Analysis Report Order 3350191107102300.bat.exe

Overview

General Information

Sample Name: Order 3350191107102300.bat.exe
Analysis ID: 356750
MD5: 7e7df58fd2de6dddae514d65a55ea92d
SHA1: 6d2753aa52a78273a1aad5b9f9aaa422395a80d4
SHA256: 96861b47729d7e9e4af5c1b016900631339c8357a614cf4fb02ebfbbadece8ff
Tags: exeGuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: Order 3350191107102300.bat.exe Virustotal: Detection: 39% Perma Link
Source: Order 3350191107102300.bat.exe ReversingLabs: Detection: 37%

Compliance:

barindex
Uses 32bit PE files
Source: Order 3350191107102300.bat.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744618411.000000000078A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Order 3350191107102300.bat.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_004012C4 0_2_004012C4
PE file contains strange resources
Source: Order 3350191107102300.bat.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Order 3350191107102300.bat.exe, 00000000.00000000.218631460.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCODFISH.exe vs Order 3350191107102300.bat.exe
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744578137.0000000000750000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Order 3350191107102300.bat.exe
Source: Order 3350191107102300.bat.exe Binary or memory string: OriginalFilenameCODFISH.exe vs Order 3350191107102300.bat.exe
Uses 32bit PE files
Source: Order 3350191107102300.bat.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0
Source: Order 3350191107102300.bat.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Order 3350191107102300.bat.exe Virustotal: Detection: 39%
Source: Order 3350191107102300.bat.exe ReversingLabs: Detection: 37%

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: Process Memory Space: Order 3350191107102300.bat.exe PID: 3276, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Order 3350191107102300.bat.exe PID: 3276, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_0040504D push edi; ret 0_2_00405055
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_00404A52 pushad ; iretd 0_2_00404A5C
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_00405062 push edi; ret 0_2_0040506D
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_0040522D pushfd ; retf 0_2_00405230
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_00405C3C pushfd ; ret 0_2_00405C47
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_00403CCC push ecx; ret 0_2_00403CCD
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_00408972 push ebx; retf 0_2_00408975
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_00409102 pushad ; iretd 0_2_00409108
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_00408926 pushad ; retf 0_2_00408940
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_004059A8 push cs; ret 0_2_004059A9
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A862B0 push eax; ret 0_2_02A862B1
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A85E99 push F6FE382Ah; ret 0_2_02A85E9F
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A83E9F push ebx; iretd 0_2_02A83EA0
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A84628 pushfd ; retf 0_2_02A84634
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A85B34 push edi; ret 0_2_02A85B36
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A8347F push eax; ret 0_2_02A83488
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A81951 push es; retf 0_2_02A81952
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Order 3350191107102300.bat.exe, 00000000.00000002.746595733.0000000002A80000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEF9
Source: Order 3350191107102300.bat.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe RDTSC instruction interceptor: First address: 0000000002A83066 second address: 0000000002A83066 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F2BA038A159h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test cx, 6B86h 0x00000022 pop ecx 0x00000023 jmp 00007F2BA038A152h 0x00000025 test eax, eax 0x00000027 add edi, edx 0x00000029 cmp bl, cl 0x0000002b dec ecx 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F2BA038A0F2h 0x00000031 cmp bl, dl 0x00000033 push ecx 0x00000034 cmp eax, ecx 0x00000036 test ch, ah 0x00000038 call 00007F2BA038A178h 0x0000003d call 00007F2BA038A169h 0x00000042 lfence 0x00000045 mov edx, dword ptr [7FFE0014h] 0x0000004b lfence 0x0000004e ret 0x0000004f mov esi, edx 0x00000051 pushad 0x00000052 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A8329B rdtsc 0_2_02A8329B
Source: Order 3350191107102300.bat.exe, 00000000.00000002.746595733.0000000002A80000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exef9
Source: Order 3350191107102300.bat.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A8329B rdtsc 0_2_02A8329B
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A82EE9 mov eax, dword ptr fs:[00000030h] 0_2_02A82EE9
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A81FD2 mov eax, dword ptr fs:[00000030h] 0_2_02A81FD2
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A81FD7 mov eax, dword ptr fs:[00000030h] 0_2_02A81FD7
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A858EA mov eax, dword ptr fs:[00000030h] 0_2_02A858EA
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe Code function: 0_2_02A854F3 mov eax, dword ptr fs:[00000030h] 0_2_02A854F3
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356750 Sample: Order 3350191107102300.bat.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 80 7 Potential malicious icon found 2->7 9 Multi AV Scanner detection for submitted file 2->9 11 Yara detected GuLoader 2->11 13 4 other signatures 2->13 5 Order 3350191107102300.bat.exe 2->5         started        process3
No contacted IP infos