Analysis Report Lista produkt#U00f3w.exe

Overview

General Information

Sample Name: Lista produkt#U00f3w.exe
Analysis ID: 411100
MD5: c7f305d2e4f5e91e8118ac32ec796b0c
SHA1: c477a3d238b96c2a58e77bb7c818775e23f7d656
SHA256: 0d28b94959edb70309a2754a83f2c9230b3176618ab571995d81955751ca2dbe

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: Lista produkt#U00f3w.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=17FenSUBd1a7PqzhRX-elu4bxZvs0LF9Y"}
Multi AV Scanner detection for submitted file
Source: Lista produkt#U00f3w.exe Virustotal: Detection: 34%
Source: Lista produkt#U00f3w.exe ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: Lista produkt#U00f3w.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=17FenSUBd1a7PqzhRX-elu4bxZvs0LF9Y

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B1B3F NtAllocateVirtualMemory, 0_2_022B1B3F
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B33E1 NtProtectVirtualMemory, 0_2_022B33E1
Detected potential crypto function
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00407206 0_2_00407206
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00407246 0_2_00407246
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_0040176F 0_2_0040176F
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00401580 0_2_00401580
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_004017BC 0_2_004017BC
Sample file is different than original file name gathered from version info
Source: Lista produkt#U00f3w.exe, 00000000.00000000.209614944.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFarveskrmene.exe vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.1290593504.0000000002280000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.1292000983.0000000002A20000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFarveskrmene.exeFE2X~~ vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe Binary or memory string: OriginalFilenameFarveskrmene.exe vs Lista produkt#U00f3w.exe
Uses 32bit PE files
Source: Lista produkt#U00f3w.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe File created: C:\Users\user\AppData\Local\Temp\~DF4627E9014B595615.TMP
Source: Lista produkt#U00f3w.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Lista produkt#U00f3w.exe Virustotal: Detection: 34%
Source: Lista produkt#U00f3w.exe ReversingLabs: Detection: 17%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00406613 push edx; ret 0_2_00406614
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00405A15 push esp; ret 0_2_00405A20
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00405889 push eax; ret 0_2_0040588C
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_0040576B push edi; retf 0_2_004057A0
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00404B1B push esp; retn 0000h 0_2_00404B1D
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_0040459E pushfd ; ret 0_2_004045A0
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B1B3F pushfd ; iretd 0_2_022B1CAC
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B1CA1 pushfd ; iretd 0_2_022B1CAC
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B0C5E 0_2_022B0C5E
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B1301 0_2_022B1301
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B0511 0_2_022B0511
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B0D16 0_2_022B0D16
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe RDTSC instruction interceptor: First address: 00000000022B1972 second address: 00000000022B1972 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007FD3E4D6E2EAh
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d pop ecx
  0x0000001e add edi, edx
  0x00000020 cmp bx, ax
  0x00000023 dec ecx
  0x00000024 cmp dh, ah
  0x00000026 cmp ecx, 00000000h
  0x00000029 jne 00007FD3E4D6E2CAh
  0x0000002b push ecx
  0x0000002c cmp bl, al
  0x0000002e cmp bl, cl
  0x00000030 call 00007FD3E4D6E2FFh
  0x00000035 call 00007FD3E4D6E2FAh
  0x0000003a lfence
  0x0000003d mov edx, dword ptr [7FFE0014h]
  0x00000043 lfence
  0x00000046 ret
  0x00000047 mov esi, edx
  0x00000049 pushad
  0x0000004a rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B122C rdtsc 0_2_022B122C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B122C rdtsc 0_2_022B122C
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B30ED mov eax, dword ptr fs:[00000030h] 0_2_022B30ED
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B18E2 mov eax, dword ptr fs:[00000030h] 0_2_022B18E2
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B111A mov eax, dword ptr fs:[00000030h] 0_2_022B111A
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B0D16 mov eax, dword ptr fs:[00000030h] 0_2_022B0D16
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B2D69 mov eax, dword ptr fs:[00000030h] 0_2_022B2D69
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B2B82 mov eax, dword ptr fs:[00000030h] 0_2_022B2B82
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Lista produkt#U00f3w.exe, 00000000.00000002.1289894220.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Lista produkt#U00f3w.exe, 00000000.00000002.1289894220.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Lista produkt#U00f3w.exe, 00000000.00000002.1289894220.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Lista produkt#U00f3w.exe, 00000000.00000002.1289894220.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_022B1B3F cpuid 0_2_022B1B3F

Behavior Graph

Behavior Graph ID: 411100 Sample: Lista produkt#U00f3w.exe Startdate: 11/05/2021 Architecture: WINDOWS Score: 80
Signatures attached to the sample node: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 4 other signatures
Process started: Lista produkt#U00f3w.exe
No contacted IP infos