Analysis Report Hotelization1.exe

Overview

General Information

Sample Name: Hotelization1.exe
Analysis ID: 356481
MD5: e9fe792682164781809becea8a7a3902
SHA1: ec474df86437d7d85b23b1e45de5b1c250ab56d6
SHA256: 0b2d52ea23f34796033d9d4f2bc2de17ad413e7fb82089faf7c55bc454a192cf
Tags: exe, GuLoader

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Hotelization1.exe ReversingLabs: Detection: 21%

Compliance:

Uses 32bit PE files
Source: Hotelization1.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 4x nop then jne 020E5481h 0_2_020E5491

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Hotelization1.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_00402659 0_2_00402659
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_0040185A 0_2_0040185A
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_00402609 0_2_00402609
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_0040180D 0_2_0040180D
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_0040161E 0_2_0040161E
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_004028EF 0_2_004028EF
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_004026FA 0_2_004026FA
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_004026A4 0_2_004026A4
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_004024B5 0_2_004024B5
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_0040274C 0_2_0040274C
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_00402564 0_2_00402564
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_0040250C 0_2_0040250C
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_004027C8 0_2_004027C8
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_004027A7 0_2_004027A7
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_004027B6 0_2_004027B6
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_004025BC 0_2_004025BC
Uses 32bit PE files
Source: Hotelization1.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Hotelization1.exe File created: C:\Users\user\AppData\Local\Temp\~DF3AF5D2DA9F942D5F.TMP
Source: Hotelization1.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Hotelization1.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Hotelization1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Hotelization1.exe ReversingLabs: Detection: 21%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: Hotelization1.exe PID: 3360, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Hotelization1.exe PID: 3360, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_00406437 push ds; iretd 0_2_00406439
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_00403EA3 push esi; retf 0_2_00403EBB
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_0040274C push eax; retf 0_2_0040274B
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_00402FFF push ds; ret 0_2_00403002
Source: C:\Users\user\Desktop\Hotelization1.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Hotelization1.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Hotelization1.exe RDTSC instruction interceptor: First address: 00000000020E2761 second address: 00000000020E2761 instructions:
0x00000000 rdtsc
0x00000002 xor eax, eax
0x00000004 inc eax
0x00000005 cpuid
0x00000007 popad
0x00000008 call 00007F6560A1C59Dh
0x0000000d lfence
0x00000010 mov edx, dword ptr [7FFE0014h]
0x00000016 lfence
0x00000019 ret
0x0000001a sub edx, esi
0x0000001c ret
0x0000001d pop ecx
0x0000001e cmp bh, ch
0x00000020 pushad
0x00000021 mov bh, 82h
0x00000023 cmp bh, FFFFFF82h
0x00000026 jne 00007F6560A1BC79h
0x0000002c popad
0x0000002d add edi, edx
0x0000002f test bl, al
0x00000031 dec ecx
0x00000032 cmp ecx, 00000000h
0x00000035 jne 00007F6560A1C53Fh
0x00000037 push ecx
0x00000038 test ah, 00000038h
0x0000003b call 00007F6560A1C588h
0x00000040 call 00007F6560A1C5ADh
0x00000045 lfence
0x00000048 mov edx, dword ptr [7FFE0014h]
0x0000004e lfence
0x00000051 ret
0x00000052 mov esi, edx
0x00000054 pushad
0x00000055 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_020E2030 rdtsc 0_2_020E2030
Source: Hotelization1.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_020E2030 rdtsc 0_2_020E2030
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_020E1A0A mov eax, dword ptr fs:[00000030h] 0_2_020E1A0A
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_020E1827 mov eax, dword ptr fs:[00000030h] 0_2_020E1827
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_020E4A9E mov eax, dword ptr fs:[00000030h] 0_2_020E4A9E
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_020E50DF mov eax, dword ptr fs:[00000030h] 0_2_020E50DF
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_020E50DA mov eax, dword ptr fs:[00000030h] 0_2_020E50DA
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_020E4358 mov eax, dword ptr fs:[00000030h] 0_2_020E4358
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_020E13C1 mov eax, dword ptr fs:[00000030h] 0_2_020E13C1
Source: C:\Users\user\Desktop\Hotelization1.exe Code function: 0_2_020E25EE mov eax, dword ptr fs:[00000030h] 0_2_020E25EE
Source: Hotelization1.exe, 00000000.00000002.734355506.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Hotelization1.exe, 00000000.00000002.734355506.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Hotelization1.exe, 00000000.00000002.734355506.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Hotelization1.exe, 00000000.00000002.734355506.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph

Behavior Graph ID: 356481
Sample: Hotelization1.exe
Startdate: 23/02/2021
Architecture: WINDOWS
Score: 68
Signatures on sample: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Yara detected VB6 Downloader Generic
Process started: Hotelization1.exe
Signatures on process: Tries to detect virtualization through RDTSC time measurements
No contacted IP info