Analysis Report transferencia

Overview

General Information

Sample Name:	transferencia (renamed file extension from none to exe)
Analysis ID:	395283
MD5:	718116c2cc15e564db71b3bda3f966e5
SHA1:	d14a54807e58e625dc18c6210c08bc553e474d41
SHA256:	573a35a2e7644c067c6ce60c344fbe291be24d85e6cecbee256a37e1219f7a83
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

Found large amount of non-executed APIs

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1UJvRluFmYD39H3TjOMIaVwZTdLhauoPu", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Multi AV Scanner detection for submitted file

Source: transferencia.exe	Virustotal: Detection: 46%			Perma Link
Source: transferencia.exe	ReversingLabs: Detection: 34%

Compliance:

Uses 32bit PE files

Source: transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1UJvRluFmYD39H3TjOMIaVwZTdLhauoPu

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\transferencia.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\transferencia.exe

Code function: 0_2_023051D1 NtProtectVirtualMemory,

0_2_023051D1

Detected potential crypto function

Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D8D	0_2_00403D8D
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404A43	0_2_00404A43
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404646	0_2_00404646
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404847	0_2_00404847
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404233	0_2_00404233
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0040443C	0_2_0040443C
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004046C1	0_2_004046C1
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004044C5	0_2_004044C5
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004048D1	0_2_004048D1
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004040BF	0_2_004040BF
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0040474A	0_2_0040474A
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0040454B	0_2_0040454B
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404139	0_2_00404139
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0040433B	0_2_0040433B
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004049C9	0_2_004049C9
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004045CD	0_2_004045CD
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004047D0	0_2_004047D0
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004041B5	0_2_004041B5
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004043B6	0_2_004043B6

Sample file is different than original file name gathered from version info

Source: transferencia.exe, 00000000.00000000.329335806.0000000000413000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWoodburyt.exe vs transferencia.exe
Source: transferencia.exe	Binary or memory string: OriginalFilenameWoodburyt.exe vs transferencia.exe

Uses 32bit PE files

Source: transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\transferencia.exe

File created: C:\Users\user\AppData\Local\Temp\~DF5CA7D5DF6D4DEBEB.TMP

Jump to behavior

Source: transferencia.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\transferencia.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\transferencia.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: transferencia.exe	Virustotal: Detection: 46%
Source: transferencia.exe	ReversingLabs: Detection: 34%

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: transferencia.exe PID: 6424, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match

File source: Process Memory Space: transferencia.exe PID: 6424, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0040EE14 push dword ptr [ebp-08h]; ret	0_2_0040F0A3
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00409A3C push esi; iretd	0_2_00409A58
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00409CD7 push ecx; iretd	0_2_00409D0D
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403CEE push ebp; ret	0_2_00403D38
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00409C9C push ecx; iretd	0_2_00409D0D
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D42 push ebp; ret	0_2_00403D44
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D45 push ebp; ret	0_2_00403D47
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D48 push ebp; ret	0_2_00403D4A
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D4B push ebp; ret	0_2_00403D4D
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D4E push ebp; ret	0_2_00403D50
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D51 push ebp; ret	0_2_00403D53
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D54 push ebp; ret	0_2_00403D56
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D57 push ebp; ret	0_2_00403D59
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D5A push ebp; ret	0_2_00403D5C
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D5D push ebp; ret	0_2_00403D5F
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D60 push ebp; ret	0_2_00403D62
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D63 push ebp; ret	0_2_00403D65
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D66 push ebp; ret	0_2_00403D68
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D69 push ebp; ret	0_2_00403D6B
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D6C push ebp; ret	0_2_00403D6E
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D6F push ebp; ret	0_2_00403D71
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D72 push ebp; ret	0_2_00403D74
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D75 push ebp; ret	0_2_00403D77
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D78 push ebp; ret	0_2_00403D7A
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D7B push ebp; ret	0_2_00403D7D
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D7E push ebp; ret	0_2_00403D80
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0040590E push eax; ret	0_2_0040590F
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D39 push ebp; ret	0_2_00403D3B
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D3C push ebp; ret	0_2_00403D3E
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D3F push ebp; ret	0_2_00403D41
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00408BE3 push ecx; iretd	0_2_00408E85

Source: C:\Users\user\Desktop\transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: transferencia.exe, 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\transferencia.exe

RDTSC instruction interceptor: First address: 00000000023025D2 second address: 00000000023025D2 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FED9C71556Bh 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007FED9C715551h 0x00000026 cmp dl, bl 0x00000028 push ecx 0x00000029 call 00007FED9C71561Fh 0x0000002e call 00007FED9C71557Bh 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\transferencia.exe

Code function: 0_2_02301057 rdtsc

0_2_02301057

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\transferencia.exe

API coverage: 8.9 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: transferencia.exe, 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\transferencia.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\transferencia.exe

Code function: 0_2_02301057 rdtsc

0_2_02301057

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D8D mov ebx, dword ptr fs:[00000030h]	0_2_00403D8D
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404233 mov ebx, dword ptr fs:[00000030h]	0_2_00404233
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004040BF mov ebx, dword ptr fs:[00000030h]	0_2_004040BF
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404139 mov ebx, dword ptr fs:[00000030h]	0_2_00404139
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004041B5 mov ebx, dword ptr fs:[00000030h]	0_2_004041B5
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_02301808 mov eax, dword ptr fs:[00000030h]	0_2_02301808
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_02301609 mov eax, dword ptr fs:[00000030h]	0_2_02301609
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_02304474 mov eax, dword ptr fs:[00000030h]	0_2_02304474
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_02304078 mov eax, dword ptr fs:[00000030h]	0_2_02304078
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0230245C mov eax, dword ptr fs:[00000030h]	0_2_0230245C
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0230115F mov eax, dword ptr fs:[00000030h]	0_2_0230115F
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_023049B4 mov eax, dword ptr fs:[00000030h]	0_2_023049B4

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\transferencia.exe

Code function: 0_2_0230435E cpuid

0_2_0230435E

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	395283
Product:	CloudBasic
Start time:	11:36:59
Start date:	22.04.2021
Sample:	transferencia
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	718116c2cc15e564db71b3bda3f966e5
SHA1:	d14a54807e58e625dc18c6210c08bc553e474d41
SHA256:	573a35a2e7644c067c6ce60c344fbe291be24d85e6cecbee256a37e1219f7a83
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Analysis Report transferencia

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map