Analysis Report Remodeller8.exe

Overview

General Information

Sample Name: Remodeller8.exe
Analysis ID: 384221
MD5: 147eeed85d599916758d6bba7d86b434
SHA1: 15a85b8d36ec5baeac941a32450026d610358961
SHA256: 60bc4eef19e2c547add07b45bdbd4aeb00ca75fe7269cac5fa71a8ceb87e5cb9
Tags: exe, GuLoader
Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Remodeller8.exe Virustotal: Detection: 52%
Source: Remodeller8.exe ReversingLabs: Detection: 56%
Machine Learning detection for sample
Source: Remodeller8.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Remodeller8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Remodeller8.exe, 00000001.00000002.848068433.00000000006CA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Remodeller8.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Remodeller8.exe Code function: 1_2_0040905F 1_2_0040905F
Source: C:\Users\user\Desktop\Remodeller8.exe Code function: 1_2_004090A7 1_2_004090A7
PE file contains strange resources
Source: Remodeller8.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Remodeller8.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Remodeller8.exe, 00000001.00000002.848261257.0000000002370000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Remodeller8.exe
Uses 32bit PE files
Source: Remodeller8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Remodeller8.exe File created: C:\Users\user\AppData\Local\Temp\~DFB617D45F1B8ED128.TMP
Source: Remodeller8.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Remodeller8.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Remodeller8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Remodeller8.exe Virustotal: Detection: 52%
Source: Remodeller8.exe ReversingLabs: Detection: 56%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.847967336.0000000000530000.00000040.00000001.sdmp, type: MEMORY
PE file contains an invalid checksum
Source: Remodeller8.exe Static PE information: real checksum: 0x1ec6a should be: 0x2826d
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Remodeller8.exe Code function: 1_2_0040201B pushfd ; ret 1_2_00402054
Source: C:\Users\user\Desktop\Remodeller8.exe Code function: 1_2_004040CB pushfd ; retf 1_2_004040CD
Source: C:\Users\user\Desktop\Remodeller8.exe Code function: 1_2_00408083 push ebx; ret 1_2_00408084
Source: C:\Users\user\Desktop\Remodeller8.exe Code function: 1_2_00405086 push ds; retf 1_2_0040508F
Source: C:\Users\user\Desktop\Remodeller8.exe Code function: 1_2_00403168 pushfd ; retf 1_2_00403169
Source: C:\Users\user\Desktop\Remodeller8.exe Code function: 1_2_00403E66 pushfd ; ret 1_2_00403E6C
Source: C:\Users\user\Desktop\Remodeller8.exe Code function: 1_2_0040BB37 push 7600FFCEh; iretd 1_2_0040BB3C
Source: C:\Users\user\Desktop\Remodeller8.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Remodeller8.exe RDTSC instruction interceptor: First address: 00000000005362CD second address: 00000000005362CD instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Remodeller8.exe RDTSC instruction interceptor: First address: 000000000040926C second address: 000000000040926C instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, 31h
    0x00000005 packsswb mm5, mm1
    0x00000008 pcmpgtw xmm2, xmm3
    0x0000000c psrlq xmm1, 0Fh
    0x00000011 packssdw mm2, mm4
    0x00000014 pxor mm1, mm4
    0x00000017 fcomp st(0), st(2)
    0x00000019 jmp 00007F09007A6E5Ch
    0x0000001b cmp eax, 20h
    0x0000001e cmp eax, 000000FBh
    0x00000023 cmp ebx, 00000090h
    0x00000029 cmp ebx, 000000C3h
    0x0000002f cmp ebx, 000000A1h
    0x00000035 cmp ebx, 00000090h
    0x0000003b cmp ebx, 52h
    0x0000003e cmp edi, 02EAFF40h
    0x00000044 psrad xmm7, xmm6
    0x00000048 paddb xmm5, xmm0
    0x0000004c fsqrt
    0x0000004e pause
    0x00000050 fsubp st(6), st(0)
    0x00000052 fld1
    0x00000054 jmp 00007F09007A6E5Dh
    0x00000056 movd mm1, ebx
    0x00000059 movd mm1, ebx
    0x0000005c movd mm1, ebx
    0x0000005f movd mm1, ebx
    0x00000062 jne 00007F09007A6C4Dh
    0x00000068 inc edi
    0x00000069 cmp ebx, 000000ACh
    0x0000006f cmp ebx, 40h
    0x00000072 cmp ebx, 4Eh
    0x00000075 cmp ebx, 26h
    0x00000078 xchg esi, esi
    0x0000007a fpatan
    0x0000007c punpckhbw mm7, mm3
    0x0000007f movd xmm3, ebx
    0x00000083 wait
    0x00000084 wait
    0x00000085 pcmpeqd xmm3, xmm0
    0x00000089 jmp 00007F09007A6E5Dh
    0x0000008b cmp ebx, 000000E7h
    0x00000091 cmp eax, 000000D5h
    0x00000096 cmp eax, 000000F4h
    0x0000009b cmp eax, 3Bh
    0x0000009e cmp eax, 000000ACh
    0x000000a3 cmp ebx, 000000B2h
    0x000000a9 rdtsc
Source: C:\Users\user\Desktop\Remodeller8.exe RDTSC instruction interceptor: First address: 00000000005362CD second address: 00000000005362CD instructions:
Source: C:\Users\user\Desktop\Remodeller8.exe RDTSC instruction interceptor: First address: 0000000000533353 second address: 0000000000533353 instructions:
    0x00000000 rdtsc
    0x00000002 xor eax, eax
    0x00000004 inc eax
    0x00000005 cpuid
    0x00000007 popad
    0x00000008 call 00007F0900793425h
    0x0000000d lfence
    0x00000010 mov edx, dword ptr [7FFE0014h]
    0x00000016 lfence
    0x00000019 ret
    0x0000001a sub edx, esi
    0x0000001c ret
    0x0000001d test cl, 00000017h
    0x00000020 pop ecx
    0x00000021 jmp 00007F090079341Ah
    0x00000023 cmp bx, 41F8h
    0x00000028 cmp eax, ecx
    0x0000002a add edi, edx
    0x0000002c dec ecx
    0x0000002d cmp ecx, 00000000h
    0x00000030 jne 00007F09007933C7h
    0x00000032 test dx, dx
    0x00000035 test ah, dh
    0x00000037 push ecx
    0x00000038 cld
    0x00000039 test ah, ah
    0x0000003b call 00007F0900793462h
    0x00000040 call 00007F0900793435h
    0x00000045 lfence
    0x00000048 mov edx, dword ptr [7FFE0014h]
    0x0000004e lfence
    0x00000051 ret
    0x00000052 mov esi, edx
    0x00000054 pushad
    0x00000055 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Remodeller8.exe Code function: 1_2_0040905F rdtsc 1_2_0040905F
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Remodeller8.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Remodeller8.exe Code function: 1_2_0040905F rdtsc 1_2_0040905F
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Remodeller8.exe, 00000001.00000002.848153018.0000000000E50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Remodeller8.exe, 00000001.00000002.848153018.0000000000E50000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Remodeller8.exe, 00000001.00000002.848153018.0000000000E50000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: Remodeller8.exe, 00000001.00000002.848153018.0000000000E50000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Behavior Graph

Behavior Graph ID: 384221
Sample: Remodeller8.exe
Startdate: 08/04/2021
Architecture: WINDOWS
Score: 72
Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Machine Learning detection for sample
Process started: Remodeller8.exe
Process signatures: Detected RDTSC dummy instruction sequence (likely for instruction hammering); Found potential dummy code loops (likely to delay analysis); Tries to detect virtualization through RDTSC time measurements
No contacted IP infos