Analysis Report Agreement Terms Sample.pdf.exe

Overview

General Information

Sample Name: Agreement Terms Sample.pdf.exe
Analysis ID: 339336
MD5: 76b6c2b227dd2ae92bb3b86a66a8fe52
SHA1: db06ffb667569ab3b379012567c27919c36d885a
SHA256: 128fa77a11cedbe782819f0d2e2666a04e4f8d2966a72f215c77b8933c914a47
Tags: exe, GuLoader

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Potential time zone aware malware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Agreement Terms Sample.pdf.exe Virustotal: Detection: 20%

Compliance:

Uses 32bit PE files
Source: Agreement Terms Sample.pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Agreement Terms Sample.pdf.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: Agreement Terms Sample.pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Agreement Terms Sample.pdf.exe, 00000000.00000002.1371583853.0000000000410000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAffolker.exe vs Agreement Terms Sample.pdf.exe
Source: Agreement Terms Sample.pdf.exe Binary or memory string: OriginalFilenameAffolker.exe vs Agreement Terms Sample.pdf.exe
Uses 32bit PE files
Source: Agreement Terms Sample.pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe File created: C:\Users\user\AppData\Local\Temp\~DF053F462F68CD7C8A.TMP
Source: Agreement Terms Sample.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Agreement Terms Sample.pdf.exe Virustotal: Detection: 20%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: Agreement Terms Sample.pdf.exe PID: 6116, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Agreement Terms Sample.pdf.exe PID: 6116, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_0040511F push ebp; ret 0_2_00405120
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_004085AB push esp; retf 0_2_004085AC
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_0042406A pushfd ; iretd 0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_0042181D pushfd ; iretd 0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_004242BF pushfd ; iretd 0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00424167 pushfd ; iretd 0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00423F6B pushfd ; iretd 0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00423921 pushfd ; iretd 0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00424126 pushfd ; iretd 0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_0042493E pushfd ; iretd 0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_004241DB pushfd ; iretd 0_2_00424A35
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00423FE2 pushfd ; iretd 0_2_00424A35

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: Agreement Terms Sample.pdf.exe
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00426C57 0_2_00426C57
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00426A17 0_2_00426A17
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00426A15 0_2_00426A15
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00426E18 0_2_00426E18
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00426CD1 0_2_00426CD1
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00426AEF 0_2_00426AEF
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00426CF6 0_2_00426CF6
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00423F6B 0_2_00423F6B
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_004267F7 0_2_004267F7
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00426BAF 0_2_00426BAF
Potential time zone aware malware
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe System information queried: CurrentTimeZoneInformation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Agreement Terms Sample.pdf.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe RDTSC instruction interceptor: First address: 00000000004262EB second address: 00000000004262EB instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007FAB3093C388h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d add edi, edx
  0x0000001f dec dword ptr [ebp+000000F8h]
  0x00000025 cmp dl, 00000015h
  0x00000028 cmp dword ptr [ebp+000000F8h], 00000000h
  0x0000002f jne 00007FAB3093C365h
  0x00000031 cmp dl, dl
  0x00000033 cmp eax, ecx
  0x00000035 call 00007FAB3093C3FDh
  0x0000003a call 00007FAB3093C398h
  0x0000003f lfence
  0x00000042 mov edx, dword ptr [7FFE0014h]
  0x00000048 lfence
  0x0000004b ret
  0x0000004c mov esi, edx
  0x0000004e pushad
  0x0000004f rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00426C57 rdtsc 0_2_00426C57
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Agreement Terms Sample.pdf.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00426C57 rdtsc 0_2_00426C57
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00426A17 mov eax, dword ptr fs:[00000030h] 0_2_00426A17
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00426A15 mov eax, dword ptr fs:[00000030h] 0_2_00426A15
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00425A2F mov eax, dword ptr fs:[00000030h] 0_2_00425A2F
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00421ED3 mov eax, dword ptr fs:[00000030h] 0_2_00421ED3
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_0042229E mov eax, dword ptr fs:[00000030h] 0_2_0042229E
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00425F78 mov eax, dword ptr fs:[00000030h] 0_2_00425F78
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_0042332A mov eax, dword ptr fs:[00000030h] 0_2_0042332A
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_00422537 mov eax, dword ptr fs:[00000030h] 0_2_00422537
Source: C:\Users\user\Desktop\Agreement Terms Sample.pdf.exe Code function: 0_2_004267F7 mov eax, dword ptr fs:[00000030h] 0_2_004267F7
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Agreement Terms Sample.pdf.exe, 00000000.00000002.1372402958.0000000000CE0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Agreement Terms Sample.pdf.exe, 00000000.00000002.1372402958.0000000000CE0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Agreement Terms Sample.pdf.exe, 00000000.00000002.1372402958.0000000000CE0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: Agreement Terms Sample.pdf.exe, 00000000.00000002.1372402958.0000000000CE0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph

Behavior Graph ID: 339336
Sample: Agreement Terms Sample.pdf.exe
Start date: 13/01/2021
Architecture: WINDOWS
Score: 88
Signatures shown in graph: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Uses an obfuscated file name to hide its real file extension (double extension); 6 other signatures
Process started: Agreement Terms Sample.pdf.exe (signature: Potential time zone aware malware)
No contacted IP information