Loading ...

Play interactive tourEdit tour

Analysis Report RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe

Overview

General Information

Sample Name:RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe
Analysis ID:339335
MD5:5a07a1d293ec00ef9f52f9c515c95f57
SHA1:e1712e01b0945a42e7d9b1c9dd2eca5b98c4174d
SHA256:c65e2de75fb34171072925ff6d7c2a9fa79e5d311c4296dacf7a12d524b4167d
Tags:exeGuLoader

Most interesting Screenshot:

Detection

GuLoader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe PID: 1664JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
    Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe PID: 1664JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeVirustotal: Detection: 21%Perma Link
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeReversingLabs: Detection: 17%
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeProcess Stats: CPU usage > 98%
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe, 00000000.00000000.665571809.0000000000414000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameKROKODILLERNES.exe vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe, 00000000.00000002.1839903330.00000000021D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeBinary or memory string: OriginalFilenameKROKODILLERNES.exe vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: classification engineClassification label: mal80.troj.evad.winEXE@1/0@0/0
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeFile created: C:\Users\user\AppData\Local\Temp\~DFB078FDF516815AF8.TMPJump to behavior
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeVirustotal: Detection: 21%
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeReversingLabs: Detection: 17%

      Data Obfuscation:

      barindex
      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe PID: 1664, type: MEMORY
      Yara detected VB6 Downloader GenericShow sources
      Source: Yara matchFile source: Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe PID: 1664, type: MEMORY
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_004018BA push es; retf 0_2_004018C0
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_0040ABB2 push ebp; retf 0_2_0040ABB4
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_00406400 push FFFFFFCBh; retf 0_2_004064A7
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_0040AC32 push ecx; retf 0_2_0040AC34
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_00406D70 push es; retf 0_2_00406D71
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_00406E5D push ebx; retf 0_2_00406E61
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_0040AFEB push ebp; retf 0_2_0040AFEC
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_02217551 push eax; ret 0_2_02217545
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_02214F49 push edi; iretd 0_2_02214F4B
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_02211B27 0_2_02211B27
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeRDTSC instruction interceptor: First address: 00000000022169AF second address: 00000000022169AF instructions:
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeRDTSC instruction interceptor: First address: 00000000022169AF second address: 00000000022169AF instructions:
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeRDTSC instruction interceptor: First address: 00000000022137FF second address: 00000000022137FF instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FBB28C0FCF8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp bl, bl 0x0000001f test ah, bh 0x00000021 pop ecx 0x00000022 jmp 00007FBB28C0FD1Ah 0x00000024 test edi, 6D6DB559h 0x0000002a add edi, edx 0x0000002c cmp dh, bh 0x0000002e dec ecx 0x0000002f cmp ecx, 00000000h 0x00000032 jne 00007FBB28C0FCA7h 0x00000034 test bl, cl 0x00000036 push ecx 0x00000037 cmp bl, dl 0x00000039 test ch, ch 0x0000003b call 00007FBB28C0FD46h 0x00000040 call 00007FBB28C0FD08h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_02212201 rdtsc 0_2_02212201
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

      Anti Debugging:

      barindex
      Found potential dummy code loops (likely to delay analysis)Show sources
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeProcess Stats: CPU usage > 90% for more than 60s
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_02212201 rdtsc 0_2_02212201
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_022162BF mov eax, dword ptr fs:[00000030h]0_2_022162BF
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_0221730E mov eax, dword ptr fs:[00000030h]0_2_0221730E
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_02217375 mov eax, dword ptr fs:[00000030h]0_2_02217375
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_0221738D mov eax, dword ptr fs:[00000030h]0_2_0221738D
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_022121E1 mov eax, dword ptr fs:[00000030h]0_2_022121E1
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_022121CA mov eax, dword ptr fs:[00000030h]0_2_022121CA
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_022121D9 mov eax, dword ptr fs:[00000030h]0_2_022121D9
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_02213629 mov eax, dword ptr fs:[00000030h]0_2_02213629
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_02213606 mov eax, dword ptr fs:[00000030h]0_2_02213606
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_02211B27 mov eax, dword ptr fs:[00000030h]0_2_02211B27
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_0221699D mov eax, dword ptr fs:[00000030h]0_2_0221699D
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe, 00000000.00000002.1839681100.0000000000D80000.00000002.00000001.sdmpBinary or memory string: Program Manager
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe, 00000000.00000002.1839681100.0000000000D80000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe, 00000000.00000002.1839681100.0000000000D80000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe, 00000000.00000002.1839681100.0000000000D80000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exeCode function: 0_2_02215371 cpuid 0_2_02215371

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery511Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery311Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

      Behavior Graph

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.