Analysis Report FAKTURA I UWAGI.bat

Overview

General Information

Sample Name: FAKTURA I UWAGI.bat (renamed file extension from bat to exe)
Analysis ID: 357266
MD5: 2c3b4c255d8d786535c4832f5b7f7c0e
SHA1: 3cc1d799b6f92a338cffa35d74d52b1c4f19a91e
SHA256: 46c474c38fd679025142a453fc46243a91e0820d4ab0449aab0bd92c29d0ee30
Tags: GuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: FAKTURA I UWAGI.exe Virustotal: Detection: 42% Perma Link
Source: FAKTURA I UWAGI.exe ReversingLabs: Detection: 36%

Compliance:

barindex
Uses 32bit PE files
Source: FAKTURA I UWAGI.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

barindex
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_0040673C 1_2_0040673C
PE file contains strange resources
Source: FAKTURA I UWAGI.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: FAKTURA I UWAGI.exe, 00000001.00000000.200222774.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamedosissspiro.exe vs FAKTURA I UWAGI.exe
Source: FAKTURA I UWAGI.exe, 00000001.00000002.725896004.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs FAKTURA I UWAGI.exe
Source: FAKTURA I UWAGI.exe Binary or memory string: OriginalFilenamedosissspiro.exe vs FAKTURA I UWAGI.exe
Uses 32bit PE files
Source: FAKTURA I UWAGI.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0
Source: FAKTURA I UWAGI.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: FAKTURA I UWAGI.exe Virustotal: Detection: 42%
Source: FAKTURA I UWAGI.exe ReversingLabs: Detection: 36%

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: Process Memory Space: FAKTURA I UWAGI.exe PID: 6492, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: FAKTURA I UWAGI.exe PID: 6492, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_00406B41 push FFFFFFFFh; ret 1_2_00406B44
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_004065F7 push edx; ret 1_2_00406607
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E6893 push esi; retf 1_2_020E68A6
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E44CB pushad ; ret 1_2_020E44D3
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1A30 1_2_020E1A30
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1AA6 1_2_020E1AA6
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E56CF 1_2_020E56CF
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E56D2 1_2_020E56D2
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1AE3 1_2_020E1AE3
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1B49 1_2_020E1B49
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E176F 1_2_020E176F
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E179A 1_2_020E179A
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E17C9 1_2_020E17C9
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E17F6 1_2_020E17F6
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E184D 1_2_020E184D
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1C63 1_2_020E1C63
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E18B2 1_2_020E18B2
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1D2D 1_2_020E1D2D
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1D2B 1_2_020E1D2B
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1925 1_2_020E1925
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1958 1_2_020E1958
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1D52 1_2_020E1D52
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1D81 1_2_020E1D81
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1993 1_2_020E1993
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E19D9 1_2_020E19D9
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe RDTSC instruction interceptor: First address: 00000000020E596A second address: 00000000020E5829 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cl, al 0x0000000c mov eax, 00000539h 0x00000011 mov ecx, dword ptr [ebp+1Ch] 0x00000014 mov edx, 8802EDACh 0x00000019 cmp edx, FBBA1D1Eh 0x0000001f call 00007F030CBE3678h 0x00000024 jmp 00007F030CBE3C1Ah 0x00000026 test dh, ah 0x00000028 push esi 0x00000029 push edx 0x0000002a jmp 00007F030CBE3C1Eh 0x0000002c test bh, 00000007h 0x0000002f push ecx 0x00000030 jmp 00007F030CBE3C1Ah 0x00000032 cmp dh, ch 0x00000034 cmp eax, 00000539h 0x00000039 jne 00007F030CBE3C92h 0x0000003f jmp 00007F030CBE3C1Eh 0x00000041 cmp edi, 8CD470F3h 0x00000047 test dx, ax 0x0000004a test bh, dh 0x0000004c push 6DDB9555h 0x00000051 call 00007F030CBE3F42h 0x00000056 mov eax, dword ptr fs:[00000030h] 0x0000005c cmp cl, al 0x0000005e mov eax, dword ptr [eax+0Ch] 0x00000061 mov eax, dword ptr [eax+14h] 0x00000064 mov ecx, dword ptr [eax] 0x00000066 mov eax, ecx 0x00000068 cmp edx, 332BDEA8h 0x0000006e jmp 00007F030CBE3C2Bh 0x00000070 mov ebx, dword ptr [eax+28h] 0x00000073 cmp ebx, 00000000h 0x00000076 je 00007F030CBE3C29h 0x00000078 pushad 0x00000079 mov eax, 000000CAh 0x0000007e rdtsc
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe RDTSC instruction interceptor: First address: 00000000020E59D0 second address: 00000000020E59D0 instructions:
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: FAKTURA I UWAGI.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe RDTSC instruction interceptor: First address: 00000000020E5914 second address: 00000000020E596A instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp bx, ax 0x00000006 test ecx, ecx 0x00000008 test ax, dx 0x0000000b test bl, bl 0x0000000d jmp 00007F030C871BA2h 0x0000000f cmp cx, bx 0x00000012 push ss 0x00000013 pop ss 0x00000014 jmp 00007F030C871BA1h 0x00000016 pushad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe RDTSC instruction interceptor: First address: 00000000020E596A second address: 00000000020E5829 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cl, al 0x0000000c mov eax, 00000539h 0x00000011 mov ecx, dword ptr [ebp+1Ch] 0x00000014 mov edx, 8802EDACh 0x00000019 cmp edx, FBBA1D1Eh 0x0000001f call 00007F030CBE3678h 0x00000024 jmp 00007F030CBE3C1Ah 0x00000026 test dh, ah 0x00000028 push esi 0x00000029 push edx 0x0000002a jmp 00007F030CBE3C1Eh 0x0000002c test bh, 00000007h 0x0000002f push ecx 0x00000030 jmp 00007F030CBE3C1Ah 0x00000032 cmp dh, ch 0x00000034 cmp eax, 00000539h 0x00000039 jne 00007F030CBE3C92h 0x0000003f jmp 00007F030CBE3C1Eh 0x00000041 cmp edi, 8CD470F3h 0x00000047 test dx, ax 0x0000004a test bh, dh 0x0000004c push 6DDB9555h 0x00000051 call 00007F030CBE3F42h 0x00000056 mov eax, dword ptr fs:[00000030h] 0x0000005c cmp cl, al 0x0000005e mov eax, dword ptr [eax+0Ch] 0x00000061 mov eax, dword ptr [eax+14h] 0x00000064 mov ecx, dword ptr [eax] 0x00000066 mov eax, ecx 0x00000068 cmp edx, 332BDEA8h 0x0000006e jmp 00007F030CBE3C2Bh 0x00000070 mov ebx, dword ptr [eax+28h] 0x00000073 cmp ebx, 00000000h 0x00000076 je 00007F030CBE3C29h 0x00000078 pushad 0x00000079 mov eax, 000000CAh 0x0000007e rdtsc
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe RDTSC instruction interceptor: First address: 00000000020E59D0 second address: 00000000020E59D0 instructions:
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe RDTSC instruction interceptor: First address: 00000000020E5EC3 second address: 00000000020E2FED instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test dx, ax 0x0000000e test edx, edx 0x00000010 ret 0x00000011 cmp si, 7336h 0x00000016 test bl, cl 0x00000018 call 00007F030CBE66FFh 0x0000001d cmp dx, ax 0x00000020 call 00007F030CBE3AF1h 0x00000025 cmp ebx, ecx 0x00000027 jmp 00007F030CBE3C22h 0x00000029 test ecx, 4D23117Ah 0x0000002f cmp dh, ch 0x00000031 xor edi, edi 0x00000033 test dx, dx 0x00000036 mov ecx, 00A95F60h 0x0000003b cmp ecx, 7DEA00C7h 0x00000041 test dl, al 0x00000043 cmp cl, cl 0x00000045 push ecx 0x00000046 cmp cx, 8097h 0x0000004b call 00007F030CBE3C3Dh 0x00000050 call 00007F030CBE3C39h 0x00000055 lfence 0x00000058 mov edx, dword ptr [7FFE0014h] 0x0000005e lfence 0x00000061 ret 0x00000062 mov esi, edx 0x00000064 pushad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe RDTSC instruction interceptor: First address: 00000000020E2FED second address: 00000000020E2FED instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F030C871BA9h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e cmp eax, edx 0x00000020 add edi, edx 0x00000022 test cx, bx 0x00000025 dec ecx 0x00000026 cmp ecx, 00000000h 0x00000029 jne 00007F030C871B67h 0x0000002b cmp cl, cl 0x0000002d push ecx 0x0000002e cmp cx, 8097h 0x00000033 call 00007F030C871BBDh 0x00000038 call 00007F030C871BB9h 0x0000003d lfence 0x00000040 mov edx, dword ptr [7FFE0014h] 0x00000046 lfence 0x00000049 ret 0x0000004a mov esi, edx 0x0000004c pushad 0x0000004d rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1616 rdtsc 1_2_020E1616
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: FAKTURA I UWAGI.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1616 rdtsc 1_2_020E1616
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E2E36 mov eax, dword ptr fs:[00000030h] 1_2_020E2E36
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E530A mov eax, dword ptr fs:[00000030h] 1_2_020E530A
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E176F mov eax, dword ptr fs:[00000030h] 1_2_020E176F
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1FCA mov eax, dword ptr fs:[00000030h] 1_2_020E1FCA
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E57D8 mov eax, dword ptr fs:[00000030h] 1_2_020E57D8
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1FE0 mov eax, dword ptr fs:[00000030h] 1_2_020E1FE0
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E600D mov eax, dword ptr fs:[00000030h] 1_2_020E600D
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E600B mov eax, dword ptr fs:[00000030h] 1_2_020E600B
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E1D52 mov eax, dword ptr fs:[00000030h] 1_2_020E1D52
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: FAKTURA I UWAGI.exe, 00000001.00000002.725714003.0000000000C30000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: FAKTURA I UWAGI.exe, 00000001.00000002.725714003.0000000000C30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: FAKTURA I UWAGI.exe, 00000001.00000002.725714003.0000000000C30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: FAKTURA I UWAGI.exe, 00000001.00000002.725714003.0000000000C30000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe Code function: 1_2_020E56A5 cpuid 1_2_020E56A5
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 357266 Sample: FAKTURA I UWAGI.bat Startdate: 24/02/2021 Architecture: WINDOWS Score: 88 7 Potential malicious icon found 2->7 9 Multi AV Scanner detection for submitted file 2->9 11 Yara detected GuLoader 2->11 13 6 other signatures 2->13 5 FAKTURA I UWAGI.exe 2->5         started        process3
No contacted IP infos