Analysis Report: Proof of payment.exe

Overview

General Information

Sample Name: Proof of payment.exe
Analysis ID: 338405
MD5: 606275919e922f6a1f639c42f8e2580c
SHA1: 32d9ef9a02da8cf64594608c61bb7adc7b397703
SHA256: 94644b63a2f087324bcbab6b789ec015939cee82844f788987835837f57d0acc
Tags: exe, GuLoader

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Compliance:

Uses 32bit PE files
Source: Proof of payment.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: Proof of payment.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Proof of payment.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Proof of payment.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: Proof of payment.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Proof of payment.exe, 00000000.00000002.1288564482.0000000002250000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Proof of payment.exe
Source: Proof of payment.exe, 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUNDERWOOD.exe vs Proof of payment.exe
Source: Proof of payment.exe Binary or memory string: OriginalFilenameUNDERWOOD.exe vs Proof of payment.exe
Uses 32bit PE files
Source: Proof of payment.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Proof of payment.exe File created: C:\Users\user\AppData\Local\Temp\~DF1BAB6DD5B79524A4.TMP
Source: Proof of payment.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proof of payment.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Proof of payment.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: Proof of payment.exe PID: 5352, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Proof of payment.exe PID: 5352, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_00402CAE push edx; retf 0_2_00402CAF
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004059F9 push FFFFFFC2h; ret 0_2_00405A30
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_0040460F push esi; iretd 0_2_00404613
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004077E4 push es; ret 0_2_004077F7
Source: C:\Users\user\Desktop\Proof of payment.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F284A 0_2_004F284A
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F0C5C 0_2_004F0C5C
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F1948 0_2_004F1948
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F2966 0_2_004F2966
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F0D06 0_2_004F0D06
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F2642 0_2_004F2642
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F262E 0_2_004F262E
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F53D3 0_2_004F53D3
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Proof of payment.exe RDTSC instruction interceptor: First address: 00000000004F6062 second address: 00000000004F6062 instructions:
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Proof of payment.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Proof of payment.exe RDTSC instruction interceptor: First address: 00000000004F6062 second address: 00000000004F6062 instructions:
Source: C:\Users\user\Desktop\Proof of payment.exe RDTSC instruction interceptor: First address: 00000000004F53F1 second address: 00000000004F54D3 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test bh, dh 0x0000000d xor edi, edi 0x0000000f cmp bx, dx 0x00000012 mov dword ptr [ebp+000000F8h], 00A95F60h 0x0000001c cmp bh, ah 0x0000001e push edi 0x0000001f jmp 00007F6314B6B4DDh 0x00000021 call 00007F6314B6B469h 0x00000026 pop edi 0x00000027 jmp edi 0x00000029 pop edi 0x0000002a pushad 0x0000002b mov dh, 46h 0x0000002d cmp dh, 00000046h 0x00000030 jne 00007F6314B6863Dh 0x00000036 popad 0x00000037 call 00007F6314B6B4EBh 0x0000003c call 00007F6314B6B4A8h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Proof of payment.exe RDTSC instruction interceptor: First address: 00000000004F54D3 second address: 00000000004F54D3 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6314B667A8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp bl, FFFFFFAAh 0x00000020 cmp ax, bx 0x00000023 jmp 00007F6314B667BAh 0x00000025 test ecx, 2977CC05h 0x0000002b add edi, edx 0x0000002d cmp dl, dl 0x0000002f dec dword ptr [ebp+000000F8h] 0x00000035 test ah, dh 0x00000037 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000003e jne 00007F6314B66701h 0x00000044 push edi 0x00000045 jmp 00007F6314B667EDh 0x00000047 call 00007F6314B66779h 0x0000004c pop edi 0x0000004d jmp edi 0x0000004f pop edi 0x00000050 pushad 0x00000051 mov dh, 46h 0x00000053 cmp dh, 00000046h 0x00000056 jne 00007F6314B6394Dh 0x0000005c popad 0x0000005d call 00007F6314B667FBh 0x00000062 call 00007F6314B667B8h 0x00000067 lfence 0x0000006a mov edx, dword ptr [7FFE0014h] 0x00000070 lfence 0x00000073 ret 0x00000074 mov esi, edx 0x00000076 pushad 0x00000077 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F284A rdtsc 0_2_004F284A
Source: Proof of payment.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F284A rdtsc 0_2_004F284A
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F205F mov eax, dword ptr fs:[00000030h] 0_2_004F205F
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F4CD5 mov eax, dword ptr fs:[00000030h] 0_2_004F4CD5
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F208E mov eax, dword ptr fs:[00000030h] 0_2_004F208E
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F1948 mov eax, dword ptr fs:[00000030h] 0_2_004F1948
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F2DCB mov eax, dword ptr fs:[00000030h] 0_2_004F2DCB
Source: C:\Users\user\Desktop\Proof of payment.exe Code function: 0_2_004F519B mov eax, dword ptr fs:[00000030h] 0_2_004F519B
Source: Proof of payment.exe, 00000000.00000002.1288156600.0000000000D90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Proof of payment.exe, 00000000.00000002.1288156600.0000000000D90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Proof of payment.exe, 00000000.00000002.1288156600.0000000000D90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Proof of payment.exe, 00000000.00000002.1288156600.0000000000D90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Proof of payment.exe Queries volume information: C:\ VolumeInformation
Behavior Graph

Behavior Graph ID: 338405, Sample: Proof of payment.exe, Start date: 12/01/2021, Architecture: WINDOWS, Score: 76
Signatures shown in graph: Yara detected GuLoader; Executable has a suspicious name (potential lure to open the executable); Initial sample is a PE file and has a suspicious name; 5 other signatures
Process started: Proof of payment.exe
No contacted IP information