Loading ...

Play interactive tourEdit tour

Analysis Report Shipping Documents.exe

Overview

General Information

Sample Name:Shipping Documents.exe
Analysis ID:339385
MD5:a13297a6096403fbf5a7511265e151bb
SHA1:e02adaeb53e1362281d565fa14b23485aeb758d4
SHA256:35eaf7cfa69be622c7fae2b72daf3ab245c0237475288ff81568a5fa597fd2f5
Tags:DHLexeGuLoader

Most interesting Screenshot:

Detection

GuLoader
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Executable has a suspicious name (potential lure to open the executable)
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Potential time zone aware malware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Shipping Documents.exe (PID: 6460 cmdline: 'C:\Users\user\Desktop\Shipping Documents.exe' MD5: A13297A6096403FBF5A7511265E151BB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: Shipping Documents.exe PID: 6460JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
    Process Memory Space: Shipping Documents.exe PID: 6460JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: Shipping Documents.exeVirustotal: Detection: 34%Perma Link
      Source: Shipping Documents.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

      System Summary:

      barindex
      Executable has a suspicious name (potential lure to open the executable)Show sources
      Source: Shipping Documents.exeStatic file information: Suspicious name
      Initial sample is a PE file and has a suspicious nameShow sources
      Source: initial sampleStatic PE information: Filename: Shipping Documents.exe
      Source: C:\Users\user\Desktop\Shipping Documents.exeProcess Stats: CPU usage > 98%
      Source: Shipping Documents.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Shipping Documents.exe, 00000000.00000000.230396857.0000000000410000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameHanderlsaftalernes5.exe vs Shipping Documents.exe
      Source: Shipping Documents.exeBinary or memory string: OriginalFilenameHanderlsaftalernes5.exe vs Shipping Documents.exe
      Source: Shipping Documents.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: classification engineClassification label: mal88.troj.evad.winEXE@1/0@0/0
      Source: C:\Users\user\Desktop\Shipping Documents.exeFile created: C:\Users\user\AppData\Local\Temp\~DF1BA10356BF232D3D.TMPJump to behavior
      Source: Shipping Documents.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Shipping Documents.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: Shipping Documents.exeVirustotal: Detection: 34%

      Data Obfuscation:

      barindex
      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: Process Memory Space: Shipping Documents.exe PID: 6460, type: MEMORY
      Yara detected VB6 Downloader GenericShow sources
      Source: Yara matchFile source: Process Memory Space: Shipping Documents.exe PID: 6460, type: MEMORY
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004072E6 push 0AF4BD9Dh; ret 0_2_00407302
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F6849 push es; iretd 0_2_004F699E
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F6428 push FFFFFFF7h; ret 0_2_004F6430
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F04D2 push edi; retf 0_2_004F04D3
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F7DC9 push ebx; iretd 0_2_004F7DCA
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F7BE3 push ebp; retf 0_2_004F7BE5
      Source: C:\Users\user\Desktop\Shipping Documents.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F6AA8 0_2_004F6AA8
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F255A 0_2_004F255A
      Potential time zone aware malwareShow sources
      Source: C:\Users\user\Desktop\Shipping Documents.exeSystem information queried: CurrentTimeZoneInformationJump to behavior
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: Shipping Documents.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\Shipping Documents.exeRDTSC instruction interceptor: First address: 00000000004F6353 second address: 00000000004F6353 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FE6207C9A34h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test edx, ecx 0x0000001f cmp dl, dl 0x00000021 cmp dh, 00000029h 0x00000024 add edi, edx 0x00000026 test al, cl 0x00000028 dec dword ptr [ebp+000000F8h] 0x0000002e cmp dword ptr [ebp+000000F8h], 00000000h 0x00000035 jne 00007FE6207C99B6h 0x00000037 pushad 0x00000038 mov cl, A1h 0x0000003a cmp cl, FFFFFFA1h 0x0000003d jne 00007FE6207C6A6Fh 0x00000043 popad 0x00000044 call 00007FE6207C9A1Ah 0x00000049 call 00007FE6207C9A44h 0x0000004e lfence 0x00000051 mov edx, dword ptr [7FFE0014h] 0x00000057 lfence 0x0000005a ret 0x0000005b mov esi, edx 0x0000005d pushad 0x0000005e rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F1A4D rdtsc 0_2_004F1A4D
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: Shipping Documents.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

      Anti Debugging:

      barindex
      Found potential dummy code loops (likely to delay analysis)Show sources
      Source: C:\Users\user\Desktop\Shipping Documents.exeProcess Stats: CPU usage > 90% for more than 60s
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F1A4D rdtsc 0_2_004F1A4D
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F6008 mov eax, dword ptr fs:[00000030h]0_2_004F6008
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F5A1D mov eax, dword ptr fs:[00000030h]0_2_004F5A1D
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F20C5 mov eax, dword ptr fs:[00000030h]0_2_004F20C5
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F22F6 mov eax, dword ptr fs:[00000030h]0_2_004F22F6
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F6AF5 mov eax, dword ptr fs:[00000030h]0_2_004F6AF5
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F6AA8 mov eax, dword ptr fs:[00000030h]0_2_004F6AA8
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F255A mov eax, dword ptr fs:[00000030h]0_2_004F255A
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F337D mov eax, dword ptr fs:[00000030h]0_2_004F337D
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F25A8 mov eax, dword ptr fs:[00000030h]0_2_004F25A8
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: Shipping Documents.exe, 00000000.00000002.1210731304.0000000000CD0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: Shipping Documents.exe, 00000000.00000002.1210731304.0000000000CD0000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: Shipping Documents.exe, 00000000.00000002.1210731304.0000000000CD0000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
      Source: Shipping Documents.exe, 00000000.00000002.1210731304.0000000000CD0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
      Source: Shipping Documents.exe, 00000000.00000002.1210731304.0000000000CD0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\Shipping Documents.exeCode function: 0_2_004F3219 cpuid 0_2_004F3219

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSystem Time Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemorySecurity Software Discovery411Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerVirtualization/Sandbox Evasion11SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsSystem Information Discovery211SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.