Loading ...

Play interactive tourEdit tour

Analysis Report faktura_fk.exe

Overview

General Information

Sample Name:faktura_fk.exe
Analysis ID:394244
MD5:66fb235f133e2f690184675fe27bcc32
SHA1:12f471ad9d4f8ef90cc548d1e0eb498c12ed0230
SHA256:168ca422e4a4dc429c9fb4a65cdd1b3f1f32119475581b3d00c94ff6e4a82f77
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • faktura_fk.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\faktura_fk.exe' MD5: 66FB235F133E2F690184675FE27BCC32)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1O7Zrj0oTVUPxo7h5leOqWms2QfQkCgBK", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security
    Process Memory Space: faktura_fk.exe PID: 6352JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
      Process Memory Space: faktura_fk.exe PID: 6352JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

        Sigma Overview

        No Sigma rule has matched

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: 00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1O7Zrj0oTVUPxo7h5leOqWms2QfQkCgBK", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
        Multi AV Scanner detection for submitted fileShow sources
        Source: faktura_fk.exeVirustotal: Detection: 17%Perma Link
        Source: faktura_fk.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

        Networking:

        barindex
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1O7Zrj0oTVUPxo7h5leOqWms2QfQkCgBK

        System Summary:

        barindex
        Potential malicious icon foundShow sources
        Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess Stats: CPU usage > 98%
        Source: faktura_fk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: faktura_fk.exe, 00000001.00000002.1277430799.00000000020C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs faktura_fk.exe
        Source: faktura_fk.exe, 00000001.00000000.194842792.0000000000433000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameKnudepunkternes2.exe vs faktura_fk.exe
        Source: faktura_fk.exe, 00000001.00000002.1277776072.00000000021F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKnudepunkternes2.exeFE2XeSafe SolutionseSafe Solutions vs faktura_fk.exe
        Source: faktura_fk.exe, 00000001.00000002.1277776072.00000000021F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKnudepunkternes2.exeFE2XeSafe Solutions vs faktura_fk.exe
        Source: faktura_fk.exe, 00000001.00000002.1277776072.00000000021F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKnudepunkternes2.exeFE2X vs faktura_fk.exe
        Source: faktura_fk.exe, 00000001.00000002.1277776072.00000000021F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKnudepunkternes2.exeFE2XeSafe Solutionsi~C vs faktura_fk.exe
        Source: faktura_fk.exe, 00000001.00000002.1277776072.00000000021F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKnudepunkternes2.exeFE2XeSafe Solutionsf`L vs faktura_fk.exe
        Source: faktura_fk.exeBinary or memory string: OriginalFilenameKnudepunkternes2.exe vs faktura_fk.exe
        Source: faktura_fk.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: classification engineClassification label: mal96.rans.troj.evad.winEXE@1/0@0/0
        Source: faktura_fk.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\faktura_fk.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
        Source: C:\Users\user\Desktop\faktura_fk.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: faktura_fk.exeVirustotal: Detection: 17%

        Data Obfuscation:

        barindex
        Yara detected GuLoaderShow sources
        Source: Yara matchFile source: 00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: faktura_fk.exe PID: 6352, type: MEMORY
        Yara detected VB6 Downloader GenericShow sources
        Source: Yara matchFile source: Process Memory Space: faktura_fk.exe PID: 6352, type: MEMORY
        Source: C:\Users\user\Desktop\faktura_fk.exeCode function: 1_2_00407828 push ds; ret 1_2_00407833
        Source: C:\Users\user\Desktop\faktura_fk.exeCode function: 1_2_004063F3 push 85E0C3F5h; retf 1_2_00406412
        Source: C:\Users\user\Desktop\faktura_fk.exeCode function: 1_2_00407792 push es; ret 1_2_0040779B
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        barindex
        Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000005129E9 second address: 00000000005129E9 instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000005129AA second address: 00000000005129AA instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 000000000051284C second address: 00000000005128CA instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [eax+1Ch] 0x0000000d test ah, ah 0x0000000f mov dword ptr [ebp+14h], ecx 0x00000012 fnop 0x00000014 mov ecx, dword ptr [eax+24h] 0x00000017 mov dword ptr [ebp+10h], ecx 0x0000001a mov esi, dword ptr [eax+20h] 0x0000001d add esi, dword ptr [ebp+04h] 0x00000020 xor ecx, ecx 0x00000022 test edx, edx 0x00000024 mov edx, dword ptr [esi] 0x00000026 test ebx, ebx 0x00000028 add edx, dword ptr [ebp+04h] 0x0000002b push ecx 0x0000002c test dh, ch 0x0000002e push esi 0x0000002f push edx 0x00000030 test bl, cl 0x00000032 call 00007FD3A88B113Bh 0x00000037 pushad 0x00000038 rdtsc
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000005128CA second address: 00000000005128CA instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 0000000000512886 second address: 0000000000512886 instructions:
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
        Source: faktura_fk.exe, 00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE9
        Source: faktura_fk.exe, 00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Tries to detect virtualization through RDTSC time measurementsShow sources
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000005129E9 second address: 00000000005129E9 instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000005129AA second address: 00000000005129AA instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 000000000051284C second address: 00000000005128CA instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [eax+1Ch] 0x0000000d test ah, ah 0x0000000f mov dword ptr [ebp+14h], ecx 0x00000012 fnop 0x00000014 mov ecx, dword ptr [eax+24h] 0x00000017 mov dword ptr [ebp+10h], ecx 0x0000001a mov esi, dword ptr [eax+20h] 0x0000001d add esi, dword ptr [ebp+04h] 0x00000020 xor ecx, ecx 0x00000022 test edx, edx 0x00000024 mov edx, dword ptr [esi] 0x00000026 test ebx, ebx 0x00000028 add edx, dword ptr [ebp+04h] 0x0000002b push ecx 0x0000002c test dh, ch 0x0000002e push esi 0x0000002f push edx 0x00000030 test bl, cl 0x00000032 call 00007FD3A88B113Bh 0x00000037 pushad 0x00000038 rdtsc
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 00000000005128CA second address: 00000000005128CA instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 0000000000512886 second address: 0000000000512886 instructions:
        Source: C:\Users\user\Desktop\faktura_fk.exeRDTSC instruction interceptor: First address: 000000000051187C second address: 000000000051187C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD3A8DDBAFAh 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp edx, ecx 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp eax, eax 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007FD3A8DDBADCh 0x0000002a push ecx 0x0000002b test ah, FFFFFF84h 0x0000002e call 00007FD3A8DDBB11h 0x00000033 call 00007FD3A8DDBB0Ah 0x00000038 lfence 0x0000003b mov edx, dword ptr [7FFE0014h] 0x00000041 lfence 0x00000044 ret 0x00000045 mov esi, edx 0x00000047 pushad 0x00000048 rdtsc
        Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: faktura_fk.exe, 00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe9
        Source: faktura_fk.exe, 00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

        Anti Debugging:

        barindex
        Found potential dummy code loops (likely to delay analysis)Show sources
        Source: C:\Users\user\Desktop\faktura_fk.exeProcess Stats: CPU usage > 90% for more than 60s
        Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: faktura_fk.exe, 00000001.00000002.1277213879.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Program Manager
        Source: faktura_fk.exe, 00000001.00000002.1277213879.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: faktura_fk.exe, 00000001.00000002.1277213879.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: faktura_fk.exe, 00000001.00000002.1277213879.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Progmanlock

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesData from Local SystemExfiltration Over Other Network MediumApplication Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery21Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.