Analysis Report AAN2101002-V017..exe

Overview

General Information

Sample Name: AAN2101002-V017..exe
Analysis ID: 337920
MD5: ef80587c41c329e507f7ad9b24037b67
SHA1: 12eee83a37b047af4610032fb3413ff3886e2080
SHA256: f2b2f10c3c65d8f81641b20ebbf91ca7da5ba685282b24677a4c5561758f7226
Tags: exeGuLoader

Most interesting Screenshot:

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Potential time zone aware malware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: AAN2101002-V017..exe Virustotal: Detection: 11% Perma Link

Compliance:

barindex
Uses 32bit PE files
Source: AAN2101002-V017..exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

barindex
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_0040CEDB 0_2_0040CEDB
PE file contains strange resources
Source: AAN2101002-V017..exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: AAN2101002-V017..exe, 00000000.00000000.228543860.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesubcasino.exe vs AAN2101002-V017..exe
Source: AAN2101002-V017..exe, 00000000.00000002.1225434392.00000000020A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs AAN2101002-V017..exe
Source: AAN2101002-V017..exe Binary or memory string: OriginalFilenamesubcasino.exe vs AAN2101002-V017..exe
Uses 32bit PE files
Source: AAN2101002-V017..exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\AAN2101002-V017..exe File created: C:\Users\user\AppData\Local\Temp\~DF7E8BA7E2AA2205F3.TMP Jump to behavior
Source: AAN2101002-V017..exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: AAN2101002-V017..exe Virustotal: Detection: 11%

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: Process Memory Space: AAN2101002-V017..exe PID: 1064, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: AAN2101002-V017..exe PID: 1064, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_0040F877 push cs; ret 0_2_0040F8C6
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_0040BC14 push cs; retf 0_2_0040BC32
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_0040B02B push cs; retf 0_2_0040B02E
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_0040D519 push eax; iretd 0_2_0040D51A
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_0040F70F push cs; ret 0_2_0040F8C6
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_0040F39D push edx; retf 0_2_0040F39E
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D5201 0_2_020D5201
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D7248 0_2_020D7248
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D1A9C 0_2_020D1A9C
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D2A9E 0_2_020D2A9E
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D72A6 0_2_020D72A6
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D32FD 0_2_020D32FD
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D7317 0_2_020D7317
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D2B28 0_2_020D2B28
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D2BA5 0_2_020D2BA5
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D1813 0_2_020D1813
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D6C79 0_2_020D6C79
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D2C87 0_2_020D2C87
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D2CF2 0_2_020D2CF2
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D2D7C 0_2_020D2D7C
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D5D89 0_2_020D5D89
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D61B3 0_2_020D61B3
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D71D9 0_2_020D71D9
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D2DD4 0_2_020D2DD4
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D71D7 0_2_020D71D7
Potential time zone aware malware
Source: C:\Users\user\Desktop\AAN2101002-V017..exe System information queried: CurrentTimeZoneInformation Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: AAN2101002-V017..exe, 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\AAN2101002-V017..exe RDTSC instruction interceptor: First address: 00000000020D37CF second address: 00000000020D37CF instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FA3A0B0F2B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e nop 0x0000001f jmp 00007FA3A0B0F2DEh 0x00000021 cmp cx, cx 0x00000024 add edi, edx 0x00000026 cmp ecx, eax 0x00000028 dec ecx 0x00000029 test eax, D4DD871Eh 0x0000002e cmp ecx, 00000000h 0x00000031 jne 00007FA3A0B0F260h 0x00000033 test eax, E413EFD2h 0x00000038 push ecx 0x00000039 test eax, ebx 0x0000003b test dl, FFFFFFBDh 0x0000003e call 00007FA3A0B0F30Ch 0x00000043 call 00007FA3A0B0F2C8h 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D7E0D rdtsc 0_2_020D7E0D
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: AAN2101002-V017..exe, 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D7E0D rdtsc 0_2_020D7E0D
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D225F mov eax, dword ptr fs:[00000030h] 0_2_020D225F
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D62B2 mov eax, dword ptr fs:[00000030h] 0_2_020D62B2
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D1F97 mov eax, dword ptr fs:[00000030h] 0_2_020D1F97
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D689A mov eax, dword ptr fs:[00000030h] 0_2_020D689A
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D24BF mov eax, dword ptr fs:[00000030h] 0_2_020D24BF
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D24D2 mov eax, dword ptr fs:[00000030h] 0_2_020D24D2
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D35C1 mov eax, dword ptr fs:[00000030h] 0_2_020D35C1
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D35C3 mov eax, dword ptr fs:[00000030h] 0_2_020D35C3
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D71D9 mov eax, dword ptr fs:[00000030h] 0_2_020D71D9
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D71D7 mov eax, dword ptr fs:[00000030h] 0_2_020D71D7
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\AAN2101002-V017..exe Code function: 0_2_020D69A8 cpuid 0_2_020D69A8
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337920 Sample: AAN2101002-V017..exe Startdate: 11/01/2021 Architecture: WINDOWS Score: 80 8 Multi AV Scanner detection for submitted file 2->8 10 Yara detected GuLoader 2->10 12 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->12 14 Yara detected VB6 Downloader Generic 2->14 5 AAN2101002-V017..exe 1 2->5         started        process3 signatures4 16 Contains functionality to detect hardware virtualization (CPUID execution measurement) 5->16 18 Found potential dummy code loops (likely to delay analysis) 5->18 20 Tries to detect virtualization through RDTSC time measurements 5->20 22 Potential time zone aware malware 5->22
No contacted IP infos