Analysis Report NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Overview

General Information

Sample Name:	NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe
Analysis ID:	385245
MD5:	69273783da83c97ff021e1002243dd8b
SHA1:	c1f879d4c66d53ae682b870f3e9e0e016929e220
SHA256:	81980be7abe0eb985644d9c867fe8ad4820d9d6a2c9538011d67251dd9378170
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Found potential dummy code loops (likely to delay analysis)

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

Found large amount of non-executed APIs

PE file contains strange resources

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.1166657549.0000000002230000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1vOQNsh0Cmxl5hty4ZPc18pGNKUD5RTVY"}

Multi AV Scanner detection for submitted file

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Virustotal: Detection: 61%	Perma Link
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Metadefender: Detection: 32%	Perma Link
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	ReversingLabs: Detection: 60%

Compliance:

Uses 32bit PE files

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1vOQNsh0Cmxl5hty4ZPc18pGNKUD5RTVY

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Code function: 0_2_0041153C OpenClipboard,

0_2_0041153C

System Summary:

Executable has a suspicious name (potential lure to open the executable)

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Process Stats: CPU usage > 98%

Detected potential crypto function

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Code function: 0_2_00406CA0

0_2_00406CA0

PE file contains strange resources

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe, 00000000.00000000.643666689.000000000041B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStringet3.exe vs NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Binary or memory string: OriginalFilenameStringet3.exe vs NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Uses 32bit PE files

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

File created: C:\Users\user\AppData\Local\Temp\~DFC8581C4ED5AF02EC.TMP

Jump to behavior

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Virustotal: Detection: 61%
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Metadefender: Detection: 32%
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	ReversingLabs: Detection: 60%

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: Process Memory Space: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe PID: 7100, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match

File source: Process Memory Space: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe PID: 7100, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040245C pushfd ; iretd	0_2_0040248B
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00408824 pushfd ; iretd	0_2_00408987
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00409083 push ecx; retf	0_2_00409086
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040248C pushfd ; iretd	0_2_0040248F
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_004094B3 push ecx; retf	0_2_0040952E
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040A949 push ecx; retf	0_2_0040A94A
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00408963 pushfd ; iretd	0_2_00408987
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00409501 push ecx; retf	0_2_0040952E
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040812A push ecx; retf	0_2_0040812E
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_004089C4 push ecx; iretd	0_2_004089EE
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_004051D6 pushfd ; iretd	0_2_004051D7
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040898C push ecx; iretd	0_2_004089EE
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040A9A5 push ecx; iretd	0_2_0040A9AA
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00403278 push dword ptr [edi-4B012F33h]; retf	0_2_0040328B
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00408A19 push ecx; iretd	0_2_00408A22
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040962B push ecx; retf	0_2_00409632
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00407EE5 push ecx; iretd	0_2_00407EE6
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040A2F1 push ecx; retf	0_2_0040A2F2
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_004036FA push fs; ret	0_2_00403793
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00402690 pushfd ; iretd	0_2_00402693
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040A2B5 push ecx; retf	0_2_0040A2B6
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00407F47 push ecx; retf	0_2_00407F4A
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00402F67 pushfd ; iretd	0_2_00402F6F
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00403320 pushfd ; iretd	0_2_00403323
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00408B23 pushad ; iretd	0_2_00408B26
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00408B28 push ecx; iretd	0_2_00408B3A
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_004043D7 pushfd ; iretd	0_2_004043DB
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00408FB3 push ecx; iretd	0_2_00408FC2
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_02233AF3 push FFFFFFB9h; retf	0_2_02233AF5
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_02234ED0 push eax; ret	0_2_02234ED1

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

RDTSC instruction interceptor: First address: 0000000002234171 second address: 0000000002234171 instructions:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	RDTSC instruction interceptor: First address: 0000000002234900 second address: 0000000002234171 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp dh, FFFFFF96h 0x0000000e cmp cx, FBFCh 0x00000013 cmp bl, dl 0x00000015 mov eax, 00000539h 0x0000001a mov ecx, dword ptr [ebp+1Ch] 0x0000001d cmp dl, FFFFFFD9h 0x00000020 mov edx, 8802EDACh 0x00000025 call 00007F9D583648CCh 0x0000002a push esi 0x0000002b push edx 0x0000002c jmp 00007F9D583651BDh 0x00000031 pushad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	RDTSC instruction interceptor: First address: 0000000002234171 second address: 0000000002234171 instructions:
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	RDTSC instruction interceptor: First address: 000000000223474E second address: 000000000223474E instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F9D5836512Eh 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002c jne 00007F9D5836510Ch 0x0000002e call 00007F9D58365156h 0x00000033 call 00007F9D5836513Eh 0x00000038 lfence 0x0000003b mov edx, dword ptr [7FFE0014h] 0x00000041 lfence 0x00000044 ret 0x00000045 mov esi, edx 0x00000047 pushad 0x00000048 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Code function: 0_2_02234771 rdtsc

0_2_02234771

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

API coverage: 1.2 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Code function: 0_2_02234771 rdtsc

0_2_02234771

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_02231868 mov eax, dword ptr fs:[00000030h]	0_2_02231868
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_022340BB mov eax, dword ptr fs:[00000030h]	0_2_022340BB
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_02234523 mov eax, dword ptr fs:[00000030h]	0_2_02234523
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_02231530 mov eax, dword ptr fs:[00000030h]	0_2_02231530
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_022325D3 mov eax, dword ptr fs:[00000030h]	0_2_022325D3

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe, 00000000.00000002.1166538080.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe, 00000000.00000002.1166538080.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe, 00000000.00000002.1166538080.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe, 00000000.00000002.1166538080.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Code function: 0_2_02233972 cpuid

0_2_02233972

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	385245
Product:	CloudBasic
Start time:	08:57:32
Start date:	12.04.2021
Sample:	NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	69273783da83c97ff021e1002243dd8b
SHA1:	c1f879d4c66d53ae682b870f3e9e0e016929e220
SHA256:	81980be7abe0eb985644d9c867fe8ad4820d9d6a2c9538011d67251dd9378170
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Analysis Report NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map