Analysis Report Aflytter2.exe

Overview

General Information

Sample Name: Aflytter2.exe
Analysis ID: 379126
MD5: 327bdd165c67a077606d414d038ecda9
SHA1: b9b3803795af6f6c3c7e8a6c06a23652bb07769f
SHA256: be630a75cb81b3ed6624660e3c909867771e810e0733faa6dc8a571defa590d3
Tags: exe, GuLoader

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains an invalid checksum
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • Aflytter2.exe (PID: 7120 cmdline: 'C:\Users\user\Desktop\Aflytter2.exe' MD5: 327BDD165C67A077606D414D038ECDA9)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: Aflytter2.exe PID: 7120 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: Aflytter2.exe PID: 7120 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Aflytter2.exe; Avira: detected
Multi AV Scanner detection for submitted file
Source: Aflytter2.exe; ReversingLabs: Detection: 25%
Machine Learning detection for sample
Source: Aflytter2.exe; Joe Sandbox ML: detected
Source: Aflytter2.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Aflytter2.exe, 00000000.00000002.1172614302.000000000073A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Aflytter2.exe; Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_00408F84
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_00408FEF
Source: classification engine; Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Aflytter2.exe; File created: C:\Users\user\AppData\Local\Temp\~DFD7FD3B0C05107E2A.TMP
Source: Aflytter2.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Aflytter2.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Aflytter2.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match; File source: Process Memory Space: Aflytter2.exe PID: 7120, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match; File source: Process Memory Space: Aflytter2.exe PID: 7120, type: MEMORY
Source: Aflytter2.exe; Static PE information: real checksum: 0x25dde should be: 0x25236
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004080B4 pushfd ; retf 0_2_004080B5
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_00404594 push ebx; ret 0_2_00404595
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F1006 push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F103E push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F10D8 push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F54EC push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F54EA push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F1165 push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F090B push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F111F push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F0FCD push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F0FC5 push esp; iretd 0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F090B
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F092C
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F09C6
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F0983
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F0A06
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F0A04
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F0A36
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F0A31
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F0AC6
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F0A82
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F0B4D
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F0B23
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Aflytter2.exe; Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Aflytter2.exe; RDTSC instruction interceptor: First address: 000000000040931D second address: 000000000040931D instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 29h 0x00000005 cmp eax, 000000B6h 0x0000000a cmp eax, 000000EEh 0x0000000f cmp ebx, 000000FDh 0x00000015 cmp ebx, 000000B4h 0x0000001b cmp eax, 00000092h 0x00000020 fprem 0x00000022 fxch st(0), st(1) 0x00000024 psubd xmm5, xmm1 0x00000028 fmulp st(1), st(0) 0x0000002a fldlg2 0x0000002c fsub st(0), st(0) 0x0000002e jmp 00007F576C967319h 0x00000030 cmp eax, 2Ch 0x00000033 cmp eax, 1Ah 0x00000036 cmp eax, 000000ACh 0x0000003b cmp edi, 02EAFF40h 0x00000041 movd mm1, ebx 0x00000044 movd mm1, ebx 0x00000047 movd mm1, ebx 0x0000004a movd mm1, ebx 0x0000004d psrlw mm7, DAh 0x00000051 lfence 0x00000054 emms 0x00000056 fst st(5) 0x00000058 fyl2x 0x0000005a fmulp st(0), st(0) 0x0000005c wait 0x0000005d fninit 0x0000005f jmp 00007F576C967318h 0x00000061 jne 00007F576C967127h 0x00000067 inc edi 0x00000068 cmp ebx, 70h 0x0000006b cmp eax, 25h 0x0000006e cmp ebx, 000000BFh 0x00000074 cmp ebx, 000000CEh 0x0000007a cmp ebx, 07h 0x0000007d cmp eax, 000000DDh 0x00000082 punpckhwd mm3, mm4 0x00000085 fsincos 0x00000087 pcmpgtd xmm0, xmm2 0x0000008b fscale 0x0000008d punpckhbw mm3, mm4 0x00000090 psubusb xmm7, xmm2 0x00000094 psrad mm6, mm2 0x00000097 jmp 00007F576C967318h 0x00000099 cmp eax, 27h 0x0000009c rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe; RDTSC instruction interceptor: First address: 00000000004F0508 second address: 00000000004F5E9B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F576C956E2Ah 0x00000005 cmp dh, ah 0x00000007 push 7F21185Bh 0x0000000c jmp 00007F576C956E2Ah 0x0000000e cmp dh, dh 0x00000010 push 3E17ADE6h 0x00000015 jmp 00007F576C956E2Ah 0x00000017 cmp edx, eax 0x00000019 push F21FD920h 0x0000001e test ebx, ecx 0x00000020 push 27AA3188h 0x00000025 test bx, cx 0x00000028 test eax, ebx 0x0000002a push DFCB8F12h 0x0000002f jmp 00007F576C956E2Ah 0x00000031 test bx, dx 0x00000034 cmp edx, ecx 0x00000036 test ax, cx 0x00000039 push 2D9CC76Ch 0x0000003e call 00007F576C95C6D7h 0x00000043 cmp ah, FFFFFFE7h 0x00000046 test edx, edx 0x00000048 cmp dh, ch 0x0000004a cmp bh, 00000014h 0x0000004d jmp 00007F576C956E2Ah 0x0000004f cmp dh, 0000003Ch 0x00000052 test cx, ax 0x00000055 pushad 0x00000056 lfence 0x00000059 rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe; RDTSC instruction interceptor: First address: 00000000004F5EE8 second address: 00000000004F5F39 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esp, 00000100h 0x00000011 mov edi, esp 0x00000013 cmp ah, FFFFFFE8h 0x00000016 add esp, 00000100h 0x0000001c test edx, edx 0x0000001e mov dword ptr [edi+28h], eax 0x00000021 cmp dh, ch 0x00000023 mov esi, 0000F000h 0x00000028 jmp 00007F576C9672DAh 0x0000002a test ax, cx 0x0000002d test ebx, 05E8210Ch 0x00000033 test bl, cl 0x00000035 pushad 0x00000036 lfence 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe; RDTSC instruction interceptor: First address: 00000000004F5F39 second address: 00000000004F5F90 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp ah, FFFFFF85h 0x0000000e add esi, 00001000h 0x00000014 test edx, edx 0x00000016 cmp esi, 0000F000h 0x0000001c je 00007F576C9570C7h 0x00000022 cmp dh, ch 0x00000024 cmp bh, FFFFFFF6h 0x00000027 jmp 00007F576C956E2Ah 0x00000029 cmp dh, FFFFFFCCh 0x0000002c cmp esi, 7FFFF000h 0x00000032 je 00007F576C957099h 0x00000038 test cx, ax 0x0000003b pushad 0x0000003c lfence 0x0000003f rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe; RDTSC instruction interceptor: First address: 00000000004F5F90 second address: 00000000004F5FD5 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 00000000h 0x0000000d cmp ah, FFFFFFDCh 0x00000010 test edx, edx 0x00000012 push 0000001Ch 0x00000014 cmp dh, ch 0x00000016 push edi 0x00000017 cmp bh, FFFFFFA3h 0x0000001a cmp al, al 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f push FFFFFFFFh 0x00000021 jmp 00007F576C9672DAh 0x00000023 cmp edi, 25C79B16h 0x00000029 pushad 0x0000002a lfence 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe; RDTSC instruction interceptor: First address: 00000000004F33A5 second address: 00000000004F33A5 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F576C956E34h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp ecx, ecx 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F576C956E2Ah 0x00000024 cmp bh, FFFFFFDCh 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F576C956DDDh 0x0000002d test cx, 237Ch 0x00000032 test dl, dl 0x00000034 push ecx 0x00000035 call 00007F576C956E4Bh 0x0000003a call 00007F576C956E44h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_00408F84 rdtsc 0_2_00408F84
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Aflytter2.exe; Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Aflytter2.exe; Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_00408F84 rdtsc 0_2_00408F84
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F54C2 mov eax, dword ptr fs:[00000030h] 0_2_004F54C2
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F5D5D mov eax, dword ptr fs:[00000030h] 0_2_004F5D5D
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F31F8 mov eax, dword ptr fs:[00000030h] 0_2_004F31F8
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F664B mov eax, dword ptr fs:[00000030h] 0_2_004F664B
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F660D mov eax, dword ptr fs:[00000030h] 0_2_004F660D
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F6632 mov eax, dword ptr fs:[00000030h] 0_2_004F6632
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F22EC mov eax, dword ptr fs:[00000030h] 0_2_004F22EC
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F22E6 mov eax, dword ptr fs:[00000030h] 0_2_004F22E6
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F2285 mov eax, dword ptr fs:[00000030h] 0_2_004F2285
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F231F mov eax, dword ptr fs:[00000030h] 0_2_004F231F
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Aflytter2.exe; Code function: 0_2_004F0FC5 cpuid 0_2_004F0FC5

Mitre Att&ck Matrix

The matrix is listed here per tactic; the numbers following a technique are the signature counts shown in the original matrix, and techniques without a number had no matching signature.

  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Defense Evasion: Virtualization/Sandbox Evasion 11; Process Injection 1; Obfuscated Files or Information 1; Binary Padding
  • Credential Access: Input Capture 1; LSASS Memory; Security Account Manager; NTDS
  • Discovery: Security Software Discovery 411; Virtualization/Sandbox Evasion 11; Process Discovery 1; System Information Discovery 211
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Input Capture 1; Archive Collected Data 1; Data from Network Shared Drive; Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
  • Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
  • Impact: Modify System Partition; Device Lockout; Delete Device Data
