Loading ...

Play interactive tourEdit tour

Analysis Report samtidshistoriker.exe

Overview

General Information

Sample Name:samtidshistoriker.exe
Analysis ID:393906
MD5:780254149cfe37ce295a82588be31204
SHA1:c28ac373e62a87ae40ad378458d68adc0255558d
SHA256:74c9a0f54acec0d6579e9a43c75571f05eeb7393f43c13a5e790bfbb262dcb2e
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • samtidshistoriker.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\samtidshistoriker.exe' MD5: 780254149CFE37CE295A82588BE31204)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=14HidX9PYpF9MdDuU2Alpazy_Sg8A9xmd", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.1163761913.0000000000540000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000001.00000002.1163761913.0000000000540000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=14HidX9PYpF9MdDuU2Alpazy_Sg8A9xmd", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
    Multi AV Scanner detection for submitted fileShow sources
    Source: samtidshistoriker.exeVirustotal: Detection: 23%Perma Link
    Source: samtidshistoriker.exeMetadefender: Detection: 14%Perma Link
    Source: samtidshistoriker.exeReversingLabs: Detection: 48%
    Machine Learning detection for sampleShow sources
    Source: samtidshistoriker.exeJoe Sandbox ML: detected
    Source: samtidshistoriker.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=14HidX9PYpF9MdDuU2Alpazy_Sg8A9xmd
    Source: samtidshistoriker.exe, 00000001.00000002.1163895685.000000000069A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: String function: 004022AC appears 361 times
    Source: samtidshistoriker.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: samtidshistoriker.exe, 00000001.00000002.1163862323.0000000000660000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs samtidshistoriker.exe
    Source: samtidshistoriker.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal84.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\samtidshistoriker.exeFile created: C:\Users\user\AppData\Local\Temp\~DF9860C7993842CF33.TMPJump to behavior
    Source: samtidshistoriker.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\samtidshistoriker.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\samtidshistoriker.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: samtidshistoriker.exeVirustotal: Detection: 23%
    Source: samtidshistoriker.exeMetadefender: Detection: 14%
    Source: samtidshistoriker.exeReversingLabs: Detection: 48%

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000001.00000002.1163761913.0000000000540000.00000040.00000001.sdmp, type: MEMORY
    Source: samtidshistoriker.exeStatic PE information: real checksum: 0x322ea should be: 0x39700
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_00408066 push edi; ret 1_2_004080C7
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_0040947C push ebx; retf 1_2_00409481
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_00407618 push ecx; retf 1_2_00407619
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_004050CC push esp; iretd 1_2_0040510F
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_004096D6 push eax; ret 1_2_004096D7
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_00404EAC push ds; retf 1_2_00404EE9
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_00403AAD push ecx; iretd 1_2_00403AAE
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_004062BB push FFFFFF81h; ret 1_2_004062CB
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_0040791D push ebx; iretd 1_2_00407F3E
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_0040611E push ebp; retf 1_2_00406121
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_0040552E push ebp; ret 1_2_0040552F
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_00409138 push ds; iretd 1_2_00409139
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_00409BC5 push 3975AA4Dh; ret 1_2_00409BCD
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_004099D4 push ds; retf 1_2_004099D5
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_00409BDA push edx; ret 1_2_00409BE7
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_004091E1 pushad ; iretd 1_2_004091E2
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_004099ED pushad ; iretd 1_2_00409A0E
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_00409BF3 push ebx; iretd 1_2_00409BFD
    Source: C:\Users\user\Desktop\samtidshistoriker.exeCode function: 1_2_004071F6 push edx; ret 1_2_004071F7
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 0000000000545A0C second address: 0000000000545A0C instructions:
    Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 0000000000545983 second address: 0000000000545983 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ebx 0x0000000c movzx ebx, byte ptr [esi] 0x0000000f cmp ch, 00000060h 0x00000012 add edx, ebx 0x00000014 add esi, 02h 0x00000017 cmp word ptr [esi], 0000h 0x0000001b jne 00007FD7BCE45442h 0x0000001d jmp 00007FD7BCE454AAh 0x0000001f pushad 0x00000020 mov bx, 9C89h 0x00000024 cmp bx, 9C89h 0x00000029 jne 00007FD7BCE40221h 0x0000002f popad 0x00000030 mov ebx, edx 0x00000032 test ch, bh 0x00000034 shl edx, 05h 0x00000037 pushad 0x00000038 rdtsc
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 000000000040A5EF second address: 000000000040A5EF instructions: 0x00000000 rdtsc 0x00000002 cmp eax, 0000009Ah 0x00000007 cmp ebx, 000000BDh 0x0000000d cmp eax, 65h 0x00000010 cmp ebx, 000000B6h 0x00000016 cmp ebx, 37h 0x00000019 cmp eax, 000000C2h 0x0000001e pandn mm5, mm0 0x00000021 punpckhdq xmm3, xmm2 0x00000025 fyl2x 0x00000027 psubsw xmm7, xmm7 0x0000002b fninit 0x0000002d psubusb xmm2, xmm6 0x00000031 punpckhbw xmm5, xmm7 0x00000035 pcmpeqb xmm7, xmm0 0x00000039 fnclex 0x0000003b fpatan 0x0000003d jmp 00007FD7BCCA429Eh 0x0000003f cmp eax, 7Dh 0x00000042 cmp edi, 02EAFF40h 0x00000048 movd mm1, ebx 0x0000004b movd mm1, ebx 0x0000004e movd mm1, ebx 0x00000051 movd mm1, ebx 0x00000054 jne 00007FD7BCCA40FAh 0x0000005a inc edi 0x0000005b cmp eax, 000000D1h 0x00000060 cmp ebx, 000000D6h 0x00000066 cmp ebx, 49h 0x00000069 cmp eax, 1Eh 0x0000006c cmp ebx, 000000E0h 0x00000072 cmp ebx, 2Ah 0x00000075 psrlq xmm2, 46h 0x0000007a psrld mm2, B8h 0x0000007e fnop 0x00000080 fld1 0x00000082 fmulp st(6), st(0) 0x00000084 fldz 0x00000086 fldl2t 0x00000088 paddusw mm3, mm6 0x0000008b nop 0x0000008c pmullw xmm7, xmm3 0x00000090 jmp 00007FD7BCCA4297h 0x00000092 cmp ebx, 58h 0x00000095 cmp ebx, 000000BDh 0x0000009b rdtsc
    Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 00000000005459CA second address: 0000000000545A0C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test al, dl 0x0000000d cmp dh, ah 0x0000000f cmp cl, al 0x00000011 test ch, 00000032h 0x00000014 jmp 00007FD7BCE454AAh 0x00000016 pushad 0x00000017 mov bx, 5EFCh 0x0000001b cmp bx, 5EFCh 0x00000020 jne 00007FD7BCE40193h 0x00000026 popad 0x00000027 test ch, bh 0x00000029 pushad 0x0000002a rdtsc
    Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 0000000000545A0C second address: 0000000000545A0C instructions:
    Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 0000000000545983 second address: 0000000000545983 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ebx 0x0000000c movzx ebx, byte ptr [esi] 0x0000000f cmp ch, 00000060h 0x00000012 add edx, ebx 0x00000014 add esi, 02h 0x00000017 cmp word ptr [esi], 0000h 0x0000001b jne 00007FD7BCE45442h 0x0000001d jmp 00007FD7BCE454AAh 0x0000001f pushad 0x00000020 mov bx, 9C89h 0x00000024 cmp bx, 9C89h 0x00000029 jne 00007FD7BCE40221h 0x0000002f popad 0x00000030 mov ebx, edx 0x00000032 test ch, bh 0x00000034 shl edx, 05h 0x00000037 pushad 0x00000038 rdtsc
    Source: C:\Users\user\Desktop\samtidshistoriker.exeRDTSC instruction interceptor: First address: 00000000005430BA second address: 00000000005430BA instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD7BCCA4264h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007FD7BCCA425Ah 0x0000001f test dh, ah 0x00000021 pop ecx 0x00000022 test bh, FFFFFFF5h 0x00000025 test eax, ecx 0x00000027 add edi, edx 0x00000029 test ax, ax 0x0000002c dec ecx 0x0000002d cmp bh, ch 0x0000002f cmp ecx, 00000000h 0x00000032 jne 00007FD7BCCA420Dh 0x00000034 push ecx 0x00000035 call 00007FD7BCCA42A0h 0x0000003a call 00007FD7BCCA4274h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\samtidshistoriker.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: samtidshistoriker.exe, 00000001.00000002.1163945973.0000000000E20000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: samtidshistoriker.exe, 00000001.00000002.1163945973.0000000000E20000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: samtidshistoriker.exe, 00000001.00000002.1163945973.0000000000E20000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: samtidshistoriker.exe, 00000001.00000002.1163945973.0000000000E20000.00000002.00000001.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11Input Capture1Security Software Discovery3Remote ServicesInput Capture1Exfiltration Over Other Network MediumApplication Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSSystem Information Discovery21Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.