Analysis Report cotizacion.exe

Overview

General Information

Sample Name: cotizacion.exe
Analysis ID: 395265
MD5: 35f5d83dbc44b907d379c5ab35f725f8
SHA1: 745ba0ab77e726e01d3f2fca4506383948906e24
SHA256: daf8d6de50e27c49b372d6cb0a7c6b7cd7a0946f959d13d3d3eb8d5d892c9eb7

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Machine Learning detection for sample
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: cotizacion.exe Virustotal: Detection: 62%
Source: cotizacion.exe Metadefender: Detection: 32%
Source: cotizacion.exe ReversingLabs: Detection: 70%
Machine Learning detection for sample
Source: cotizacion.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: cotizacion.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

PE file contains strange resources
Source: cotizacion.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cotizacion.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: cotizacion.exe, 00000000.00000002.493866250.00000000020A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs cotizacion.exe
Source: cotizacion.exe, 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameForkvakledes.exe vs cotizacion.exe
Source: cotizacion.exe, 00000000.00000002.502916759.0000000004FA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs cotizacion.exe
Source: cotizacion.exe, 00000000.00000002.494036894.0000000002200000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameForkvakledes.exeFE2XCluster-CCluster-C vs cotizacion.exe
Source: cotizacion.exe Binary or memory string: OriginalFilenameForkvakledes.exe vs cotizacion.exe
Uses 32bit PE files
Source: cotizacion.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal68.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\cotizacion.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF8BE9C0E48D19B38F.TMP
Source: cotizacion.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cotizacion.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\cotizacion.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cotizacion.exe Virustotal: Detection: 62%
Source: cotizacion.exe Metadefender: Detection: 32%
Source: cotizacion.exe ReversingLabs: Detection: 70%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: cotizacion.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.229099820.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.0.cotizacion.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cotizacion.exe.400000.0.unpack, type: UNPACKEDPE
PE file contains an invalid checksum
Source: cotizacion.exe Static PE information: real checksum: 0x279ca should be: 0x1d63d
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_00407C52 push es; ret 0_2_00407CB9
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_00401275 push 02A3CF73h; iretd 0_2_0040141C
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_00406E16 pushad ; ret 0_2_00406E19
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_0040261A push es; retf 0_2_0040265D
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_004078E3 pushad ; ret 0_2_004078E5
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_004092E9 push es; ret 0_2_004092F1
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_00409C8F push esi; iretd 0_2_00409C93
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_00406C97 push cs; ret 0_2_00406CD9
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_00405140 push ss; retf 0_2_00405141
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_00407D73 pushad ; retf 0_2_00407D75
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_00404D04 push es; ret 0_2_00404D05
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_00405310 push ecx; ret 0_2_00405311
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_00403D1F push eax; ret 0_2_00403D21
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_00404BD3 push es; retf 0_2_00404BD5
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_0040298C push ecx; retf 0_2_0040298D
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_00403792 push eax; ret 0_2_00403795
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_004037AE push eax; ret 0_2_004037B1
Source: C:\Users\user\Desktop\cotizacion.exe Code function: 0_2_004029B7 push es; retf 0_2_004029B9

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (71).png
Source: C:\Users\user\Desktop\cotizacion.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\cotizacion.exe Window / User API: threadDelayed 8041
Source: C:\Users\user\Desktop\cotizacion.exe Window / User API: threadDelayed 1959
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\cotizacion.exe Last function: Thread delayed

Anti Debugging:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: cotizacion.exe, 00000000.00000002.493462189.0000000000C20000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: cotizacion.exe, 00000000.00000002.493462189.0000000000C20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: cotizacion.exe, 00000000.00000002.493462189.0000000000C20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: cotizacion.exe, 00000000.00000002.493462189.0000000000C20000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph ID: 395265, Sample: cotizacion.exe, Start date: 22/04/2021, Architecture: WINDOWS, Score: 68
No contacted IP infos