Loading ...

Play interactive tourEdit tour

Analysis Report transferencia

Overview

General Information

Sample Name:transferencia (renamed file extension from none to exe)
Analysis ID:395283
MD5:718116c2cc15e564db71b3bda3f966e5
SHA1:d14a54807e58e625dc18c6210c08bc553e474d41
SHA256:573a35a2e7644c067c6ce60c344fbe291be24d85e6cecbee256a37e1219f7a83
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Found large amount of non-executed APIs
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • transferencia.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\transferencia.exe' MD5: 718116C2CC15E564DB71B3BDA3F966E5)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1UJvRluFmYD39H3TjOMIaVwZTdLhauoPu", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security
    Process Memory Space: transferencia.exe PID: 6424JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
      Process Memory Space: transferencia.exe PID: 6424JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

        Sigma Overview

        No Sigma rule has matched

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1UJvRluFmYD39H3TjOMIaVwZTdLhauoPu", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
        Multi AV Scanner detection for submitted fileShow sources
        Source: transferencia.exeVirustotal: Detection: 46%Perma Link
        Source: transferencia.exeReversingLabs: Detection: 34%
        Source: transferencia.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

        Networking:

        barindex
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1UJvRluFmYD39H3TjOMIaVwZTdLhauoPu
        Source: C:\Users\user\Desktop\transferencia.exeProcess Stats: CPU usage > 98%
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_023051D1 NtProtectVirtualMemory,0_2_023051D1
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D8D0_2_00403D8D
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00404A430_2_00404A43
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004046460_2_00404646
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004048470_2_00404847
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004042330_2_00404233
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_0040443C0_2_0040443C
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004046C10_2_004046C1
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004044C50_2_004044C5
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004048D10_2_004048D1
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004040BF0_2_004040BF
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_0040474A0_2_0040474A
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_0040454B0_2_0040454B
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004041390_2_00404139
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_0040433B0_2_0040433B
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004049C90_2_004049C9
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004045CD0_2_004045CD
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004047D00_2_004047D0
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004041B50_2_004041B5
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004043B60_2_004043B6
        Source: transferencia.exe, 00000000.00000000.329335806.0000000000413000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWoodburyt.exe vs transferencia.exe
        Source: transferencia.exeBinary or memory string: OriginalFilenameWoodburyt.exe vs transferencia.exe
        Source: transferencia.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: classification engineClassification label: mal84.troj.evad.winEXE@1/0@0/0
        Source: C:\Users\user\Desktop\transferencia.exeFile created: C:\Users\user\AppData\Local\Temp\~DF5CA7D5DF6D4DEBEB.TMPJump to behavior
        Source: transferencia.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\transferencia.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
        Source: C:\Users\user\Desktop\transferencia.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: transferencia.exeVirustotal: Detection: 46%
        Source: transferencia.exeReversingLabs: Detection: 34%

        Data Obfuscation:

        barindex
        Yara detected GuLoaderShow sources
        Source: Yara matchFile source: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: transferencia.exe PID: 6424, type: MEMORY
        Yara detected VB6 Downloader GenericShow sources
        Source: Yara matchFile source: Process Memory Space: transferencia.exe PID: 6424, type: MEMORY
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_0040EE14 push dword ptr [ebp-08h]; ret 0_2_0040F0A3
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00409A3C push esi; iretd 0_2_00409A58
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00409CD7 push ecx; iretd 0_2_00409D0D
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403CEE push ebp; ret 0_2_00403D38
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00409C9C push ecx; iretd 0_2_00409D0D
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D42 push ebp; ret 0_2_00403D44
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D45 push ebp; ret 0_2_00403D47
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D48 push ebp; ret 0_2_00403D4A
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D4B push ebp; ret 0_2_00403D4D
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D4E push ebp; ret 0_2_00403D50
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D51 push ebp; ret 0_2_00403D53
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D54 push ebp; ret 0_2_00403D56
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D57 push ebp; ret 0_2_00403D59
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D5A push ebp; ret 0_2_00403D5C
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D5D push ebp; ret 0_2_00403D5F
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D60 push ebp; ret 0_2_00403D62
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D63 push ebp; ret 0_2_00403D65
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D66 push ebp; ret 0_2_00403D68
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D69 push ebp; ret 0_2_00403D6B
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D6C push ebp; ret 0_2_00403D6E
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D6F push ebp; ret 0_2_00403D71
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D72 push ebp; ret 0_2_00403D74
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D75 push ebp; ret 0_2_00403D77
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D78 push ebp; ret 0_2_00403D7A
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D7B push ebp; ret 0_2_00403D7D
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D7E push ebp; ret 0_2_00403D80
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_0040590E push eax; ret 0_2_0040590F
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D39 push ebp; ret 0_2_00403D3B
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D3C push ebp; ret 0_2_00403D3E
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D3F push ebp; ret 0_2_00403D41
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00408BE3 push ecx; iretd 0_2_00408E85
        Source: C:\Users\user\Desktop\transferencia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\transferencia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\transferencia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        barindex
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
        Source: transferencia.exe, 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Tries to detect virtualization through RDTSC time measurementsShow sources
        Source: C:\Users\user\Desktop\transferencia.exeRDTSC instruction interceptor: First address: 00000000023025D2 second address: 00000000023025D2 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FED9C71556Bh 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007FED9C715551h 0x00000026 cmp dl, bl 0x00000028 push ecx 0x00000029 call 00007FED9C71561Fh 0x0000002e call 00007FED9C71557Bh 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_02301057 rdtsc 0_2_02301057
        Source: C:\Users\user\Desktop\transferencia.exeAPI coverage: 8.9 %
        Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: transferencia.exe, 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

        Anti Debugging:

        barindex
        Found potential dummy code loops (likely to delay analysis)Show sources
        Source: C:\Users\user\Desktop\transferencia.exeProcess Stats: CPU usage > 90% for more than 60s
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_02301057 rdtsc 0_2_02301057
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00403D8D mov ebx, dword ptr fs:[00000030h]0_2_00403D8D
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00404233 mov ebx, dword ptr fs:[00000030h]0_2_00404233
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004040BF mov ebx, dword ptr fs:[00000030h]0_2_004040BF
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_00404139 mov ebx, dword ptr fs:[00000030h]0_2_00404139
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_004041B5 mov ebx, dword ptr fs:[00000030h]0_2_004041B5
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_02301808 mov eax, dword ptr fs:[00000030h]0_2_02301808
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_02301609 mov eax, dword ptr fs:[00000030h]0_2_02301609
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_02304474 mov eax, dword ptr fs:[00000030h]0_2_02304474
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_02304078 mov eax, dword ptr fs:[00000030h]0_2_02304078
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_0230245C mov eax, dword ptr fs:[00000030h]0_2_0230245C
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_0230115F mov eax, dword ptr fs:[00000030h]0_2_0230115F
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_023049B4 mov eax, dword ptr fs:[00000030h]0_2_023049B4
        Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmpBinary or memory string: &Program Manager
        Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmpBinary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\transferencia.exeCode function: 0_2_0230435E cpuid 0_2_0230435E
        Source: C:\Users\user\Desktop\transferencia.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\transferencia.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\transferencia.exeQueries volume information: C:\ VolumeInformationJump to behavior

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery311Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery121Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.