
Analysis Report SecuriteInfo.com.Variant.Razy.845229.20225.25607

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Razy.845229.20225.25607 (renamed file extension from 25607 to exe)
Analysis ID: 356588
MD5: 8eb163c0d46881f620662958e37ae6ed
SHA1: 6e4efaee511765eeed72eff90ae4eae26b0c162a
SHA256: 422cc4ab46ac67030dcf4da2b6211913c55dbc51962f578a6419ea52417db806


Detection

Family: GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Detected potential crypto function
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe | Virustotal: Detection: 30%
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe | ReversingLabs: Detection: 39%
Machine Learning detection for sample
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Code function: 0_2_00409834
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Code function: 0_2_00402BFE
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182245012.0000000002120000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Razy.845229.20225.exe
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182028704.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamepunktskatterintrave.exe vs SecuriteInfo.com.Variant.Razy.845229.20225.exe
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe | Binary or memory string: OriginalFilenamepunktskatterintrave.exe vs SecuriteInfo.com.Variant.Razy.845229.20225.exe
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | File created: C:\Users\user\AppData\Local\Temp\~DF81A51854DC3EFB29.TMP
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe | Virustotal: Detection: 30%
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe | ReversingLabs: Detection: 39%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.20225.exe PID: 7120, type: MEMORY
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe | Static PE information: real checksum: 0x29f52 should be: 0x23811
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Code function: 0_2_0040523D push ebp; retf 0_2_00405242
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Code function: 0_2_00408294 push ds; ret 0_2_0040829E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Code function: 0_2_0040792D push ecx; retf 0_2_0040792E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Code function: 0_2_00407FC9 push ecx; retf 0_2_0040800E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Code function: 0_2_0040139D push eax; retf 0_2_0040139E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182164198.0000000000750000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182164198.0000000000750000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.20225.exe | Process Stats: CPU usage > 90% for more than 60s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182178934.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182178934.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182178934.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: SecuriteInfo.com.Variant.Razy.845229.20225.exe, 00000000.00000002.1182178934.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

The matrix is listed per tactic; techniques matched by this sample carry their signature hit count in parentheses, the others are the unmatched cells of the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Virtualization/Sandbox Evasion (11); Process Injection (1); Obfuscated Files or Information (1); Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (11); Process Discovery (1); System Information Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Screenshots