Analysis Report Proforma Invoice 1009745.exe

Overview

General Information

Sample Name: Proforma Invoice 1009745.exe
Analysis ID: 343935
MD5: 71eee7537f1ac4347b00db9d5777a078
SHA1: 5867ba045cb9817a6f15938d021db6839c5b346f
SHA256: 956ec30b9191b8755a1b879822317ccda7be9a0284a4df1f1f3efd53669f8928
Tags: exe, GuLoader

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Proforma Invoice 1009745.exe Virustotal: Detection: 23%
Source: Proforma Invoice 1009745.exe ReversingLabs: Detection: 23%

Compliance:

Uses 32bit PE files
Source: Proforma Invoice 1009745.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: Proforma Invoice 1009745.exe Static file information: Suspicious name
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C76C7 NtProtectVirtualMemory, 0_2_022C76C7
PE file contains strange resources
Source: Proforma Invoice 1009745.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Proforma Invoice 1009745.exe, 00000000.00000002.1404411560.0000000000419000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameARBEJDSPSYKOLOGIEN.exe vs Proforma Invoice 1009745.exe
Source: Proforma Invoice 1009745.exe, 00000000.00000002.1405395953.00000000021E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Proforma Invoice 1009745.exe
Source: Proforma Invoice 1009745.exe Binary or memory string: OriginalFilenameARBEJDSPSYKOLOGIEN.exe vs Proforma Invoice 1009745.exe
Uses 32bit PE files
Source: Proforma Invoice 1009745.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe File created: C:\Users\user\AppData\Local\Temp\~DFC2B0EFE621F04776.TMP
Source: Proforma Invoice 1009745.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Proforma Invoice 1009745.exe Virustotal: Detection: 23%
Source: Proforma Invoice 1009745.exe ReversingLabs: Detection: 23%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: Proforma Invoice 1009745.exe PID: 7064, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Proforma Invoice 1009745.exe PID: 7064, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_0040734E push ebx; iretd 0_2_0040737B
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C0EB0 push 85660000h; ret 0_2_022C0EB5
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C7EF9 push esp; retf 0_2_022C7EFA
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C7DFA push ebx; retf 0_2_022C7E13
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C6CB5 0_2_022C6CB5
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe RDTSC instruction interceptor: First address: 00000000022C69A5 second address: 00000000022C69A5 instructions:
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Proforma Invoice 1009745.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe RDTSC instruction interceptor: First address: 00000000022C69A5 second address: 00000000022C69A5 instructions:
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe RDTSC instruction interceptor: First address: 00000000022C65A9 second address: 00000000022C65A9 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007FB0889D2538h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d test bh, ah
  0x0000001f test ax, cx
  0x00000022 add edi, edx
  0x00000024 dec dword ptr [ebp+000000F8h]
  0x0000002a jmp 00007FB0889D2576h
  0x0000002c test ecx, eax
  0x0000002e cmp dword ptr [ebp+000000F8h], 00000000h
  0x00000035 jne 00007FB0889D24CDh
  0x00000037 cmp bh, ch
  0x00000039 call 00007FB0889D25A0h
  0x0000003e call 00007FB0889D2548h
  0x00000043 lfence
  0x00000046 mov edx, dword ptr [7FFE0014h]
  0x0000004c lfence
  0x0000004f ret
  0x00000050 mov esi, edx
  0x00000052 pushad
  0x00000053 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C6621 rdtsc 0_2_022C6621
Source: Proforma Invoice 1009745.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C6621 rdtsc 0_2_022C6621
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C3642 mov eax, dword ptr fs:[00000030h] 0_2_022C3642
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C6CB5 mov eax, dword ptr fs:[00000030h] 0_2_022C6CB5
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C6280 mov eax, dword ptr fs:[00000030h] 0_2_022C6280
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C2737 mov eax, dword ptr fs:[00000030h] 0_2_022C2737
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C5D7D mov eax, dword ptr fs:[00000030h] 0_2_022C5D7D
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C274B mov eax, dword ptr fs:[00000030h] 0_2_022C274B
Source: C:\Users\user\Desktop\Proforma Invoice 1009745.exe Code function: 0_2_022C219E mov eax, dword ptr fs:[00000030h] 0_2_022C219E
Source: Proforma Invoice 1009745.exe, 00000000.00000002.1405208564.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Proforma Invoice 1009745.exe, 00000000.00000002.1405208564.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Proforma Invoice 1009745.exe, 00000000.00000002.1405208564.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: Proforma Invoice 1009745.exe, 00000000.00000002.1405208564.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph ID: 343935
Sample: Proforma Invoice 1009745.exe
Startdate: 25/01/2021
Architecture: WINDOWS
Score: 80
Process started: Proforma Invoice 1009745.exe
No contacted IP infos