
Analysis Report Hotelization1.exe

Overview

General Information

Sample Name: Hotelization1.exe
Analysis ID: 356481
MD5: e9fe792682164781809becea8a7a3902
SHA1: ec474df86437d7d85b23b1e45de5b1c250ab56d6
SHA256: 0b2d52ea23f34796033d9d4f2bc2de17ad413e7fb82089faf7c55bc454a192cf
Tags: exe, GuLoader

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • Hotelization1.exe (PID: 3360 cmdline: 'C:\Users\user\Desktop\Hotelization1.exe' MD5: E9FE792682164781809BECEA8A7A3902)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: Hotelization1.exe PID: 3360 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security | -
Process Memory Space: Hotelization1.exe PID: 3360 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security | -

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
  Source: Hotelization1.exe | ReversingLabs: Detection: 21%

Compliance:

Uses 32bit PE files
  Source: Hotelization1.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Found inlined nop instructions (likely shell or obfuscated code)
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 4x nop then jne 020E5481h | 0_2_020E5491

Abnormal high CPU Usage
  Source: C:\Users\user\Desktop\Hotelization1.exe | Process Stats: CPU usage > 98%

Detected potential crypto function
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_00402659
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_0040185A
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_00402609
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_0040180D
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_0040161E
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_004028EF
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_004026FA
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_004026A4
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_004024B5
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_0040274C
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_00402564
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_0040250C
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_004027C8
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_004027A7
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_004027B6
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_004025BC

Additional evidence:
  Source: classification engine | Classification label: mal68.troj.evad.winEXE@1/0@0/0
  Source: C:\Users\user\Desktop\Hotelization1.exe | File created: C:\Users\user\AppData\Local\Temp\~DF3AF5D2DA9F942D5F.TMP
  Source: Hotelization1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  Source: C:\Users\user\Desktop\Hotelization1.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
  Source: C:\Users\user\Desktop\Hotelization1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
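The "Static PE information" line is the evidence behind the "Uses 32bit PE files" signature. As an added example (not part of the Joe Sandbox report and not the sandbox's own code), the C program below walks the DOS and COFF headers of a constructed minimal PE and decodes the five Characteristics bits the report lists; the sample bytes are constructed, not taken from Hotelization1.exe, and the function names are this example's own. The flag worth noticing is RELOCS_STRIPPED: with no relocation data the loader cannot rebase the image, so ASLR does not apply and the binary is mapped at its preferred ImageBase on every run, which is why the code-function addresses in this report are fixed 0x0040xxxx values.

```c
/* Added example, not from the Joe Sandbox report: parse the COFF header behind
 * the "Static PE information" line and decode its Characteristics bits. The
 * sample_pe bytes are constructed, not taken from Hotelization1.exe. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_FILE_RELOCS_STRIPPED     0x0001
#define IMAGE_FILE_EXECUTABLE_IMAGE    0x0002
#define IMAGE_FILE_LINE_NUMS_STRIPPED  0x0004
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008
#define IMAGE_FILE_32BIT_MACHINE       0x0100

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* MZ header -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER, with bounds checks.
 * Returns 0 and fills machine/characteristics, or -1 if buf is not a sane PE. */
int pe_coff_header(const uint8_t *buf, size_t len,
                   uint16_t *machine, uint16_t *characteristics)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return -1;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 24)  /* 4-byte signature + 20-byte header */
        return -1;
    const uint8_t *pe = buf + e_lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0)
        return -1;
    *machine = rd16(pe + 4);            /* Machine: first field of IMAGE_FILE_HEADER */
    *characteristics = rd16(pe + 22);   /* Characteristics: last field, at offset 18 */
    return 0;
}

/* Without relocations the loader cannot rebase the image, so ASLR does not apply
 * and every run maps it at its preferred ImageBase (the fixed 0x0040xxxx code
 * addresses in the report). */
int pe_has_fixed_base(uint16_t characteristics)
{
    return (characteristics & IMAGE_FILE_RELOCS_STRIPPED) != 0;
}

/* Write the set flag names, comma separated, in the order the report prints them.
 * Returns bytes written, or -1 if out is too small. */
int pe_describe_characteristics(uint16_t c, char *out, size_t outlen)
{
    static const struct { uint16_t bit; const char *name; } names[] = {
        { IMAGE_FILE_LOCAL_SYMS_STRIPPED, "LOCAL_SYMS_STRIPPED" },
        { IMAGE_FILE_32BIT_MACHINE,       "32BIT_MACHINE" },
        { IMAGE_FILE_EXECUTABLE_IMAGE,    "EXECUTABLE_IMAGE" },
        { IMAGE_FILE_LINE_NUMS_STRIPPED,  "LINE_NUMS_STRIPPED" },
        { IMAGE_FILE_RELOCS_STRIPPED,     "RELOCS_STRIPPED" },
    };
    size_t pos = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(c & names[i].bit))
            continue;
        int n = snprintf(out + pos, outlen - pos, "%s%s", pos ? ", " : "", names[i].name);
        if (n < 0 || (size_t)n >= outlen - pos)
            return -1;
        pos += (size_t)n;
    }
    return (int)pos;
}

/* Constructed sample: DOS header with e_lfanew = 0x40, then a COFF header for an
 * i386 image (Machine 0x014c) whose Characteristics are 0x010F, i.e. exactly the
 * five flags the report lists. */
const uint8_t sample_pe[0x58] = {
    'M', 'Z', [0x3c] = 0x40, 0x00, 0x00, 0x00,
    [0x40] = 'P', 'E', 0, 0,
    0x4c, 0x01,                            /* Machine = IMAGE_FILE_MACHINE_I386 */
    0x03, 0x00,                            /* NumberOfSections */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  /* TimeDateStamp, PointerToSymbolTable, NumberOfSymbols */
    0xe0, 0x00,                            /* SizeOfOptionalHeader */
    0x0f, 0x01,                            /* Characteristics = 0x010F */
};

int main(void)
{
    uint16_t machine = 0, chars = 0;
    char desc[128];
    if (pe_coff_header(sample_pe, sizeof sample_pe, &machine, &chars) != 0)
        return 1;
    pe_describe_characteristics(chars, desc, sizeof desc);
    printf("Machine 0x%04x, Characteristics 0x%04x: %s\nfixed base (no ASLR): %s\n",
           machine, chars, desc, pe_has_fixed_base(chars) ? "yes" : "no");
    return 0;
}
```

Run against a real file by reading it into a buffer and passing it to pe_coff_header; the bounds checks matter there, since e_lfanew is attacker-controlled and truncated or crafted headers are common in loader samples.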

Data Obfuscation:

Yara detected GuLoader
  Source: Yara match | File source: Process Memory Space: Hotelization1.exe PID: 3360, type: MEMORY

Yara detected VB6 Downloader Generic
  Source: Yara match | File source: Process Memory Space: Hotelization1.exe PID: 3360, type: MEMORY

Uses code obfuscation techniques (call, push, ret)
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_00406437 push ds; iretd | 0_2_00406439
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_00403EA3 push esi; retf | 0_2_00403EBB
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_0040274C push eax; retf | 0_2_0040274B
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_00402FFF push ds; ret | 0_2_00403002

Additional evidence:
  Source: C:\Users\user\Desktop\Hotelization1.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Source: Hotelization1.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
  Source: Hotelization1.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Tries to detect virtualization through RDTSC time measurements
  Source: C:\Users\user\Desktop\Hotelization1.exe | RDTSC instruction interceptor: First address: 00000000020E2761, second address: 00000000020E2761, instructions:
    0x00000000 rdtsc
    0x00000002 xor eax, eax
    0x00000004 inc eax
    0x00000005 cpuid
    0x00000007 popad
    0x00000008 call 00007F6560A1C59Dh
    0x0000000d lfence
    0x00000010 mov edx, dword ptr [7FFE0014h]
    0x00000016 lfence
    0x00000019 ret
    0x0000001a sub edx, esi
    0x0000001c ret
    0x0000001d pop ecx
    0x0000001e cmp bh, ch
    0x00000020 pushad
    0x00000021 mov bh, 82h
    0x00000023 cmp bh, FFFFFF82h
    0x00000026 jne 00007F6560A1BC79h
    0x0000002c popad
    0x0000002d add edi, edx
    0x0000002f test bl, al
    0x00000031 dec ecx
    0x00000032 cmp ecx, 00000000h
    0x00000035 jne 00007F6560A1C53Fh
    0x00000037 push ecx
    0x00000038 test ah, 00000038h
    0x0000003b call 00007F6560A1C588h
    0x00000040 call 00007F6560A1C5ADh
    0x00000045 lfence
    0x00000048 mov edx, dword ptr [7FFE0014h]
    0x0000004e lfence
    0x00000051 ret
    0x00000052 mov esi, edx
    0x00000054 pushad
    0x00000055 rdtsc
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_020E2030 rdtsc | 0_2_020E2030

Contains functionality for execution timing, often used to detect debuggers
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_020E2030 rdtsc | 0_2_020E2030

Contains functionality to read the PEB
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_020E1A0A mov eax, dword ptr fs:[00000030h] | 0_2_020E1A0A
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_020E1827 mov eax, dword ptr fs:[00000030h] | 0_2_020E1827
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_020E4A9E mov eax, dword ptr fs:[00000030h] | 0_2_020E4A9E
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_020E50DF mov eax, dword ptr fs:[00000030h] | 0_2_020E50DF
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_020E50DA mov eax, dword ptr fs:[00000030h] | 0_2_020E50DA
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_020E4358 mov eax, dword ptr fs:[00000030h] | 0_2_020E4358
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_020E13C1 mov eax, dword ptr fs:[00000030h] | 0_2_020E13C1
  Source: C:\Users\user\Desktop\Hotelization1.exe | Code function: 0_2_020E25EE mov eax, dword ptr fs:[00000030h] | 0_2_020E25EE

Additional evidence:
  Source: Hotelization1.exe, 00000000.00000002.734355506.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Program Manager
  Source: Hotelization1.exe, 00000000.00000002.734355506.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
  Source: Hotelization1.exe, 00000000.00000002.734355506.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progman
  Source: Hotelization1.exe, 00000000.00000002.734355506.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
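The interceptor trace above is the loop behind the RDTSC signature: rdtsc, then cpuid leaf 1 (set up by xor eax,eax / inc eax), then a read of the low dword of KUSER_SHARED_DATA.SystemTime at 7FFE0014h, with the delta accumulated into edi while ecx counts down. CPUID is an unconditional VM exit on every x86 hypervisor, so the per-iteration cost is far higher under virtualization than on bare metal, and a loader that sees a large total simply never reaches its payload stage. As an added example (not code from the report, from Joe Sandbox or from the GuLoader sample), the C program below implements the same measurement with compiler intrinsics; the iteration count and the cycle threshold are assumptions that would have to be calibrated per CPU, and the function names are this example's own.

```c
/* Added example, not code from the report or from the GuLoader sample: the
 * rdtsc/cpuid timing loop behind the "Tries to detect virtualization through
 * RDTSC time measurements" signature, written with compiler intrinsics.
 * Iteration count and cycle threshold are assumptions to be calibrated per CPU. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>

/* One timed CPUID leaf 1 (the trace's xor eax,eax / inc eax / cpuid). CPUID is an
 * unconditional VM exit on every x86 hypervisor, so this is the operation whose
 * cost differs most between bare metal and a virtual machine. */
static uint64_t timed_cpuid_once(void)
{
    unsigned a, b, c, d;
    uint64_t start = __rdtsc();
    __get_cpuid(1, &a, &b, &c, &d);
    uint64_t end = __rdtsc();
    return end - start;
}
#else
/* Non-x86 build: there is no CPUID to time; report zero so callers see "bare metal". */
static uint64_t timed_cpuid_once(void) { return 0; }
#endif

/* Sum the cost of `iterations` CPUID calls, mirroring the trace's accumulate-and-
 * count-down loop (add edi, edx / dec ecx / jne). */
uint64_t measure_cpuid_cost(unsigned iterations)
{
    uint64_t total = 0;
    for (unsigned i = 0; i < iterations; i++)
        total += timed_cpuid_once();
    return total;
}

/* Decision rule: average cycles per CPUID above threshold_cycles is treated as
 * hypervisor or instrumentation overhead. Rough assumption: a few hundred cycles
 * on bare metal, well over a thousand under a hypervisor. Returns 1 when an
 * analysis environment is suspected, else 0. */
int looks_like_hypervisor(uint64_t total_cycles, unsigned iterations, uint64_t threshold_cycles)
{
    if (iterations == 0)
        return 0;
    return (total_cycles / iterations) > threshold_cycles;
}

int main(void)
{
    const unsigned iters = 1000;
    const uint64_t threshold = 800;  /* assumed per-call threshold */
    uint64_t total = measure_cpuid_cost(iters);
    printf("average cycles per CPUID: %llu -> %s\n",
           (unsigned long long)(total / iters),
           looks_like_hypervisor(total, iters, threshold) ? "hypervisor suspected"
                                                           : "no hypervisor detected");
    return 0;
}
```

The countermeasure visible in this report is the "RDTSC instruction interceptor": the sandbox traps rdtsc and serves consistent values, which is also why the sample mixes in the SystemTime read from the shared user page, a second clock that is harder to fake. The empty configuration, the single process and the absence of network traffic (@1/0@0/0) are consistent with the loader bailing out before its payload stage, so a detonation that looks inert should not be read as benign.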

Mitre Att&ck Matrix

Techniques marked [n] were matched by the analysis (n is the source count of one matching signature; several brackets mean several signatures); unmarked entries are the unmatched template cells of the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection [1]; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Process Injection [1]; Obfuscated Files or Information [2]; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery [2][1][1]; Process Discovery [1]; System Information Discovery [1][1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel [1]; Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data
