Analysis Report SecuriteInfo.com.Variant.Razy.845229.20225.25607

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Razy.845229.20225.25607 (renamed file extension from 25607 to exe)
Analysis ID: 356588
MD5: 8eb163c0d46881f620662958e37ae6ed
SHA1: 6e4efaee511765eeed72eff90ae4eae26b0c162a
SHA256: 422cc4ab46ac67030dcf4da2b6211913c55dbc51962f578a6419ea52417db806

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Detected potential crypto function
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe Virustotal: Detection: 30%
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe ReversingLabs: Detection: 39%
Machine Learning detection for sample
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe Code function: 0_2_00409834 0_2_00409834
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe Code function: 0_2_00402BFE 0_2_00402BFE
PE file contains strange resources
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182245012.0000000002120000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Razy.845229.20225.exe
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182028704.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamepunktskatterintrave.exe vs SecuriteInfo.com.Variant.Razy.845229.20225.exe
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe Binary or memory string: OriginalFilenamepunktskatterintrave.exe vs SecuriteInfo.com.Variant.Razy.845229.20225.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe File created: C:\Users\user\AppData\Local\Temp\~DF81A51854DC3EFB29.TMP
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe Virustotal: Detection: 30%
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe ReversingLabs: Detection: 39%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120, type: MEMORY
PE file contains an invalid checksum
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe Static PE information: real checksum: 0x29f52 should be: 0x23811
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe Code function: 0_2_0040523D push ebp; retf 0_2_00405242
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe Code function: 0_2_00408294 push ds; ret 0_2_0040829E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe Code function: 0_2_0040792D push ecx; retf 0_2_0040792E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe Code function: 0_2_00407FC9 push ecx; retf 0_2_0040800E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe Code function: 0_2_0040139D push eax; retf 0_2_0040139E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182164198.0000000000750000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182164198.0000000000750000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182178934.0000000000C20000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182178934.0000000000C20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182178934.0000000000C20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182178934.0000000000C20000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Behavior Graph (ID: 356588, Sample: SecuriteInfo.com.Variant.Ra..., Startdate: 23/02/2021, Architecture: WINDOWS, Score: 72): signatures on the sample node: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Machine Learning detection for sample; 2 other signatures. Process started: SecuriteInfo.com.Variant.Razy.845229.20225.exe. Signature on the process node: Found potential dummy code loops (likely to delay analysis).
No contacted IP information.