Loading ...

Play interactive tourEdit tour

Analysis Report USD18,620-00_swift-copy_mt103.exe

Overview

General Information

Sample Name:USD18,620-00_swift-copy_mt103.exe
Analysis ID:356539
MD5:395a2f37acb7606721dd540c4bd25575
SHA1:a1e28437c7d4c64fd087078e9063a4588f36018f
SHA256:376e9cf15752762b0b38372261de1b2595816c2116100a2cf7164e5227b3a207
Tags:exeGuLoader

Most interesting Screenshot:

Detection

GuLoader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Machine Learning detection for sample
Potentially malicious time measurement code found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: USD18,620-00_swift-copy_mt103.exe PID: 6600JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
    Process Memory Space: USD18,620-00_swift-copy_mt103.exe PID: 6600JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: USD18,620-00_swift-copy_mt103.exeVirustotal: Detection: 30%Perma Link
      Source: USD18,620-00_swift-copy_mt103.exeReversingLabs: Detection: 21%
      Machine Learning detection for sampleShow sources
      Source: USD18,620-00_swift-copy_mt103.exeJoe Sandbox ML: detected

      Compliance:

      barindex
      Uses 32bit PE filesShow sources
      Source: USD18,620-00_swift-copy_mt103.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BCE961 NtProtectVirtualMemory,1_2_02BCE961
      Source: USD18,620-00_swift-copy_mt103.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTannages7.exe vs USD18,620-00_swift-copy_mt103.exe
      Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.751691739.0000000002210000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs USD18,620-00_swift-copy_mt103.exe
      Source: USD18,620-00_swift-copy_mt103.exeBinary or memory string: OriginalFilenameTannages7.exe vs USD18,620-00_swift-copy_mt103.exe
      Source: USD18,620-00_swift-copy_mt103.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: classification engineClassification label: mal80.troj.evad.winEXE@1/0@0/0
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeFile created: C:\Users\user~1\AppData\Local\Temp\~DFE00194A98C429E88.TMPJump to behavior
      Source: USD18,620-00_swift-copy_mt103.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: USD18,620-00_swift-copy_mt103.exeVirustotal: Detection: 30%
      Source: USD18,620-00_swift-copy_mt103.exeReversingLabs: Detection: 21%
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeWindow detected: Number of UI elements: 15

      Data Obfuscation:

      barindex
      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: Process Memory Space: USD18,620-00_swift-copy_mt103.exe PID: 6600, type: MEMORY
      Yara detected VB6 Downloader GenericShow sources
      Source: Yara matchFile source: Process Memory Space: USD18,620-00_swift-copy_mt103.exe PID: 6600, type: MEMORY
      Source: USD18,620-00_swift-copy_mt103.exeStatic PE information: real checksum: 0x416ac should be: 0x3a3c0
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_00407B19 push 760F90C1h; iretd 1_2_00407B92
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BCE6D8 push esp; retf 1_2_02BCE6DC
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BCE707 push cs; ret 1_2_02BCE954
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BCE861 push cs; ret 1_2_02BCE954
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1228 1_2_02BC1228
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC13BC 1_2_02BC13BC
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1358 1_2_02BC1358
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1049 1_2_02BC1049
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC71B8 1_2_02BC71B8
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1160 1_2_02BC1160
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1688 1_2_02BC1688
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1650 1_2_02BC1650
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1780 1_2_02BC1780
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC17E8 1_2_02BC17E8
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC45B2 1_2_02BC45B2
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC15E0 1_2_02BC15E0
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1570 1_2_02BC1570
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1568 1_2_02BC1568
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC3567 1_2_02BC3567
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1AC4 1_2_02BC1AC4
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BCEA05 1_2_02BCEA05
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1A48 1_2_02BC1A48
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1B88 1_2_02BC1B88
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1BF4 1_2_02BC1BF4
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC18C4 1_2_02BC18C4
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1860 1_2_02BC1860
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1980 1_2_02BC1980
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC19E4 1_2_02BC19E4
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC191C 1_2_02BC191C
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1CB8 1_2_02BC1CB8
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1C50 1_2_02BC1C50
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1D87 1_2_02BC1D87
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1DE8 1_2_02BC1DE8
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1D14 1_2_02BC1D14
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: USD18,620-00_swift-copy_mt103.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeRDTSC instruction interceptor: First address: 0000000002BC671A second address: 0000000002BC671A instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6A903A1645h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp cx, dx 0x00000020 pop ecx 0x00000021 cmp dl, dl 0x00000023 jmp 00007F6A903A163Ah 0x00000025 test dh, dh 0x00000027 add edi, edx 0x00000029 dec ecx 0x0000002a cmp ecx, 00000000h 0x0000002d jne 00007F6A903A1540h 0x00000033 jmp 00007F6A903A163Ah 0x00000035 test dh, dh 0x00000037 push ecx 0x00000038 test ecx, 8A763D23h 0x0000003e call 00007F6A903A16B5h 0x00000043 call 00007F6A903A1655h 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC5290 rdtsc 1_2_02BC5290
      Source: USD18,620-00_swift-copy_mt103.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

      Anti Debugging:

      barindex
      Potentially malicious time measurement code foundShow sources
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1049 Start: 02BC144F End: 02BC11C01_2_02BC1049
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC1160 Start: 02BC144F End: 02BC11C01_2_02BC1160
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC5290 rdtsc 1_2_02BC5290
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC636A mov eax, dword ptr fs:[00000030h]1_2_02BC636A
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC4118 mov eax, dword ptr fs:[00000030h]1_2_02BC4118
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BCC104 mov eax, dword ptr fs:[00000030h]1_2_02BCC104
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BCC144 mov eax, dword ptr fs:[00000030h]1_2_02BCC144
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC4600 mov eax, dword ptr fs:[00000030h]1_2_02BC4600
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC465C mov eax, dword ptr fs:[00000030h]1_2_02BC465C
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC45B2 mov eax, dword ptr fs:[00000030h]1_2_02BC45B2
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC458C mov eax, dword ptr fs:[00000030h]1_2_02BC458C
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC3567 mov eax, dword ptr fs:[00000030h]1_2_02BC3567
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BCAB24 mov eax, dword ptr fs:[00000030h]1_2_02BCAB24
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BCD9B3 mov eax, dword ptr fs:[00000030h]1_2_02BCD9B3
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BCD9FB mov eax, dword ptr fs:[00000030h]1_2_02BCD9FB
      Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.750838494.0000000000D90000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
      Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.750838494.0000000000D90000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.750838494.0000000000D90000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.750838494.0000000000D90000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeCode function: 1_2_02BC3055 cpuid 1_2_02BC3055
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exeQueries volume information: C:\ VolumeInformationJump to behavior

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Process Injection1OS Credential DumpingSecurity Software Discovery311Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsObfuscated Files or Information1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerSystem Information Discovery221SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.