Analysis Report udmugning.exe

Overview

General Information

Sample Name: udmugning.exe
Analysis ID: 395203
MD5: 3d04ed12388c92e15361681ef1921d7f
SHA1: 8820ff07e1f60121a057b0303dc7746ea4960617
SHA256: 99227f9bb099737a3f356f266c5b8d5e1f4313715f37a4b7b0b6c1ae65c00925

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: udmugning.exe Metadefender: Detection: 35%
Source: udmugning.exe ReversingLabs: Detection: 79%
Machine Learning detection for sample
Source: udmugning.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: udmugning.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\udmugning.exe Code function: 1_2_0040994D
Source: C:\Users\user\Desktop\udmugning.exe Code function: 1_2_004011CA
Source: C:\Users\user\Desktop\udmugning.exe Code function: 1_2_004099E1
Source: C:\Users\user\Desktop\udmugning.exe Code function: 1_2_00409A6E
PE file contains strange resources
Source: udmugning.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: udmugning.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: udmugning.exe, 00000001.00000002.474813749.0000000002300000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs udmugning.exe
Source: udmugning.exe, 00000001.00000002.485300567.0000000005090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs udmugning.exe
Uses 32bit PE files
Source: udmugning.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\udmugning.exe File created: C:\Users\user\AppData\Local\Temp\~DF5440564B0D50F574.TMP
Source: udmugning.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\udmugning.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\udmugning.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: udmugning.exe Metadefender: Detection: 35%
Source: udmugning.exe ReversingLabs: Detection: 79%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: udmugning.exe, type: SAMPLE
Source: Yara match File source: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.206225191.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 1.0.udmugning.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.udmugning.exe.400000.0.unpack, type: UNPACKEDPE
PE file contains an invalid checksum
Source: udmugning.exe Static PE information: real checksum: 0x1fc2a should be: 0x22a75
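The line above is a comparison of two numbers: 0x1fc2a is the value stored in IMAGE_OPTIONAL_HEADER.CheckSum, 0x22a75 is what recomputing the checksum over the file gives. The following is an added example (not part of the Joe Sandbox report and not code from the sample) that performs that comparison with the standard PE checksum algorithm: a one's-complement sum of the file as 32-bit words with end-around carry, folded to 16 bits, with the CheckSum field itself excluded, plus the file length. The 312-byte PE32 image it runs on is constructed here for the demonstration; it reuses the COFF characteristics the report lists (0x010F) but is not a byte of udmugning.exe, so the figures it prints are its own, not 0x1fc2a / 0x22a75.

```python
"""Recompute IMAGE_OPTIONAL_HEADER.CheckSum and compare it with the stored value.
Added example code; the PE image below is constructed, not bytes from udmugning.exe."""
import struct


def fold_sum(data: bytes, skip_offset=None) -> int:
    """One's-complement sum of `data` as little-endian 32-bit words with
    end-around carry, folded to 16 bits. `skip_offset` is the 4-aligned
    offset of the dword to leave out (the CheckSum field itself)."""
    padded = data + b"\0" * (-len(data) % 4)      # zero-extend an odd tail
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total


def checksum_offset(data: bytes) -> int:
    """File offset of the CheckSum field: +0x40 into the optional header
    for both PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    off = e_lfanew + 4 + 20 + 0x40          # signature + COFF header + 0x40
    if off % 4:
        raise ValueError("unaligned optional header; subtract the field instead of skipping it")
    return off


def pe_checksum(data: bytes) -> int:
    """Folded sum over everything but the CheckSum field, plus the file length."""
    return fold_sum(data, checksum_offset(data)) + len(data)


def verify_checksum(data: bytes):
    """Return (stored, computed, match). A stored value of 0 means the linker
    never set one, which is common and not by itself suspicious."""
    stored = struct.unpack_from("<I", data, checksum_offset(data))[0]
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def fix_checksum(data: bytes) -> bytes:
    """Write the recomputed value into the header, as a linker does at the end of a link."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_offset(data), pe_checksum(data))
    return bytes(out)


def build_minimal_pe(stored_checksum: int) -> bytes:
    """Constructed 312-byte PE32 header with no sections: DOS header, PE signature,
    COFF header with the characteristics the report lists (RELOCS_STRIPPED |
    EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE =
    0x010F) and a 224-byte optional header with Magic, ImageBase, Subsystem and
    CheckSum filled in."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x010F)     # IMAGE_FILE_MACHINE_I386
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 0x1C, 0x00400000)                       # ImageBase
    struct.pack_into("<I", opt, 0x40, stored_checksum)                  # CheckSum
    struct.pack_into("<H", opt, 0x44, 2)                                # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed image carrying the report's stored value, to show the mismatch shape.
    image = build_minimal_pe(0x1FC2A)
    stored, computed, ok = verify_checksum(image)
    print(f"real checksum: {stored:#x} should be: {computed:#x} match={ok}")
    print("after fix:", verify_checksum(fix_checksum(image)))
```

A mismatch means the file was modified after the linker wrote the header (packing, appended or patched sections, a builder that never recomputes). The user-mode loader does not validate this field (only drivers and a few system DLLs are checked), so the program still runs, and the finding is a post-link-modification indicator rather than evidence of malice on its own.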
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\udmugning.exe Code function: 1_2_0040414F push ebp; iretd 1_2_004041A3
Source: C:\Users\user\Desktop\udmugning.exe Code function: 1_2_0040C126 push 7600FFCEh; iretd 1_2_0040C12B
Source: C:\Users\user\Desktop\udmugning.exe Code function: 1_2_00409138 push eax; iretd 1_2_00409139
Source: C:\Users\user\Desktop\udmugning.exe Code function: 1_2_004011CA push 02A3CF73h; iretd 1_2_0040141C
Source: C:\Users\user\Desktop\udmugning.exe Code function: 1_2_004039D5 push esp; iretd 1_2_004039DB
Source: C:\Users\user\Desktop\udmugning.exe Code function: 1_2_0040877A push ebx; ret 1_2_00408782
Source: C:\Users\user\Desktop\udmugning.exe Code function: 1_2_0040C7DE pushad ; ret 1_2_0040C813
Source: C:\Users\user\Desktop\udmugning.exe Code function: 1_2_004067F8 push es; iretd 1_2_00406802
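What these hits have in common: a push whose value ends up being consumed by ret or iretd instead of by a call. `push imm32; ret` transfers control to imm32 without a jmp, so a linear-sweep disassembler does not mark the target as a branch destination; push/iretd sequences (iretd pops EIP, CS and EFLAGS) are typically never-executed junk whose only purpose is to derail disassembly. The sandbox found the hits above with a disassembler, which is why several pushes sit a few bytes before their ret/iretd. The following is an added example (not Joe Sandbox code, not bytes from the sample) that approximates that signature as a raw byte-pattern scan, with a `window` parameter for the non-adjacent case; the SAMPLE buffer and its 0x004010E0 target are constructed for the demonstration.

```python
"""Byte-pattern scan for push/ret and push/iretd gadgets.
Added example code; SAMPLE is constructed, not bytes from udmugning.exe."""
import struct

RET, IRETD = 0xC3, 0xCF
PUSH_IMM32, PUSHAD, PUSH_ES = 0x68, 0x60, 0x06
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # push r32 is 0x50 + reg


def decode_push(code: bytes, i: int):
    """If code[i:] begins with one of the push forms in the report, return
    (length, mnemonic, imm32_or_None); otherwise None."""
    op = code[i]
    if op == PUSH_IMM32 and i + 5 <= len(code):
        imm = struct.unpack_from("<I", code, i + 1)[0]
        return 5, f"push 0x{imm:08X}", imm
    if 0x50 <= op <= 0x57:
        return 1, f"push {REG32[op - 0x50]}", None
    if op == PUSHAD:
        return 1, "pushad", None
    if op == PUSH_ES:
        return 1, "push es", None
    return None


def find_push_ret(code: bytes, base: int = 0x00400000, window: int = 0) -> list:
    """Report each push followed by ret/iretd within `window` extra bytes
    (window=0: directly adjacent). `base` is the VA of code[0].
    Heuristic only: an immediate or data byte that happens to be 0x68 or
    0x50..0x57 can produce a false hit, so confirm with a real disassembler."""
    hits = []
    i = 0
    while i < len(code):
        d = decode_push(code, i)
        if d is None:
            i += 1
            continue
        length, text, imm = d
        end = min(len(code), i + length + window + 1)
        for j in range(i + length, end):
            if code[j] in (RET, IRETD):
                kind = "ret" if code[j] == RET else "iretd"
                hit = {"va": base + i, "xfer_va": base + j, "insn": f"{text}; {kind}"}
                if imm is not None and kind == "ret":
                    hit["jump_target"] = imm      # push imm32; ret behaves as jmp imm32
                hits.append(hit)
                i = j                             # resume after the ret/iretd
                break
        i += 1
    return hits


# Constructed code bytes, laid out to mirror the shapes the report lists.
SAMPLE = bytes.fromhex(
    "33C0"            # xor eax, eax            ordinary code, not reported
    "68CEFF0076CF"    # push 0x7600FFCE; iretd  same shape as the 0x0040C126 hit
    "90"              # nop
    "68E0104000C3"    # push 0x004010E0; ret    acts as jmp 0x004010E0 (constructed target)
    "55C3"            # push ebp; ret
    "60C3"            # pushad; ret
    "06CF"            # push es; iretd
    "C3"              # plain ret with no push in front: not reported
)

if __name__ == "__main__":
    for h in find_push_ret(SAMPLE):
        extra = f"  jmp target {h['jump_target']:#x}" if "jump_target" in h else ""
        print(f"{h['va']:08X}  {h['insn']:<24} -> {h['xfer_va']:08X}{extra}")
```

When triaging, the `jump_target` of each push-imm32/ret is the address to mark as a code entry in the disassembler; the register and segment forms carry no static target and are mostly useful as a density signal (many of them in a small .text is the GuLoader-style junk-code pattern rather than compiler output).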

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (71).png
Source: C:\Users\user\Desktop\udmugning.exe Process information set: NOOPENFILEERRORBOX (repeated 22 times)

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\udmugning.exe Window / User API: threadDelayed 4610
Source: C:\Users\user\Desktop\udmugning.exe Window / User API: threadDelayed 5389
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\udmugning.exe Last function: Thread delayed

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\udmugning.exe Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph

Behavior Graph ID: 395203
Sample: udmugning.exe
Start date: 22/04/2021
Architecture: WINDOWS
Score: 72
Signatures on the sample node: Icon mismatch, binary includes an icon from a different legit application in order to fool users; Multi AV Scanner detection for submitted file; Yara detected GuLoader; Machine Learning detection for sample
Process started: udmugning.exe (signature: Found potential dummy code loops (likely to delay analysis))
No contacted IP infos