Analysis Report documentos.exe

Overview

General Information

Sample Name: documentos.exe
Analysis ID: 383467
MD5: 71d102249808e46de207ba5d1e1441ee
SHA1: b0538afec6fe730a0e01b8fd81febf68e03d2f54
SHA256: 1b1622ce9c633a2c53dac43aaea43712544b7385d457b05574d4754cf850293c
Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Executable has a suspicious name (potential lure to open the executable)
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: documentos.exe Virustotal: Detection: 31%
Source: documentos.exe ReversingLabs: Detection: 10%

Compliance:

Uses 32bit PE files
Source: documentos.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Executable has a suspicious name (potential lure to open the executable)
Source: documentos.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: documentos.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\documentos.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\documentos.exe Code function: 0_2_00401564 0_2_00401564
PE file contains strange resources
Source: documentos.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: documentos.exe, 00000000.00000002.1170338790.00000000020A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs documentos.exe
Source: documentos.exe, 00000000.00000000.644285775.0000000000426000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOutpiped.exe vs documentos.exe
Source: documentos.exe Binary or memory string: OriginalFilenameOutpiped.exe vs documentos.exe
Uses 32bit PE files
Source: documentos.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0
Source: documentos.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\documentos.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\documentos.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: documentos.exe Virustotal: Detection: 31%
Source: documentos.exe ReversingLabs: Detection: 10%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: documentos.exe PID: 7124, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: documentos.exe PID: 7124, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\documentos.exe Code function: 0_2_00403E6C push ss; retf 0_2_00403E6D
Source: C:\Users\user\Desktop\documentos.exe Code function: 0_2_00406E3F push FFFFFFF6h; iretd 0_2_00406E41
Source: C:\Users\user\Desktop\documentos.exe Code function: 0_2_00406DA7 push FFFFFFF6h; iretd 0_2_00406DA9
Source: C:\Users\user\Desktop\documentos.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: documentos.exe, 00000000.00000002.1170152810.0000000000500000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\documentos.exe RDTSC instruction interceptor: First address: 0000000000502BB1 second address: 0000000000502BB1 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 add eax, ecx
    0x00000005 inc esi
    0x00000006 cmp byte ptr [esi], 00000000h
    0x00000009 jne 00007FB6847551BBh
    0x0000000b cmp al, bl
    0x0000000d cmp byte ptr [esi], FFFFFFA4h
    0x00000010 jnc 00007FB684755207h
    0x00000012 fnop
    0x00000014 mov ebx, eax
    0x00000016 test ax, ax
    0x00000019 shl eax, 05h
    0x0000001c add eax, ebx
    0x0000001e movzx ecx, byte ptr [esi]
    0x00000021 pushad
    0x00000022 mov eax, 0000007Ah
    0x00000027 rdtsc
Source: C:\Users\user\Desktop\documentos.exe RDTSC instruction interceptor: First address: 0000000000502D46 second address: 0000000000502D83 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 add esi, 00001000h
    0x00000009 test dl, bl
    0x0000000b cmp esi, 0000F000h
    0x00000011 je 00007FB684B851D4h
    0x00000017 cmp edx, C6B28C40h
    0x0000001d cmp esi, 7FFFF000h
    0x00000023 je 00007FB684B851C2h
    0x00000029 push 00000000h
    0x0000002b push 0000001Ch
    0x0000002d cmp al, bl
    0x0000002f fnop
    0x00000031 push edi
    0x00000032 test ax, ax
    0x00000035 push 00000000h
    0x00000037 pushad
    0x00000038 mov eax, 0000004Fh
    0x0000003d rdtsc
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\documentos.exe API coverage: 2.6 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: documentos.exe, 00000000.00000002.1170152810.0000000000500000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\documentos.exe Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: documentos.exe, 00000000.00000002.1170281468.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: documentos.exe, 00000000.00000002.1170281468.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: documentos.exe, 00000000.00000002.1170281468.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: documentos.exe, 00000000.00000002.1170281468.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph ID: 383467 Sample: documentos.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 88
Graph signatures: Potential malicious icon found; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 4 other signatures
Process started: documentos.exe (signatures: Found potential dummy code loops (likely to delay analysis); Tries to detect virtualization through RDTSC time measurements)
No contacted IP infos