Analysis Report Shipping Documents.exe

Overview

General Information

Sample Name: Shipping Documents.exe
Analysis ID: 339385
MD5: a13297a6096403fbf5a7511265e151bb
SHA1: e02adaeb53e1362281d565fa14b23485aeb758d4
SHA256: 35eaf7cfa69be622c7fae2b72daf3ab245c0237475288ff81568a5fa597fd2f5
Tags: DHL, exe, GuLoader

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Executable has a suspicious name (potential lure to open the executable)
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Potential time zone aware malware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Shipping Documents.exe Virustotal: Detection: 34%

Compliance:

Uses 32bit PE files
Source: Shipping Documents.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: Shipping Documents.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Shipping Documents.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Shipping Documents.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: Shipping Documents.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Shipping Documents.exe, 00000000.00000000.230396857.0000000000410000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameHanderlsaftalernes5.exe vs Shipping Documents.exe
Source: Shipping Documents.exe Binary or memory string: OriginalFilenameHanderlsaftalernes5.exe vs Shipping Documents.exe
Uses 32bit PE files
Source: Shipping Documents.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Shipping Documents.exe File created: C:\Users\user\AppData\Local\Temp\~DF1BA10356BF232D3D.TMP
Source: Shipping Documents.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Shipping Documents.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Shipping Documents.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Shipping Documents.exe Virustotal: Detection: 34%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: Shipping Documents.exe PID: 6460, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Shipping Documents.exe PID: 6460, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004072E6 push 0AF4BD9Dh; ret 0_2_00407302
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F6849 push es; iretd 0_2_004F699E
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F6428 push FFFFFFF7h; ret 0_2_004F6430
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F04D2 push edi; retf 0_2_004F04D3
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F7DC9 push ebx; iretd 0_2_004F7DCA
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F7BE3 push ebp; retf 0_2_004F7BE5
Source: C:\Users\user\Desktop\Shipping Documents.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F6AA8 0_2_004F6AA8
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F255A 0_2_004F255A
Potential time zone aware malware
Source: C:\Users\user\Desktop\Shipping Documents.exe System information queried: CurrentTimeZoneInformation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Shipping Documents.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Shipping Documents.exe RDTSC instruction interceptor: First address: 00000000004F6353 second address: 00000000004F6353 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007FE6207C9A34h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d test edx, ecx
  0x0000001f cmp dl, dl
  0x00000021 cmp dh, 00000029h
  0x00000024 add edi, edx
  0x00000026 test al, cl
  0x00000028 dec dword ptr [ebp+000000F8h]
  0x0000002e cmp dword ptr [ebp+000000F8h], 00000000h
  0x00000035 jne 00007FE6207C99B6h
  0x00000037 pushad
  0x00000038 mov cl, A1h
  0x0000003a cmp cl, FFFFFFA1h
  0x0000003d jne 00007FE6207C6A6Fh
  0x00000043 popad
  0x00000044 call 00007FE6207C9A1Ah
  0x00000049 call 00007FE6207C9A44h
  0x0000004e lfence
  0x00000051 mov edx, dword ptr [7FFE0014h]
  0x00000057 lfence
  0x0000005a ret
  0x0000005b mov esi, edx
  0x0000005d pushad
  0x0000005e rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F1A4D rdtsc 0_2_004F1A4D
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Shipping Documents.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Shipping Documents.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F1A4D rdtsc 0_2_004F1A4D
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F6008 mov eax, dword ptr fs:[00000030h] 0_2_004F6008
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F5A1D mov eax, dword ptr fs:[00000030h] 0_2_004F5A1D
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F20C5 mov eax, dword ptr fs:[00000030h] 0_2_004F20C5
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F22F6 mov eax, dword ptr fs:[00000030h] 0_2_004F22F6
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F6AF5 mov eax, dword ptr fs:[00000030h] 0_2_004F6AF5
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F6AA8 mov eax, dword ptr fs:[00000030h] 0_2_004F6AA8
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F255A mov eax, dword ptr fs:[00000030h] 0_2_004F255A
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F337D mov eax, dword ptr fs:[00000030h] 0_2_004F337D
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F25A8 mov eax, dword ptr fs:[00000030h] 0_2_004F25A8
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Shipping Documents.exe, 00000000.00000002.1210731304.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Shipping Documents.exe, 00000000.00000002.1210731304.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Shipping Documents.exe, 00000000.00000002.1210731304.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: Shipping Documents.exe, 00000000.00000002.1210731304.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: Shipping Documents.exe, 00000000.00000002.1210731304.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Shipping Documents.exe Code function: 0_2_004F3219 cpuid 0_2_004F3219
Behavior Graph ID: 339385, Sample: Shipping Documents.exe, Startdate: 13/01/2021, Architecture: WINDOWS, Score: 88 (graph image not included; process started: Shipping Documents.exe)
No contacted IP infos