Loading ...

Play interactive tourEdit tour

Analysis Report Order 3350191107102300.bat.exe

Overview

General Information

Sample Name:Order 3350191107102300.bat.exe
Analysis ID:356750
MD5:7e7df58fd2de6dddae514d65a55ea92d
SHA1:6d2753aa52a78273a1aad5b9f9aaa422395a80d4
SHA256:96861b47729d7e9e4af5c1b016900631339c8357a614cf4fb02ebfbbadece8ff
Tags:exeGuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: Order 3350191107102300.bat.exe PID: 3276JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
    Process Memory Space: Order 3350191107102300.bat.exe PID: 3276JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: Order 3350191107102300.bat.exeVirustotal: Detection: 39%Perma Link
      Source: Order 3350191107102300.bat.exeReversingLabs: Detection: 37%

      Compliance:

      barindex
      Uses 32bit PE filesShow sources
      Source: Order 3350191107102300.bat.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: Order 3350191107102300.bat.exe, 00000000.00000002.744618411.000000000078A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      System Summary:

      barindex
      Potential malicious icon foundShow sources
      Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
      Initial sample is a PE file and has a suspicious nameShow sources
      Source: initial sampleStatic PE information: Filename: Order 3350191107102300.bat.exe
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeProcess Stats: CPU usage > 98%
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_004012C40_2_004012C4
      Source: Order 3350191107102300.bat.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Order 3350191107102300.bat.exe, 00000000.00000000.218631460.000000000040F000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCODFISH.exe vs Order 3350191107102300.bat.exe
      Source: Order 3350191107102300.bat.exe, 00000000.00000002.744578137.0000000000750000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Order 3350191107102300.bat.exe
      Source: Order 3350191107102300.bat.exeBinary or memory string: OriginalFilenameCODFISH.exe vs Order 3350191107102300.bat.exe
      Source: Order 3350191107102300.bat.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: classification engineClassification label: mal80.rans.troj.evad.winEXE@1/0@0/0
      Source: Order 3350191107102300.bat.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: Order 3350191107102300.bat.exeVirustotal: Detection: 39%
      Source: Order 3350191107102300.bat.exeReversingLabs: Detection: 37%

      Data Obfuscation:

      barindex
      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: Process Memory Space: Order 3350191107102300.bat.exe PID: 3276, type: MEMORY
      Yara detected VB6 Downloader GenericShow sources
      Source: Yara matchFile source: Process Memory Space: Order 3350191107102300.bat.exe PID: 3276, type: MEMORY
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_0040504D push edi; ret 0_2_00405055
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_00404A52 pushad ; iretd 0_2_00404A5C
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_00405062 push edi; ret 0_2_0040506D
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_0040522D pushfd ; retf 0_2_00405230
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_00405C3C pushfd ; ret 0_2_00405C47
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_00403CCC push ecx; ret 0_2_00403CCD
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_00408972 push ebx; retf 0_2_00408975
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_00409102 pushad ; iretd 0_2_00409108
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_00408926 pushad ; retf 0_2_00408940
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_004059A8 push cs; ret 0_2_004059A9
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A862B0 push eax; ret 0_2_02A862B1
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A85E99 push F6FE382Ah; ret 0_2_02A85E9F
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A83E9F push ebx; iretd 0_2_02A83EA0
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A84628 pushfd ; retf 0_2_02A84634
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A85B34 push edi; ret 0_2_02A85B36
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A8347F push eax; ret 0_2_02A83488
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A81951 push es; retf 0_2_02A81952
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: Order 3350191107102300.bat.exe, 00000000.00000002.746595733.0000000002A80000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEF9
      Source: Order 3350191107102300.bat.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeRDTSC instruction interceptor: First address: 0000000002A83066 second address: 0000000002A83066 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F2BA038A159h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test cx, 6B86h 0x00000022 pop ecx 0x00000023 jmp 00007F2BA038A152h 0x00000025 test eax, eax 0x00000027 add edi, edx 0x00000029 cmp bl, cl 0x0000002b dec ecx 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F2BA038A0F2h 0x00000031 cmp bl, dl 0x00000033 push ecx 0x00000034 cmp eax, ecx 0x00000036 test ch, ah 0x00000038 call 00007F2BA038A178h 0x0000003d call 00007F2BA038A169h 0x00000042 lfence 0x00000045 mov edx, dword ptr [7FFE0014h] 0x0000004b lfence 0x0000004e ret 0x0000004f mov esi, edx 0x00000051 pushad 0x00000052 rdtsc
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A8329B rdtsc 0_2_02A8329B
      Source: Order 3350191107102300.bat.exe, 00000000.00000002.746595733.0000000002A80000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exef9
      Source: Order 3350191107102300.bat.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A8329B rdtsc 0_2_02A8329B
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A82EE9 mov eax, dword ptr fs:[00000030h]0_2_02A82EE9
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A81FD2 mov eax, dword ptr fs:[00000030h]0_2_02A81FD2
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A81FD7 mov eax, dword ptr fs:[00000030h]0_2_02A81FD7
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A858EA mov eax, dword ptr fs:[00000030h]0_2_02A858EA
      Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exeCode function: 0_2_02A854F3 mov eax, dword ptr fs:[00000030h]0_2_02A854F3
      Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
      Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
      Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmpBinary or memory string: Progmanlock

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Process Injection1Input Capture1Security Software Discovery211Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsObfuscated Files or Information1LSASS MemoryProcess Discovery1Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerSystem Information Discovery11SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.