Analysis Report file

Overview

General Information

Sample Name: file (renamed file extension from none to exe)
Analysis ID: 342365
MD5: 555c401b38d724743846b628ae639c85
SHA1: 855f8dd61e8382e9f7d193428b6b02385add2db8
SHA256: 31665a69dca33ae199f7f8149e0ca8d992c6e402e01bfc4e7eeaab46a40d33f0
Tags: exe, GuLoader

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 44%

Compliance:

Uses 32bit PE files
Source: file.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: file.exe, 00000000.00000002.1348689124.00000000006E8000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00645C42 0_2_00645C42
PE file contains strange resources
Source: file.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.1348578831.0000000000600000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs file.exe
Source: file.exe, 00000000.00000002.1349866018.00000000028C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamesmittende.exeFE2X vs file.exe
Source: file.exe, 00000000.00000002.1348328819.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesmittende.exe vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamesmittende.exe vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\~DFC7949FBBDA9531CE.TMP
Source: file.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe Virustotal: Detection: 44%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: file.exe PID: 5932, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: file.exe PID: 5932, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A045 push ebp; retf 0_2_0040A046
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A055 push ebp; retf 0_2_0040A056
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040980A push cs; ret 0_2_00409810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408896 push ebp; retf 0_2_004088AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A0B9 push ebp; retf 0_2_0040A0BA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403980 pushad ; ret 0_2_00403981
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004089A0 push ss; retf 0_2_004089A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004079B7 push edx; iretd 0_2_004079E1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A2EC push edx; iretd 0_2_0040A31A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409288 push edi; retf 0_2_00409298
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A349 push ebp; retf 0_2_0040A34A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409332 push edi; retf 0_2_00409340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A3C4 push esi; retf 0_2_0040A3C6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409B91 push cs; ret 0_2_00409BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408C4D push ebp; retf 0_2_00408C4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A528 push cs; retf 0_2_0040A52A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006465B3 push eax; ret 0_2_006465B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00644759 pushfd ; retf 0_2_006447FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064471C pushfd ; retf 0_2_006447FD
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00641364 0_2_00641364
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: file.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 00000000006430D5 second address: 00000000006430D5 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b mov ecx, 00001000h
  0x00000010 div ecx
  0x00000012 test eax, ecx
  0x00000014 cmp edx, 00000000h
  0x00000017 jne 00007FC1E0914B20h
  0x00000019 dec ebx
  0x0000001a xor edx, edx
  0x0000001c mov eax, ebx
  0x0000001e pushad
  0x0000001f lfence
  0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 0000000000645D26 second address: 0000000000645D26 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007FC1E0DCEFB8h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d test bx, dx
  0x00000020 cmp bl, dl
  0x00000022 add edi, edx
  0x00000024 test dl, al
  0x00000026 dec dword ptr [ebp+000000F8h]
  0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h
  0x00000033 jne 00007FC1E0DCEF5Fh
  0x00000035 test bx, cx
  0x00000038 test cx, dx
  0x0000003b call 00007FC1E0DCEFE4h
  0x00000040 call 00007FC1E0DCEFC8h
  0x00000045 lfence
  0x00000048 mov edx, dword ptr [7FFE0014h]
  0x0000004e lfence
  0x00000051 ret
  0x00000052 mov esi, edx
  0x00000054 pushad
  0x00000055 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00642812 rdtsc 0_2_00642812
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: file.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00642812 rdtsc 0_2_00642812
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00643066 mov eax, dword ptr fs:[00000030h] 0_2_00643066
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00643079 mov eax, dword ptr fs:[00000030h] 0_2_00643079
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00645413 mov eax, dword ptr fs:[00000030h] 0_2_00645413
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006420B5 mov eax, dword ptr fs:[00000030h] 0_2_006420B5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064599D mov eax, dword ptr fs:[00000030h] 0_2_0064599D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00641B81 mov eax, dword ptr fs:[00000030h] 0_2_00641B81
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: file.exe, 00000000.00000002.1348748260.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: file.exe, 00000000.00000002.1348748260.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: file.exe, 00000000.00000002.1348748260.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: file.exe, 00000000.00000002.1348748260.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph

Behavior Graph ID: 342365 Sample: file Startdate: 20/01/2021 Architecture: WINDOWS Score: 76
Sample node signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Yara detected VB6 Downloader Generic
Process started: file.exe
Process node signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Found potential dummy code loops (likely to delay analysis); Tries to detect virtualization through RDTSC time measurements
No contacted IP information