0063347D
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_0063507E mov eax, dword ptr fs:[00000030h] 0_2_0063507E
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_00634C05 mov eax, dword ptr fs:[00000030h] 0_2_00634C05
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_006330D4 mov eax, dword ptr fs:[00000030h] 0_2_006330D4
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_00631CDD mov eax, dword ptr fs:[00000030h] 0_2_00631CDD
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_00631D05 mov eax, dword ptr fs:[00000030h] 0_2_00631D05
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe Code function: 0_2_0063171E mov eax, dword ptr fs:[00000030h] 0_2_0063171E
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389313697.0000000000D50000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389313697.0000000000D50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389313697.0000000000D50000.00000002.00000001.sdmp Binary or memory string: Progman
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389313697.0000000000D50000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Behavior Graph

Behavior Graph ID: 337718
Sample: 15790_Invoice_confirmation.exe
Startdate: 09/01/2021
Architecture: WINDOWS
Score: 80

Signatures on the initial sample:
  • Potential malicious icon found
  • Yara detected GuLoader
  • Executable has a suspicious name (potential lure to open the executable)
  • 3 other signatures

Process started: 15790_Invoice_confirmation.exe

Signatures on the started process:
  • Detected RDTSC dummy instruction sequence (likely for instruction hammering)
  • Tries to detect virtualization through RDTSC time measurements
No contacted IP information