Analysis Report PHOTOCHLORINATION.exe

Overview

General Information

Sample Name: PHOTOCHLORINATION.exe
Analysis ID: 377790
MD5: 584c030ac9abd52c2347214088b1fa14
SHA1: 6deb5d5b469ba5f63e937bb093281911eab7c054
SHA256: 59662ea91566a6d7578243f8f9ad28d84c2908ba17be418f0a45cdd218272b0b
Tags: GuLoader

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: PHOTOCHLORINATION.exe Virustotal: Detection: 27%
Source: PHOTOCHLORINATION.exe ReversingLabs: Detection: 10%
Machine Learning detection for sample
Source: PHOTOCHLORINATION.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: PHOTOCHLORINATION.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00409131 0_2_00409131
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_0040942D 0_2_0040942D
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_004094BA 0_2_004094BA
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00409350 0_2_00409350
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00427AAC 0_2_00427AAC
Sample file is different than original file name gathered from version info
Source: PHOTOCHLORINATION.exe, 00000000.00000002.1173852011.0000000002130000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PHOTOCHLORINATION.exe
Uses 32bit PE files
Source: PHOTOCHLORINATION.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe File created: C:\Users\user\AppData\Local\Temp\~DF14F9078FF1501F8C.TMP
Source: PHOTOCHLORINATION.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PHOTOCHLORINATION.exe Virustotal: Detection: 27%
Source: PHOTOCHLORINATION.exe ReversingLabs: Detection: 10%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: PHOTOCHLORINATION.exe PID: 3000, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: PHOTOCHLORINATION.exe PID: 3000, type: MEMORY
PE file contains an invalid checksum
Source: PHOTOCHLORINATION.exe Static PE information: real checksum: 0x24302 should be: 0x1df4d
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00409131 push ecx; ret 0_2_00409160
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00407C50 pushfd ; iretd 0_2_00407C52
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00406497 push ebx; retf 0_2_004064C5
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_004078A5 pushfd ; ret 0_2_004079BA
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_0040A0B1 push CF58EBC2h; retn 58EBh 0_2_0040A0AD
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_0040912A push ecx; ret 0_2_00409130
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00408DC9 push ss; retf 0_2_00408DCA
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00408E4A pushfd ; iretd 0_2_00408E4E
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_0040660D push ebx; retf 0_2_0040660E
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00407694 pushfd ; ret 0_2_004079BA
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00421C71 push 39B0D224h; retf 0_2_00421C89
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_004208C9 push E8D18566h; retf 0055h 0_2_004208E5
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00424CD1 push 38B0D224h; ret 0_2_00424D09
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00423515 push 38B0D224h; ret 0_2_0042352D
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00423A39 push C9D38566h; retn 0004h 0_2_00423A55
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_004252F9 push 39B0D224h; retf 0_2_00425331
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00421A89 push 39B0D224h; retf 0_2_00421AA1
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_004227C5 push ebx; ret 0_2_004227EA
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00421BF9 push 39B0D224h; retf 0_2_00421C11
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00422833 0_2_00422833
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_004228C5 0_2_004228C5
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00422887 0_2_00422887
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_0042294B 0_2_0042294B
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00422917 0_2_00422917
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00421937 0_2_00421937
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_004229E5 0_2_004229E5
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00422991 0_2_00422991
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00422A61 0_2_00422A61
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00422A1B 0_2_00422A1B
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00421283 0_2_00421283
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00421280 0_2_00421280
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00422AB5 0_2_00422AB5
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00421F4F 0_2_00421F4F
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00422B6B 0_2_00422B6B
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00421F76 0_2_00421F76
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00422B15 0_2_00422B15
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00421F19 0_2_00421F19
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_004227EE 0_2_004227EE
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_004227F1 0_2_004227F1
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00421FA3 0_2_00421FA3
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00422BA7 0_2_00422BA7
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe RDTSC instruction interceptor: First address: 0000000000426276 second address: 0000000000426276 instructions:
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PHOTOCHLORINATION.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: PHOTOCHLORINATION.exe, 00000000.00000002.1172940359.0000000000420000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEW
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe RDTSC instruction interceptor: First address: 0000000000426276 second address: 0000000000426276 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00409131 rdtsc 0_2_00409131
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: PHOTOCHLORINATION.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: PHOTOCHLORINATION.exe, 00000000.00000002.1172940359.0000000000420000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeW

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00409131 rdtsc 0_2_00409131
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_0042688D mov eax, dword ptr fs:[00000030h] 0_2_0042688D
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00426897 mov eax, dword ptr fs:[00000030h] 0_2_00426897
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00421937 mov eax, dword ptr fs:[00000030h] 0_2_00421937
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_004221C0 mov eax, dword ptr fs:[00000030h] 0_2_004221C0
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_004221FB mov eax, dword ptr fs:[00000030h] 0_2_004221FB
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_0042327C mov eax, dword ptr fs:[00000030h] 0_2_0042327C
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_0042575C mov eax, dword ptr fs:[00000030h] 0_2_0042575C
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_00425FC9 mov eax, dword ptr fs:[00000030h] 0_2_00425FC9
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: PHOTOCHLORINATION.exe, 00000000.00000002.1173641561.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: PHOTOCHLORINATION.exe, 00000000.00000002.1173641561.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: PHOTOCHLORINATION.exe, 00000000.00000002.1173641561.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: PHOTOCHLORINATION.exe, 00000000.00000002.1173641561.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe Code function: 0_2_004263D9 cpuid 0_2_004263D9

Behavior Graph

Behavior Graph ID: 377790
Sample: PHOTOCHLORINATION.exe
Startdate: 29/03/2021
Architecture: WINDOWS
Score: 84

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Machine Learning detection for sample; 2 other signatures

Process started: PHOTOCHLORINATION.exe
Process-level signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Found potential dummy code loops (likely to delay analysis); Tries to detect virtualization through RDTSC time measurements
No contacted IP infos