Analysis Report USD18,620-00_swift-copy_mt103.exe

Overview

General Information

Sample Name:	USD18,620-00_swift-copy_mt103.exe
Analysis ID:	356539
MD5:	395a2f37acb7606721dd540c4bd25575
SHA1:	a1e28437c7d4c64fd087078e9063a4588f36018f
SHA256:	376e9cf15752762b0b38372261de1b2595816c2116100a2cf7164e5227b3a207
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Machine Learning detection for sample

Potentially malicious time measurement code found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

PE file contains an invalid checksum

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: USD18,620-00_swift-copy_mt103.exe	Virustotal: Detection: 30%			Perma Link
Source: USD18,620-00_swift-copy_mt103.exe	ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: USD18,620-00_swift-copy_mt103.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: USD18,620-00_swift-copy_mt103.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Contains functionality to call native functions

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Code function: 1_2_02BCE961 NtProtectVirtualMemory,

1_2_02BCE961

PE file contains strange resources

Source: USD18,620-00_swift-copy_mt103.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTannages7.exe vs USD18,620-00_swift-copy_mt103.exe
Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.751691739.0000000002210000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs USD18,620-00_swift-copy_mt103.exe
Source: USD18,620-00_swift-copy_mt103.exe	Binary or memory string: OriginalFilenameTannages7.exe vs USD18,620-00_swift-copy_mt103.exe

Uses 32bit PE files

Source: USD18,620-00_swift-copy_mt103.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DFE00194A98C429E88.TMP

Jump to behavior

Source: USD18,620-00_swift-copy_mt103.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: USD18,620-00_swift-copy_mt103.exe	Virustotal: Detection: 30%
Source: USD18,620-00_swift-copy_mt103.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Window detected: Number of UI elements: 15

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: Process Memory Space: USD18,620-00_swift-copy_mt103.exe PID: 6600, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match

File source: Process Memory Space: USD18,620-00_swift-copy_mt103.exe PID: 6600, type: MEMORY

PE file contains an invalid checksum

Source: USD18,620-00_swift-copy_mt103.exe

Static PE information: real checksum: 0x416ac should be: 0x3a3c0

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_00407B19 push 760F90C1h; iretd	1_2_00407B92
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCE6D8 push esp; retf	1_2_02BCE6DC
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCE707 push cs; ret	1_2_02BCE954
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCE861 push cs; ret	1_2_02BCE954

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1228	1_2_02BC1228
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC13BC	1_2_02BC13BC
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1358	1_2_02BC1358
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1049	1_2_02BC1049
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC71B8	1_2_02BC71B8
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1160	1_2_02BC1160
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1688	1_2_02BC1688
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1650	1_2_02BC1650
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1780	1_2_02BC1780
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC17E8	1_2_02BC17E8
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC45B2	1_2_02BC45B2
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC15E0	1_2_02BC15E0
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1570	1_2_02BC1570
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1568	1_2_02BC1568
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC3567	1_2_02BC3567
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1AC4	1_2_02BC1AC4
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCEA05	1_2_02BCEA05
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1A48	1_2_02BC1A48
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1B88	1_2_02BC1B88
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1BF4	1_2_02BC1BF4
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC18C4	1_2_02BC18C4
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1860	1_2_02BC1860
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1980	1_2_02BC1980
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC19E4	1_2_02BC19E4
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC191C	1_2_02BC191C
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1CB8	1_2_02BC1CB8
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1C50	1_2_02BC1C50
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1D87	1_2_02BC1D87
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1DE8	1_2_02BC1DE8
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1D14	1_2_02BC1D14

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: USD18,620-00_swift-copy_mt103.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

RDTSC instruction interceptor: First address: 0000000002BC671A second address: 0000000002BC671A instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6A903A1645h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp cx, dx 0x00000020 pop ecx 0x00000021 cmp dl, dl 0x00000023 jmp 00007F6A903A163Ah 0x00000025 test dh, dh 0x00000027 add edi, edx 0x00000029 dec ecx 0x0000002a cmp ecx, 00000000h 0x0000002d jne 00007F6A903A1540h 0x00000033 jmp 00007F6A903A163Ah 0x00000035 test dh, dh 0x00000037 push ecx 0x00000038 test ecx, 8A763D23h 0x0000003e call 00007F6A903A16B5h 0x00000043 call 00007F6A903A1655h 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Code function: 1_2_02BC5290 rdtsc

1_2_02BC5290

Source: USD18,620-00_swift-copy_mt103.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1049 Start: 02BC144F End: 02BC11C0		1_2_02BC1049
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1160 Start: 02BC144F End: 02BC11C0		1_2_02BC1160

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Code function: 1_2_02BC5290 rdtsc

1_2_02BC5290

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC636A mov eax, dword ptr fs:[00000030h]	1_2_02BC636A
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC4118 mov eax, dword ptr fs:[00000030h]	1_2_02BC4118
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCC104 mov eax, dword ptr fs:[00000030h]	1_2_02BCC104
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCC144 mov eax, dword ptr fs:[00000030h]	1_2_02BCC144
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC4600 mov eax, dword ptr fs:[00000030h]	1_2_02BC4600
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC465C mov eax, dword ptr fs:[00000030h]	1_2_02BC465C
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC45B2 mov eax, dword ptr fs:[00000030h]	1_2_02BC45B2
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC458C mov eax, dword ptr fs:[00000030h]	1_2_02BC458C
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC3567 mov eax, dword ptr fs:[00000030h]	1_2_02BC3567
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCAB24 mov eax, dword ptr fs:[00000030h]	1_2_02BCAB24
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCD9B3 mov eax, dword ptr fs:[00000030h]	1_2_02BCD9B3
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCD9FB mov eax, dword ptr fs:[00000030h]	1_2_02BCD9FB

HIPS / PFW / Operating System Protection Evasion:

Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.750838494.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.750838494.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.750838494.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.750838494.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Code function: 1_2_02BC3055 cpuid

1_2_02BC3055

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	356539
Product:	CloudBasic
Start time:	09:47:26
Start date:	23.02.2021
Sample:	USD18,620-00_swift-copy_mt103.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	395a2f37acb7606721dd540c4bd25575
SHA1:	a1e28437c7d4c64fd087078e9063a4588f36018f
SHA256:	376e9cf15752762b0b38372261de1b2595816c2116100a2cf7164e5227b3a207
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Analysis Report USD18,620-00_swift-copy_mt103.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map