Analysis Report Aflytter2.exe

Overview

General Information

Sample Name: Aflytter2.exe
Analysis ID: 379126
MD5: 327bdd165c67a077606d414d038ecda9
SHA1: b9b3803795af6f6c3c7e8a6c06a23652bb07769f
SHA256: be630a75cb81b3ed6624660e3c909867771e810e0733faa6dc8a571defa590d3
Tags: exe, GuLoader
Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains an invalid checksum
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Aflytter2.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: Aflytter2.exe ReversingLabs: Detection: 25%
Machine Learning detection for sample
Source: Aflytter2.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Aflytter2.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Aflytter2.exe, 00000000.00000002.1172614302.000000000073A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Aflytter2.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_00408F84 0_2_00408F84
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_00408FEF 0_2_00408FEF
Uses 32bit PE files
Source: Aflytter2.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Aflytter2.exe File created: C:\Users\user\AppData\Local\Temp\~DFD7FD3B0C05107E2A.TMP
Source: Aflytter2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Aflytter2.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Aflytter2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Aflytter2.exe ReversingLabs: Detection: 25%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: Aflytter2.exe PID: 7120, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Aflytter2.exe PID: 7120, type: MEMORY
PE file contains an invalid checksum
Source: Aflytter2.exe Static PE information: real checksum: 0x25dde should be: 0x25236
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004080B4 pushfd ; retf 0_2_004080B5
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_00404594 push ebx; ret 0_2_00404595
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F1006 push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F103E push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F10D8 push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F54EC push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F54EA push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F1165 push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F090B push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F111F push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F0FCD push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F0FC5 push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Aflytter2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Aflytter2.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F090B 0_2_004F090B
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F092C 0_2_004F092C
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F09C6 0_2_004F09C6
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F0983 0_2_004F0983
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F0A06 0_2_004F0A06
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F0A04 0_2_004F0A04
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F0A36 0_2_004F0A36
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F0A31 0_2_004F0A31
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F0AC6 0_2_004F0AC6
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F0A82 0_2_004F0A82
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F0B4D 0_2_004F0B4D
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F0B23 0_2_004F0B23
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Aflytter2.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Aflytter2.exe RDTSC instruction interceptor: First address: 000000000040931D second address: 000000000040931D instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 29h 0x00000005 cmp eax, 000000B6h 0x0000000a cmp eax, 000000EEh 0x0000000f cmp ebx, 000000FDh 0x00000015 cmp ebx, 000000B4h 0x0000001b cmp eax, 00000092h 0x00000020 fprem 0x00000022 fxch st(0), st(1) 0x00000024 psubd xmm5, xmm1 0x00000028 fmulp st(1), st(0) 0x0000002a fldlg2 0x0000002c fsub st(0), st(0) 0x0000002e jmp 00007F576C967319h 0x00000030 cmp eax, 2Ch 0x00000033 cmp eax, 1Ah 0x00000036 cmp eax, 000000ACh 0x0000003b cmp edi, 02EAFF40h 0x00000041 movd mm1, ebx 0x00000044 movd mm1, ebx 0x00000047 movd mm1, ebx 0x0000004a movd mm1, ebx 0x0000004d psrlw mm7, DAh 0x00000051 lfence 0x00000054 emms 0x00000056 fst st(5) 0x00000058 fyl2x 0x0000005a fmulp st(0), st(0) 0x0000005c wait 0x0000005d fninit 0x0000005f jmp 00007F576C967318h 0x00000061 jne 00007F576C967127h 0x00000067 inc edi 0x00000068 cmp ebx, 70h 0x0000006b cmp eax, 25h 0x0000006e cmp ebx, 000000BFh 0x00000074 cmp ebx, 000000CEh 0x0000007a cmp ebx, 07h 0x0000007d cmp eax, 000000DDh 0x00000082 punpckhwd mm3, mm4 0x00000085 fsincos 0x00000087 pcmpgtd xmm0, xmm2 0x0000008b fscale 0x0000008d punpckhbw mm3, mm4 0x00000090 psubusb xmm7, xmm2 0x00000094 psrad mm6, mm2 0x00000097 jmp 00007F576C967318h 0x00000099 cmp eax, 27h 0x0000009c rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe RDTSC instruction interceptor: First address: 00000000004F0508 second address: 00000000004F5E9B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F576C956E2Ah 0x00000005 cmp dh, ah 0x00000007 push 7F21185Bh 0x0000000c jmp 00007F576C956E2Ah 0x0000000e cmp dh, dh 0x00000010 push 3E17ADE6h 0x00000015 jmp 00007F576C956E2Ah 0x00000017 cmp edx, eax 0x00000019 push F21FD920h 0x0000001e test ebx, ecx 0x00000020 push 27AA3188h 0x00000025 test bx, cx 0x00000028 test eax, ebx 0x0000002a push DFCB8F12h 0x0000002f jmp 00007F576C956E2Ah 0x00000031 test bx, dx 0x00000034 cmp edx, ecx 0x00000036 test ax, cx 0x00000039 push 2D9CC76Ch 0x0000003e call 00007F576C95C6D7h 0x00000043 cmp ah, FFFFFFE7h 0x00000046 test edx, edx 0x00000048 cmp dh, ch 0x0000004a cmp bh, 00000014h 0x0000004d jmp 00007F576C956E2Ah 0x0000004f cmp dh, 0000003Ch 0x00000052 test cx, ax 0x00000055 pushad 0x00000056 lfence 0x00000059 rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe RDTSC instruction interceptor: First address: 00000000004F5EE8 second address: 00000000004F5F39 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esp, 00000100h 0x00000011 mov edi, esp 0x00000013 cmp ah, FFFFFFE8h 0x00000016 add esp, 00000100h 0x0000001c test edx, edx 0x0000001e mov dword ptr [edi+28h], eax 0x00000021 cmp dh, ch 0x00000023 mov esi, 0000F000h 0x00000028 jmp 00007F576C9672DAh 0x0000002a test ax, cx 0x0000002d test ebx, 05E8210Ch 0x00000033 test bl, cl 0x00000035 pushad 0x00000036 lfence 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe RDTSC instruction interceptor: First address: 00000000004F5F39 second address: 00000000004F5F90 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp ah, FFFFFF85h 0x0000000e add esi, 00001000h 0x00000014 test edx, edx 0x00000016 cmp esi, 0000F000h 0x0000001c je 00007F576C9570C7h 0x00000022 cmp dh, ch 0x00000024 cmp bh, FFFFFFF6h 0x00000027 jmp 00007F576C956E2Ah 0x00000029 cmp dh, FFFFFFCCh 0x0000002c cmp esi, 7FFFF000h 0x00000032 je 00007F576C957099h 0x00000038 test cx, ax 0x0000003b pushad 0x0000003c lfence 0x0000003f rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe RDTSC instruction interceptor: First address: 00000000004F5F90 second address: 00000000004F5FD5 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 00000000h 0x0000000d cmp ah, FFFFFFDCh 0x00000010 test edx, edx 0x00000012 push 0000001Ch 0x00000014 cmp dh, ch 0x00000016 push edi 0x00000017 cmp bh, FFFFFFA3h 0x0000001a cmp al, al 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f push FFFFFFFFh 0x00000021 jmp 00007F576C9672DAh 0x00000023 cmp edi, 25C79B16h 0x00000029 pushad 0x0000002a lfence 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe RDTSC instruction interceptor: First address: 00000000004F33A5 second address: 00000000004F33A5 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F576C956E34h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp ecx, ecx 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F576C956E2Ah 0x00000024 cmp bh, FFFFFFDCh 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F576C956DDDh 0x0000002d test cx, 237Ch 0x00000032 test dl, dl 0x00000034 push ecx 0x00000035 call 00007F576C956E4Bh 0x0000003a call 00007F576C956E44h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_00408F84 rdtsc 0_2_00408F84
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Aflytter2.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Aflytter2.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_00408F84 rdtsc 0_2_00408F84
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F54C2 mov eax, dword ptr fs:[00000030h] 0_2_004F54C2
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F5D5D mov eax, dword ptr fs:[00000030h] 0_2_004F5D5D
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F31F8 mov eax, dword ptr fs:[00000030h] 0_2_004F31F8
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F664B mov eax, dword ptr fs:[00000030h] 0_2_004F664B
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F660D mov eax, dword ptr fs:[00000030h] 0_2_004F660D
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F6632 mov eax, dword ptr fs:[00000030h] 0_2_004F6632
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F22EC mov eax, dword ptr fs:[00000030h] 0_2_004F22EC
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F22E6 mov eax, dword ptr fs:[00000030h] 0_2_004F22E6
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F2285 mov eax, dword ptr fs:[00000030h] 0_2_004F2285
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F231F mov eax, dword ptr fs:[00000030h] 0_2_004F231F
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Aflytter2.exe Code function: 0_2_004F0FC5 cpuid 0_2_004F0FC5
Behavior Graph ID: 379126 Sample: Aflytter2.exe Startdate: 31/03/2021 Architecture: WINDOWS Score: 88
Behavior graph (rendered graph not preserved; recoverable nodes listed here): sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 3 other signatures. Process started: Aflytter2.exe, with signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Found potential dummy code loops (likely to delay analysis); Tries to detect virtualization through RDTSC time measurements
No contacted IP infos