Analysis Report NP__000009116_11-05-2021_08_40_37.exe

Overview

General Information

Sample Name: NP__000009116_11-05-2021_08_40_37.exe
Analysis ID: 410830
MD5: 3f695fa46992bd20300728e9245c87f8
SHA1: 83d7a6cb77eff285ed7b1950438fa3573d5b31fd
SHA256: e0f53d67eb5d4a5bab2f6d0bbaff502896e12572b97bf0350c88cfac3fcc5b8f
Tags: GuLoader

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: NP__000009116_11-05-2021_08_40_37.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1RnNEBf_Y19f_pduK4zvHqPJHGwMdQKtO"}
Multi AV Scanner detection for submitted file
Source: NP__000009116_11-05-2021_08_40_37.exe Virustotal: Detection: 25%

Compliance:

Uses 32bit PE files
Source: NP__000009116_11-05-2021_08_40_37.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1RnNEBf_Y19f_pduK4zvHqPJHGwMdQKtO

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.762821302.00000000006FA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F1B8C NtAllocateVirtualMemory, 1_2_029F1B8C
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F33B5 NtProtectVirtualMemory, 1_2_029F33B5
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F375D NtProtectVirtualMemory, 1_2_029F375D
Detected potential crypto function
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_0040157B 1_2_0040157B
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_0040176A 1_2_0040176A
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_004017B7 1_2_004017B7
Sample file is different than original file name gathered from version info
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000000.237164633.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamerammier.exe vs NP__000009116_11-05-2021_08_40_37.exe
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763380076.0000000002110000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs NP__000009116_11-05-2021_08_40_37.exe
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.767126185.0000000002A10000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamerammier.exeFE2X vs NP__000009116_11-05-2021_08_40_37.exe
Source: NP__000009116_11-05-2021_08_40_37.exe Binary or memory string: OriginalFilenamerammier.exe vs NP__000009116_11-05-2021_08_40_37.exe
Uses 32bit PE files
Source: NP__000009116_11-05-2021_08_40_37.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe File created: C:\Users\user\AppData\Local\Temp\~DFAFF35D8849DF2CC2.TMP
Source: NP__000009116_11-05-2021_08_40_37.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: NP__000009116_11-05-2021_08_40_37.exe Virustotal: Detection: 25%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_00405570 push ecx; ret 1_2_00405580
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_004067EB push esi; iretd 1_2_004067ED
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F1EC9 1_2_029F1EC9
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F1E0F 1_2_029F1E0F
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F2DBA 1_2_029F2DBA
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F18AB second address: 00000000029F18AB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, 00001000h 0x0000000f test edx, ebx 0x00000011 div ecx 0x00000013 cmp edx, 00000000h 0x00000016 jne 00007F37C500D3A2h 0x00000018 dec ebx 0x00000019 xor edx, edx 0x0000001b cmp bl, al 0x0000001d mov eax, ebx 0x0000001f pushad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F2C6B second address: 00000000029F2C6B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a shl eax, 05h 0x0000000d add eax, ebx 0x0000000f movzx ecx, byte ptr [esi] 0x00000012 cmp edx, eax 0x00000014 add eax, ecx 0x00000016 xor eax, A06C3E3Fh 0x0000001b cmp edx, F2FD7140h 0x00000021 inc esi 0x00000022 cmp byte ptr [esi], 00000000h 0x00000025 jne 00007F37C443C430h 0x00000027 cmp byte ptr [esi], FFFFFFA4h 0x0000002a jnc 00007F37C443C49Fh 0x0000002c test bx, ax 0x0000002f mov ebx, eax 0x00000031 pushad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F2BAA second address: 00000000029F2BAA instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F2AB4 second address: 00000000029F2AB4 instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F1D14 second address: 00000000029F1D14 instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F2DBE second address: 00000000029F2DBE instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F2E84 second address: 00000000029F2E84 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F18AB second address: 00000000029F18AB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, 00001000h 0x0000000f test edx, ebx 0x00000011 div ecx 0x00000013 cmp edx, 00000000h 0x00000016 jne 00007F37C500D3A2h 0x00000018 dec ebx 0x00000019 xor edx, edx 0x0000001b cmp bl, al 0x0000001d mov eax, ebx 0x0000001f pushad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F2C6B second address: 00000000029F2C6B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a shl eax, 05h 0x0000000d add eax, ebx 0x0000000f movzx ecx, byte ptr [esi] 0x00000012 cmp edx, eax 0x00000014 add eax, ecx 0x00000016 xor eax, A06C3E3Fh 0x0000001b cmp edx, F2FD7140h 0x00000021 inc esi 0x00000022 cmp byte ptr [esi], 00000000h 0x00000025 jne 00007F37C443C430h 0x00000027 cmp byte ptr [esi], FFFFFFA4h 0x0000002a jnc 00007F37C443C49Fh 0x0000002c test bx, ax 0x0000002f mov ebx, eax 0x00000031 pushad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F2BAA second address: 00000000029F2BAA instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F2AB4 second address: 00000000029F2AB4 instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F1D14 second address: 00000000029F1D14 instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F2DBE second address: 00000000029F2DBE instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe RDTSC instruction interceptor: First address: 00000000029F2E84 second address: 00000000029F2E84 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F2C97 rdtsc 1_2_029F2C97
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F2C97 rdtsc 1_2_029F2C97
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F1885 mov eax, dword ptr fs:[00000030h] 1_2_029F1885
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F2AD8 mov eax, dword ptr fs:[00000030h] 1_2_029F2AD8
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F0CE5 mov eax, dword ptr fs:[00000030h] 1_2_029F0CE5
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F3118 mov eax, dword ptr fs:[00000030h] 1_2_029F3118
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F1127 mov eax, dword ptr fs:[00000030h] 1_2_029F1127
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F2D21 mov eax, dword ptr fs:[00000030h] 1_2_029F2D21
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe Code function: 1_2_029F2C97 cpuid 1_2_029F2C97
No contacted IP information