Loading ...

Play interactive tourEdit tour

Analysis Report samtidshistoriker.exe

Overview

General Information

Sample Name:samtidshistoriker.exe
Analysis ID:393904
MD5:780254149cfe37ce295a82588be31204
SHA1:c28ac373e62a87ae40ad378458d68adc0255558d
SHA256:74c9a0f54acec0d6579e9a43c75571f05eeb7393f43c13a5e790bfbb262dcb2e
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • samtidshistoriker.exe (PID: 5740 cmdline: 'C:\Users\user\Desktop\samtidshistoriker.exe' MD5: 780254149CFE37CE295A82588BE31204)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=14HidX9PYpF9MdDuU2Alpazy_Sg8A9xmd", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.742722854.0000000000500000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security
    Process Memory Space: samtidshistoriker.exe PID: 5740JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
      Process Memory Space: samtidshistoriker.exe PID: 5740JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

        Sigma Overview

        No Sigma rule has matched

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: 00000000.00000002.742722854.0000000000500000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=14HidX9PYpF9MdDuU2Alpazy_Sg8A9xmd", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
        Multi AV Scanner detection for submitted fileShow sources
        Source: samtidshistoriker.exeVirustotal: Detection: 23%Perma Link
        Source: samtidshistoriker.exeMetadefender: Detection: 14%Perma Link
        Source: samtidshistoriker.exeReversingLabs: Detection: 48%
        Machine Learning detection for sampleShow sources
        Source: samtidshistoriker.exeJoe Sandbox ML: detected
        Source: samtidshistoriker.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

        Networking:

        barindex
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=14HidX9PYpF9MdDuU2Alpazy_Sg8A9xmd
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess Stats: CPU usage > 98%
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: String function: 004022AC appears 361 times
        Source: samtidshistoriker.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: samtidshistoriker.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: classification engineClassification label: mal92.troj.evad.winEXE@1/0@0/0
        Source: C:\Users\user\Desktop\samtidshistoriker.exeFile created: C:\Users\user\AppData\Local\Temp\~DFAFD63AE078E58750.TMPJump to behavior
        Source: samtidshistoriker.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\samtidshistoriker.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
        Source: C:\Users\user\Desktop\samtidshistoriker.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: samtidshistoriker.exeVirustotal: Detection: 23%
        Source: samtidshistoriker.exeMetadefender: Detection: 14%
        Source: samtidshistoriker.exeReversingLabs: Detection: 48%

        Data Obfuscation:

        barindex
        Yara detected GuLoaderShow sources
        Source: Yara matchFile source: 00000000.00000002.742722854.0000000000500000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: samtidshistoriker.exe PID: 5740, type: MEMORY
        Yara detected VB6 Downloader GenericShow sources
        Source: Yara matchFile source: Process Memory Space: samtidshistoriker.exe PID: 5740, type: MEMORY
        Source: samtidshistoriker.exeStatic PE information: real checksum: 0x322ea should be: 0x39700
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_00408066 push edi; ret 0_2_004080C7
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_0040947C push ebx; retf 0_2_00409481
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_00407618 push ecx; retf 0_2_00407619
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_004050CC push esp; iretd 0_2_0040510F
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_004096D6 push eax; ret 0_2_004096D7
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_00404EAC push ds; retf 0_2_00404EE9
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_00403AAD push ecx; iretd 0_2_00403AAE
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_004062BB push FFFFFF81h; ret 0_2_004062CB
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_0040791D push ebx; iretd 0_2_00407F3E
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_0040611E push ebp; retf 0_2_00406121
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_0040552E push ebp; ret 0_2_0040552F
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_00409138 push ds; iretd 0_2_00409139
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_00409BC5 push 3975AA4Dh; ret 0_2_00409BCD
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_004099D4 push ds; retf 0_2_004099D5
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_00409BDA push edx; ret 0_2_00409BE7
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_004091E1 pushad ; iretd 0_2_004091E2
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_004099ED pushad ; iretd 0_2_00409A0E
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_00409BF3 push ebx; iretd 0_2_00409BFD
        Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 0_2_004071F6 push edx; ret 0_2_004071F7
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        barindex
        Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
        Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 0000000000505A0C second address: 0000000000505A0C instructions:
        Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 0000000000505983 second address: 0000000000505983 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ebx 0x0000000c movzx ebx, byte ptr [esi] 0x0000000f cmp ch, 00000060h 0x00000012 add edx, ebx 0x00000014 add esi, 02h 0x00000017 cmp word ptr [esi], 0000h 0x0000001b jne 00007F92B4948732h 0x0000001d jmp 00007F92B494879Ah 0x0000001f pushad 0x00000020 mov bx, 9C89h 0x00000024 cmp bx, 9C89h 0x00000029 jne 00007F92B4943511h 0x0000002f popad 0x00000030 mov ebx, edx 0x00000032 test ch, bh 0x00000034 shl edx, 05h 0x00000037 pushad 0x00000038 rdtsc
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
        Source: samtidshistoriker.exe, 00000000.00000002.742722854.0000000000500000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Tries to detect virtualization through RDTSC time measurementsShow sources
        Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 000000000040A5EF second address: 000000000040A5EF instructions: 0x00000000 rdtsc 0x00000002 cmp eax, 0000009Ah 0x00000007 cmp ebx, 000000BDh 0x0000000d cmp eax, 65h 0x00000010 cmp ebx, 000000B6h 0x00000016 cmp ebx, 37h 0x00000019 cmp eax, 000000C2h 0x0000001e pandn mm5, mm0 0x00000021 punpckhdq xmm3, xmm2 0x00000025 fyl2x 0x00000027 psubsw xmm7, xmm7 0x0000002b fninit 0x0000002d psubusb xmm2, xmm6 0x00000031 punpckhbw xmm5, xmm7 0x00000035 pcmpeqb xmm7, xmm0 0x00000039 fnclex 0x0000003b fpatan 0x0000003d jmp 00007F92B45C8A1Eh 0x0000003f cmp eax, 7Dh 0x00000042 cmp edi, 02EAFF40h 0x00000048 movd mm1, ebx 0x0000004b movd mm1, ebx 0x0000004e movd mm1, ebx 0x00000051 movd mm1, ebx 0x00000054 jne 00007F92B45C887Ah 0x0000005a inc edi 0x0000005b cmp eax, 000000D1h 0x00000060 cmp ebx, 000000D6h 0x00000066 cmp ebx, 49h 0x00000069 cmp eax, 1Eh 0x0000006c cmp ebx, 000000E0h 0x00000072 cmp ebx, 2Ah 0x00000075 psrlq xmm2, 46h 0x0000007a psrld mm2, B8h 0x0000007e fnop 0x00000080 fld1 0x00000082 fmulp st(6), st(0) 0x00000084 fldz 0x00000086 fldl2t 0x00000088 paddusw mm3, mm6 0x0000008b nop 0x0000008c pmullw xmm7, xmm3 0x00000090 jmp 00007F92B45C8A17h 0x00000092 cmp ebx, 58h 0x00000095 cmp ebx, 000000BDh 0x0000009b rdtsc
        Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 00000000005059CA second address: 0000000000505A0C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test al, dl 0x0000000d cmp dh, ah 0x0000000f cmp cl, al 0x00000011 test ch, 00000032h 0x00000014 jmp 00007F92B494879Ah 0x00000016 pushad 0x00000017 mov bx, 5EFCh 0x0000001b cmp bx, 5EFCh 0x00000020 jne 00007F92B4943483h 0x00000026 popad 0x00000027 test ch, bh 0x00000029 pushad 0x0000002a rdtsc
        Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 0000000000505A0C second address: 0000000000505A0C instructions:
        Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 0000000000505983 second address: 0000000000505983 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ebx 0x0000000c movzx ebx, byte ptr [esi] 0x0000000f cmp ch, 00000060h 0x00000012 add edx, ebx 0x00000014 add esi, 02h 0x00000017 cmp word ptr [esi], 0000h 0x0000001b jne 00007F92B4948732h 0x0000001d jmp 00007F92B494879Ah 0x0000001f pushad 0x00000020 mov bx, 9C89h 0x00000024 cmp bx, 9C89h 0x00000029 jne 00007F92B4943511h 0x0000002f popad 0x00000030 mov ebx, edx 0x00000032 test ch, bh 0x00000034 shl edx, 05h 0x00000037 pushad 0x00000038 rdtsc
        Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 00000000005030BA second address: 00000000005030BA instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F92B45C89E4h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F92B45C89DAh 0x0000001f test dh, ah 0x00000021 pop ecx 0x00000022 test bh, FFFFFFF5h 0x00000025 test eax, ecx 0x00000027 add edi, edx 0x00000029 test ax, ax 0x0000002c dec ecx 0x0000002d cmp bh, ch 0x0000002f cmp ecx, 00000000h 0x00000032 jne 00007F92B45C898Dh 0x00000034 push ecx 0x00000035 call 00007F92B45C8A20h 0x0000003a call 00007F92B45C89F4h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
        Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: samtidshistoriker.exe, 00000000.00000002.742722854.0000000000500000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

        Anti Debugging:

        barindex
        Found potential dummy code loops (likely to delay analysis)Show sources
        Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess Stats: CPU usage > 90% for more than 60s
        Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: samtidshistoriker.exe, 00000000.00000002.743136162.0000000000D00000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: samtidshistoriker.exe, 00000000.00000002.743136162.0000000000D00000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: samtidshistoriker.exe, 00000000.00000002.743136162.0000000000D00000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
        Source: samtidshistoriker.exe, 00000000.00000002.743136162.0000000000D00000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
        Source: samtidshistoriker.exe, 00000000.00000002.743136162.0000000000D00000.00000002.00000001.sdmpBinary or memory string: Progmanlock

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesData from Local SystemExfiltration Over Other Network MediumApplication Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSSystem Information Discovery21Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.