Loading ...

Play interactive tourEdit tour

Analysis Report AAN2101002-V017..exe

Overview

General Information

Sample Name:AAN2101002-V017..exe
Analysis ID:337920
MD5:ef80587c41c329e507f7ad9b24037b67
SHA1:12eee83a37b047af4610032fb3413ff3886e2080
SHA256:f2b2f10c3c65d8f81641b20ebbf91ca7da5ba685282b24677a4c5561758f7226
Tags:exeGuLoader

Most interesting Screenshot:

Detection

GuLoader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Potential time zone aware malware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • AAN2101002-V017..exe (PID: 1064 cmdline: 'C:\Users\user\Desktop\AAN2101002-V017..exe' MD5: EF80587C41C329E507F7AD9B24037B67)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: AAN2101002-V017..exe PID: 1064JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
    Process Memory Space: AAN2101002-V017..exe PID: 1064JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: AAN2101002-V017..exeVirustotal: Detection: 11%Perma Link
      Source: AAN2101002-V017..exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeProcess Stats: CPU usage > 98%
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_0040CEDB0_2_0040CEDB
      Source: AAN2101002-V017..exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: AAN2101002-V017..exe, 00000000.00000000.228543860.0000000000416000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamesubcasino.exe vs AAN2101002-V017..exe
      Source: AAN2101002-V017..exe, 00000000.00000002.1225434392.00000000020A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs AAN2101002-V017..exe
      Source: AAN2101002-V017..exeBinary or memory string: OriginalFilenamesubcasino.exe vs AAN2101002-V017..exe
      Source: AAN2101002-V017..exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: classification engineClassification label: mal80.troj.evad.winEXE@1/0@0/0
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeFile created: C:\Users\user\AppData\Local\Temp\~DF7E8BA7E2AA2205F3.TMPJump to behavior
      Source: AAN2101002-V017..exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: AAN2101002-V017..exeVirustotal: Detection: 11%

      Data Obfuscation:

      barindex
      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: Process Memory Space: AAN2101002-V017..exe PID: 1064, type: MEMORY
      Yara detected VB6 Downloader GenericShow sources
      Source: Yara matchFile source: Process Memory Space: AAN2101002-V017..exe PID: 1064, type: MEMORY
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_0040F877 push cs; ret 0_2_0040F8C6
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_0040BC14 push cs; retf 0_2_0040BC32
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_0040B02B push cs; retf 0_2_0040B02E
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_0040D519 push eax; iretd 0_2_0040D51A
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_0040F70F push cs; ret 0_2_0040F8C6
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_0040F39D push edx; retf 0_2_0040F39E
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D5201 0_2_020D5201
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D7248 0_2_020D7248
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D1A9C 0_2_020D1A9C
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D2A9E 0_2_020D2A9E
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D72A6 0_2_020D72A6
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D32FD 0_2_020D32FD
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D7317 0_2_020D7317
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D2B28 0_2_020D2B28
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D2BA5 0_2_020D2BA5
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D1813 0_2_020D1813
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D6C79 0_2_020D6C79
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D2C87 0_2_020D2C87
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D2CF2 0_2_020D2CF2
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D2D7C 0_2_020D2D7C
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D5D89 0_2_020D5D89
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D61B3 0_2_020D61B3
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D71D9 0_2_020D71D9
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D2DD4 0_2_020D2DD4
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D71D7 0_2_020D71D7
      Potential time zone aware malwareShow sources
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeSystem information queried: CurrentTimeZoneInformationJump to behavior
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: AAN2101002-V017..exe, 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeRDTSC instruction interceptor: First address: 00000000020D37CF second address: 00000000020D37CF instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FA3A0B0F2B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e nop 0x0000001f jmp 00007FA3A0B0F2DEh 0x00000021 cmp cx, cx 0x00000024 add edi, edx 0x00000026 cmp ecx, eax 0x00000028 dec ecx 0x00000029 test eax, D4DD871Eh 0x0000002e cmp ecx, 00000000h 0x00000031 jne 00007FA3A0B0F260h 0x00000033 test eax, E413EFD2h 0x00000038 push ecx 0x00000039 test eax, ebx 0x0000003b test dl, FFFFFFBDh 0x0000003e call 00007FA3A0B0F30Ch 0x00000043 call 00007FA3A0B0F2C8h 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D7E0D rdtsc 0_2_020D7E0D
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: AAN2101002-V017..exe, 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

      Anti Debugging:

      barindex
      Found potential dummy code loops (likely to delay analysis)Show sources
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeProcess Stats: CPU usage > 90% for more than 60s
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D7E0D rdtsc 0_2_020D7E0D
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D225F mov eax, dword ptr fs:[00000030h]0_2_020D225F
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D62B2 mov eax, dword ptr fs:[00000030h]0_2_020D62B2
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D1F97 mov eax, dword ptr fs:[00000030h]0_2_020D1F97
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D689A mov eax, dword ptr fs:[00000030h]0_2_020D689A
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D24BF mov eax, dword ptr fs:[00000030h]0_2_020D24BF
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D24D2 mov eax, dword ptr fs:[00000030h]0_2_020D24D2
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D35C1 mov eax, dword ptr fs:[00000030h]0_2_020D35C1
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D35C3 mov eax, dword ptr fs:[00000030h]0_2_020D35C3
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D71D9 mov eax, dword ptr fs:[00000030h]0_2_020D71D9
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D71D7 mov eax, dword ptr fs:[00000030h]0_2_020D71D7
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
      Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
      Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\AAN2101002-V017..exeCode function: 0_2_020D69A8 cpuid 0_2_020D69A8

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSystem Time Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemorySecurity Software Discovery411Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerVirtualization/Sandbox Evasion11SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsSystem Information Discovery211SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

      Behavior Graph

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.