
Analysis Report PHOTOCHLORINATION.exe

Overview

General Information

Sample Name:PHOTOCHLORINATION.exe
Analysis ID:377790
MD5:584c030ac9abd52c2347214088b1fa14
SHA1:6deb5d5b469ba5f63e937bb093281911eab7c054
SHA256:59662ea91566a6d7578243f8f9ad28d84c2908ba17be418f0a45cdd218272b0b
Tags:GuLoader

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • PHOTOCHLORINATION.exe (PID: 3000 cmdline: 'C:\Users\user\Desktop\PHOTOCHLORINATION.exe' MD5: 584C030AC9ABD52C2347214088B1FA14)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: PHOTOCHLORINATION.exe PID: 3000
Rule: JoeSecurity_VB6DownloaderGeneric | Description: Yara detected VB6 Downloader Generic | Author: Joe Security

Source: Process Memory Space: PHOTOCHLORINATION.exe PID: 3000
Rule: JoeSecurity_GuLoader | Description: Yara detected GuLoader | Author: Joe Security

      Sigma Overview

      No Sigma rule has matched

      Signature Overview


      AV Detection:

      Multi AV Scanner detection for submitted file
      Source: PHOTOCHLORINATION.exe | Virustotal: Detection: 27%
      Source: PHOTOCHLORINATION.exe | ReversingLabs: Detection: 10%
      Machine Learning detection for sample
      Source: PHOTOCHLORINATION.exe | Joe Sandbox ML: detected

      System Summary:

      Uses 32bit PE files
      Source: PHOTOCHLORINATION.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Abnormal high CPU Usage
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Process Stats: CPU usage > 98%
      Detected potential crypto function
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00409131
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_0040942D
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_004094BA
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00409350
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00427AAC
      Sample file is different than original file name gathered from version info
      Source: PHOTOCHLORINATION.exe, 00000000.00000002.1173852011.0000000002130000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PHOTOCHLORINATION.exe
      Source: classification engine | Classification label: mal84.troj.evad.winEXE@1/0@0/0
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | File created: C:\Users\user\AppData\Local\Temp\~DF14F9078FF1501F8C.TMP
      Source: PHOTOCHLORINATION.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: Process Memory Space: PHOTOCHLORINATION.exe PID: 3000, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: PHOTOCHLORINATION.exe PID: 3000, type: MEMORY
      PE file contains an invalid checksum
      Source: PHOTOCHLORINATION.exe | Static PE information: real checksum: 0x24302 should be: 0x1df4d
      Uses code obfuscation techniques (call, push, ret)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00409131 push ecx; ret (0_2_00409160)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00407C50 pushfd ; iretd (0_2_00407C52)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00406497 push ebx; retf (0_2_004064C5)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_004078A5 pushfd ; ret (0_2_004079BA)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_0040A0B1 push CF58EBC2h; retn 58EBh (0_2_0040A0AD)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_0040912A push ecx; ret (0_2_00409130)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00408DC9 push ss; retf (0_2_00408DCA)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00408E4A pushfd ; iretd (0_2_00408E4E)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_0040660D push ebx; retf (0_2_0040660E)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00407694 pushfd ; ret (0_2_004079BA)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00421C71 push 39B0D224h; retf (0_2_00421C89)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_004208C9 push E8D18566h; retf 0055h (0_2_004208E5)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00424CD1 push 38B0D224h; ret (0_2_00424D09)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00423515 push 38B0D224h; ret (0_2_0042352D)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00423A39 push C9D38566h; retn 0004h (0_2_00423A55)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_004252F9 push 39B0D224h; retf (0_2_00425331)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00421A89 push 39B0D224h; retf (0_2_00421AA1)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_004227C5 push ebx; ret (0_2_004227EA)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00421BF9 push 39B0D224h; retf (0_2_00421C11)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Process information set: NOOPENFILEERRORBOX
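The "PE file contains an invalid checksum" finding above ("real checksum: 0x24302 should be: 0x1df4d") can be reproduced on any file with the checksum routine the Windows loader and imagehlp's CheckSumMappedFile use: a 16-bit one's-complement sum over the whole image, skipping the CheckSum dword itself, plus the file length. The following is an added example, not code from the report or from the sample; the minimal image it builds is constructed for the demonstration and carries a deliberately wrong stored CheckSum so the mismatch path is exercised.

```c
/* Added example: recompute the PE optional-header CheckSum. Not from the
 * report; the image built by build_sample_image() is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 16-bit one's-complement sum over the file, skipping the 4-byte CheckSum
 * field at checksum_off, folded to 16 bits, plus the file length. */
uint32_t pe_checksum(const uint8_t *img, size_t len, size_t checksum_off)
{
    uint64_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2) {
        if (i >= checksum_off && i < checksum_off + 4)
            continue;                               /* skip the field itself */
        sum += (uint16_t)(img[i] | (img[i + 1] << 8));
        sum = (sum & 0xFFFF) + (sum >> 16);         /* end-around carry */
    }
    if (len & 1)
        sum += img[len - 1];                        /* odd trailing byte */
    sum = (sum & 0xFFFF) + (sum >> 16);
    sum += sum >> 16;
    sum &= 0xFFFF;
    return (uint32_t)(sum + len);
}

/* Locate CheckSum at e_lfanew + 4 (signature) + 20 (FILE_HEADER) + 64,
 * fill computed/stored and return 1, or return 0 for a malformed image. */
int pe_checksum_of_image(const uint8_t *img, size_t len,
                         uint32_t *computed, uint32_t *stored)
{
    size_t e_lfanew, off;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    e_lfanew = rd_le32(img + 0x3C);
    if (e_lfanew + 4 + 20 + 64 + 4 > len) return 0;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return 0;
    off = e_lfanew + 4 + 20 + 64;
    *stored = rd_le32(img + off);
    *computed = pe_checksum(img, len, off);
    return 1;
}

/* Constructed minimal image: MZ, e_lfanew = 0x40, "PE\0\0", Machine = I386,
 * stored CheckSum = 0xFFFFFFFF (wrong on purpose). Returns the image length. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const size_t len = 0xA0;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                   /* e_lfanew */
    buf[0x40] = 'P'; buf[0x41] = 'E';   /* "PE\0\0" */
    buf[0x44] = 0x4C; buf[0x45] = 0x01; /* FileHeader.Machine = 0x014C */
    memset(buf + 0x98, 0xFF, 4);        /* OptionalHeader.CheckSum */
    return len;
}

int main(void)
{
    uint8_t buf[0xA0];
    uint32_t computed, stored;
    size_t n = build_sample_image(buf, sizeof buf);
    if (pe_checksum_of_image(buf, n, &computed, &stored))
        printf("real checksum: 0x%x should be: 0x%x -> %s\n", stored, computed,
               stored == computed ? "ok" : "invalid");
    return 0;
}
```

On its own a bad checksum is weak evidence: many toolchains and packers leave the field zero or stale, and the loader only enforces it for kernel drivers and certain system DLLs. Its value here is as one more sign that the file was modified after linking, which is consistent with the packed VB6 wrapper the Yara hits describe.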

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00422833
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_004228C5
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00422887
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_0042294B
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00422917
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00421937
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_004229E5
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00422991
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00422A61
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00422A1B
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00421283
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00421280
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00422AB5
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00421F4F
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00422B6B
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00421F76
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00422B15
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00421F19
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_004227EE
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_004227F1
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00421FA3
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00422BA7
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | RDTSC instruction interceptor: First address: 0000000000426276 second address: 0000000000426276 instructions:
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: PHOTOCHLORINATION.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: PHOTOCHLORINATION.exe, 00000000.00000002.1172940359.0000000000420000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEW
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | RDTSC instruction interceptor: First address: 0000000000426276 second address: 0000000000426276 instructions:
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00409131 rdtsc
      Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: PHOTOCHLORINATION.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: PHOTOCHLORINATION.exe, 00000000.00000002.1172940359.0000000000420000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeW
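The three timing-related signatures above (CPUID execution measurement, RDTSC time measurements, and the RDTSC dummy sequence) describe one technique: CPUID is unconditionally intercepted under VT-x and AMD-V, so every execution costs a VM exit, and timing it with RDTSC separates bare metal (tens to a few hundred ticks) from a hypervisor (typically well over a thousand). The block below is an added example of that check, not code from the report or recovered from the sample; the 64-sample count and the 1000-tick threshold are assumptions, the measurement compiles only on x86, and the decision logic is kept separate so it can be exercised on constructed timings.

```c
/* Added example: CPUID cost measured with RDTSC, as an evasion check would
 * do it. Not from the report; THRESHOLD and SAMPLES are assumed values. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc() */
#include <cpuid.h>       /* __cpuid() */
#define HAVE_X86_TIMING 1
#else
#define HAVE_X86_TIMING 0
#endif

/* TSC ticks spent in one CPUID (leaf 0) execution; 0 when not built on x86. */
uint64_t time_one_cpuid(void)
{
#if HAVE_X86_TIMING
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);          /* the intercepted instruction */
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Upper median of n samples, so a single interrupt or context switch that
 * inflates one measurement does not flip the verdict. Returns 0 for n == 0. */
uint64_t median_cycles(const uint64_t *samples, size_t n)
{
    uint64_t *tmp, m;
    if (n == 0) return 0;
    tmp = malloc(n * sizeof *tmp);
    if (tmp == NULL) return 0;
    memcpy(tmp, samples, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    m = tmp[n / 2];
    free(tmp);
    return m;
}

/* The verdict a loader acts on: 1 = hypervisor suspected, 0 = bare metal. */
int looks_virtualized(const uint64_t *samples, size_t n, uint64_t threshold)
{
    return median_cycles(samples, n) > threshold;
}

#define SAMPLES   64
#define THRESHOLD 1000   /* assumed cut-off in TSC ticks; CPU-dependent */

int main(void)
{
    uint64_t s[SAMPLES];
    size_t i;
    for (i = 0; i < SAMPLES; i++)
        s[i] = time_one_cpuid();
    printf("median cpuid cost: %llu ticks -> %s\n",
           (unsigned long long)median_cycles(s, SAMPLES),
           looks_virtualized(s, SAMPLES, THRESHOLD) ? "VM suspected" : "bare metal");
    return 0;
}
```

The "RDTSC instruction interceptor" lines are the sandbox's side of this exchange: it traps RDTSC so it can observe the two reads and, if it chooses, return a counter that hides the exit cost. "Instruction hammering" refers to the filler instructions a loader executes between the two reads, which makes instruction-level emulation or single-step instrumentation disproportionately slow and so widens the gap the check measures; the "Found potential dummy code loops" and sustained >90% CPU findings later in the report are consistent with that.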

      Anti Debugging:

      Found potential dummy code loops (likely to delay analysis)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Process Stats: CPU usage > 90% for more than 60s
      Contains functionality for execution timing, often used to detect debuggers
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00409131 rdtsc
      Contains functionality to read the PEB
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_0042688D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00426897 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00421937 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_004221C0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_004221FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_0042327C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_0042575C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_00425FC9 mov eax, dword ptr fs:[00000030h]
      Source: PHOTOCHLORINATION.exe, 00000000.00000002.1173641561.0000000000CA0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: PHOTOCHLORINATION.exe, 00000000.00000002.1173641561.0000000000CA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: PHOTOCHLORINATION.exe, 00000000.00000002.1173641561.0000000000CA0000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: PHOTOCHLORINATION.exe, 00000000.00000002.1173641561.0000000000CA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Contains functionality to query CPU information (cpuid)
      Source: C:\Users\user\Desktop\PHOTOCHLORINATION.exe | Code function: 0_2_004263D9 cpuid
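The PEB reads (mov eax, fs:[30h]), the rdtsc and cpuid hits, and the push/ret sequences listed under Data Obfuscation are all fixed byte patterns, which is how a static signature finds them in a memory dump. The block below is an added example, not code from the report or from Joe Sandbox: it counts those patterns in a code buffer and resolves push imm32; ret to the jump target it disguises (push imm32 followed by ret is a jmp imm32 with no visible branch). The input buffer is constructed for the demonstration and nothing in it is taken from PHOTOCHLORINATION.exe. Because this is a raw byte scan rather than a disassembly, a hit can fall inside an immediate or across instruction boundaries; treat counts as leads to confirm in a disassembler, and run it on the unpacked process memory, since the file-level strings are not where the report's Yara rules matched.

```c
/* Added example: byte-pattern scanner for rdtsc, cpuid, PEB reads and
 * push/ret. Not from the report; sample_code[] is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    size_t   rdtsc;                 /* 0F 31 */
    size_t   cpuid;                 /* 0F A2 */
    size_t   peb_reads;             /* mov r32, fs:[30h] */
    size_t   push_ret;              /* push imm32; ret / retn imm16 */
    uint32_t last_push_ret_target;  /* imm32 of the last push/ret = jmp target */
} scan_result;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

scan_result scan_code(const uint8_t *buf, size_t len)
{
    scan_result r;
    size_t i = 0;
    memset(&r, 0, sizeof r);

    while (i < len) {
        size_t left = len - i;
        const uint8_t *p = buf + i;

        if (left >= 2 && p[0] == 0x0F && p[1] == 0x31) { r.rdtsc++; i += 2; continue; }
        if (left >= 2 && p[0] == 0x0F && p[1] == 0xA2) { r.cpuid++; i += 2; continue; }

        /* mov eax, fs:[30h]: short form 64 A1 disp32 */
        if (left >= 6 && p[0] == 0x64 && p[1] == 0xA1 &&
            p[2] == 0x30 && p[3] == 0 && p[4] == 0 && p[5] == 0) {
            r.peb_reads++; i += 6; continue;
        }
        /* mov r32, fs:[disp32]: 64 8B modrm(mod=00, rm=101) disp32 == 0x30 */
        if (left >= 7 && p[0] == 0x64 && p[1] == 0x8B && (p[2] & 0xC7) == 0x05 &&
            p[3] == 0x30 && p[4] == 0 && p[5] == 0 && p[6] == 0) {
            r.peb_reads++; i += 7; continue;
        }
        /* push imm32 (68 imm32) followed by ret (C3) or retn imm16 (C2 iw) */
        if (left >= 6 && p[0] == 0x68 &&
            (p[5] == 0xC3 || (p[5] == 0xC2 && left >= 8))) {
            r.push_ret++;
            r.last_push_ret_target = rd_le32(p + 1);
            i += (p[5] == 0xC3) ? 6 : 8;
            continue;
        }
        i++;
    }
    return r;
}

/* Constructed input mixing the patterns above with ordinary code. */
static const uint8_t sample_code[] = {
    0x0F, 0x31,                               /* rdtsc                 */
    0x33, 0xC0,                               /* xor eax, eax          */
    0x0F, 0xA2,                               /* cpuid                 */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,       /* mov eax, fs:[30h]     */
    0x64, 0x8B, 0x1D, 0x30, 0x00, 0x00, 0x00, /* mov ebx, fs:[30h]     */
    0x68, 0x00, 0x10, 0x40, 0x00,             /* push 00401000h        */
    0xC3,                                     /* ret => jmp 00401000h  */
    0x0F, 0x31,                               /* rdtsc                 */
};

scan_result scan_sample(void)
{
    return scan_code(sample_code, sizeof sample_code);
}

int main(void)
{
    scan_result r = scan_sample();
    printf("rdtsc=%zu cpuid=%zu peb_reads=%zu push/ret=%zu (last target 0x%08X)\n",
           r.rdtsc, r.cpuid, r.peb_reads, r.push_ret, r.last_push_ret_target);
    return 0;
}
```

What the PEB read is for: fs:[30h] points at the PEB on 32-bit Windows, and the fields a loader checks there are BeingDebugged (offset 2) and NtGlobalFlag (offset 0x68), which reveal an attached debugger and the heap-debug flags a debugger-launched process inherits. That is why the report files these reads under Anti Debugging rather than with the sandbox checks.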

      Mitre Att&ck Matrix

      Techniques with a match count on this sample (the count marker is reproduced as the page shows it; matrix cells without a count are the unmatched template):

      • Privilege Escalation: Process Injection 1
      • Defense Evasion: Virtualization/Sandbox Evasion 11; Process Injection 1; Obfuscated Files or Information 1
      • Discovery: Security Software Discovery 511; Virtualization/Sandbox Evasion 11; Process Discovery 1; System Information Discovery 311
      • Collection: Archive Collected Data 1
      • Command and Control: Encrypted Channel 1

      Behavior Graph

      [Behavior graph image not included]
