Analysis Report shipping Document and Bill Of Landing.exe

Overview

General Information

Sample Name: shipping Document and Bill Of Landing.exe
Analysis ID: 411858
MD5: 7196e6e67a39225a9b73af0c6f6b5b0e
SHA1: c0da8d54393e9365d1fa0f0a88cf4b52496992b1
SHA256: 4d5e7bff4f749a4f1a357c61098c19c345246b142308f4048aebc6dfdaf4fc73
Tags: GuLoader

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
PE file contains an invalid checksum
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 0000000D.00000002.469283991.0000000000560000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://reachglobal-in.com/fdeb/bin_dXfiGRj156.bin"}
Multi AV Scanner detection for submitted file
Source: shipping Document and Bill Of Landing.exe Virustotal: Detection: 52%
Source: shipping Document and Bill Of Landing.exe ReversingLabs: Detection: 29%
Machine Learning detection for sample
Source: shipping Document and Bill Of Landing.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_00413514 CryptDestroyHash, 1_2_00413514

Compliance:

Uses 32bit PE files
Source: shipping Document and Bill Of Landing.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://reachglobal-in.com/fdeb/bin_dXfiGRj156.bin
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: reachglobal-in.com replaycode: Server failure (2)
Source: unknown DNS traffic detected: queries for: reachglobal-in.com
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.469283991.0000000000560000.00000040.00000001.sdmp String found in binary or memory: https://reachglobal-in.com/fdeb/bin_dXfiGRj156.bin

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Executable has a suspicious name (potential lure to open the executable)
Source: shipping Document and Bill Of Landing.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: shipping Document and Bill Of Landing.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02296EB1 NtUnmapViewOfSection, 1_2_02296EB1
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02290715 EnumWindows,NtWriteVirtualMemory, 1_2_02290715
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229292A NtWriteVirtualMemory, 1_2_0229292A
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229350C NtAllocateVirtualMemory, 1_2_0229350C
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02296962 NtProtectVirtualMemory, 1_2_02296962
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02293636 NtAllocateVirtualMemory, 1_2_02293636
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229720A NtUnmapViewOfSection, 1_2_0229720A
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292A0C NtWriteVirtualMemory, 1_2_02292A0C
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02297277 NtUnmapViewOfSection, 1_2_02297277
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292A5C NtWriteVirtualMemory, 1_2_02292A5C
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02297257 NtUnmapViewOfSection, 1_2_02297257
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02296EBE NtUnmapViewOfSection, 1_2_02296EBE
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292A8B NtWriteVirtualMemory, 1_2_02292A8B
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022972E0 NtUnmapViewOfSection, 1_2_022972E0
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292AD8 NtWriteVirtualMemory, 1_2_02292AD8
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02296F38 NtUnmapViewOfSection, 1_2_02296F38
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292B32 NtWriteVirtualMemory, 1_2_02292B32
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292B6F NtWriteVirtualMemory, 1_2_02292B6F
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02296F48 NtUnmapViewOfSection, 1_2_02296F48
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02296FEA NtUnmapViewOfSection, 1_2_02296FEA
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292BD4 NtWriteVirtualMemory, 1_2_02292BD4
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02293C23 NtWriteVirtualMemory, 1_2_02293C23
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292C0F NtWriteVirtualMemory, 1_2_02292C0F
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229700E NtUnmapViewOfSection, 1_2_0229700E
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292C56 NtWriteVirtualMemory, 1_2_02292C56
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292CAE NtWriteVirtualMemory, 1_2_02292CAE
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022970B6 NtUnmapViewOfSection, 1_2_022970B6
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02297087 NtUnmapViewOfSection, 1_2_02297087
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022970FB NtUnmapViewOfSection, 1_2_022970FB
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02297130 NtUnmapViewOfSection, 1_2_02297130
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229290F NtWriteVirtualMemory, 1_2_0229290F
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292D04 NtWriteVirtualMemory, 1_2_02292D04
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229351C NtAllocateVirtualMemory, 1_2_0229351C
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229194A NtWriteVirtualMemory, 1_2_0229194A
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229714E NtUnmapViewOfSection, 1_2_0229714E
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292943 NtWriteVirtualMemory, 1_2_02292943
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292D5C NtWriteVirtualMemory, 1_2_02292D5C
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02293554 NtAllocateVirtualMemory, 1_2_02293554
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292DA7 NtWriteVirtualMemory, 1_2_02292DA7
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022935A6 NtAllocateVirtualMemory, 1_2_022935A6
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022971BE NtUnmapViewOfSection, 1_2_022971BE
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229299B NtWriteVirtualMemory, 1_2_0229299B
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022935E0 NtAllocateVirtualMemory, 1_2_022935E0
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022935D1 NtAllocateVirtualMemory, 1_2_022935D1
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022929D0 NtWriteVirtualMemory, 1_2_022929D0
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00566962 NtProtectVirtualMemory, 13_2_00566962
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_0056350C NtAllocateVirtualMemory, 13_2_0056350C
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005609FB NtProtectVirtualMemory, 13_2_005609FB
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00566EB1 NtSetInformationThread, 13_2_00566EB1
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_0056700E NtSetInformationThread, 13_2_0056700E
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005670FB NtSetInformationThread, 13_2_005670FB
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00567087 NtSetInformationThread, 13_2_00567087
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005670B6 NtSetInformationThread, 13_2_005670B6
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00563554 NtAllocateVirtualMemory, 13_2_00563554
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_0056714E NtSetInformationThread, 13_2_0056714E
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_0056351C NtAllocateVirtualMemory, 13_2_0056351C
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00567130 NtSetInformationThread, 13_2_00567130
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005635D1 NtAllocateVirtualMemory, 13_2_005635D1
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005635E0 NtAllocateVirtualMemory, 13_2_005635E0
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005671BE NtSetInformationThread, 13_2_005671BE
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005635A6 NtAllocateVirtualMemory, 13_2_005635A6
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00567257 NtSetInformationThread, 13_2_00567257
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00567277 NtSetInformationThread, 13_2_00567277
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_0056720A NtSetInformationThread, 13_2_0056720A
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00563636 NtAllocateVirtualMemory, 13_2_00563636
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005672E0 NtSetInformationThread, 13_2_005672E0
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00566EBE NtSetInformationThread, 13_2_00566EBE
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00566F48 NtSetInformationThread, 13_2_00566F48
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00566F38 NtSetInformationThread, 13_2_00566F38
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00560FFA NtProtectVirtualMemory, 13_2_00560FFA
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00566FEA NtSetInformationThread, 13_2_00566FEA
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00560FAC NtProtectVirtualMemory, 13_2_00560FAC
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00560FA8 NtProtectVirtualMemory, 13_2_00560FA8
Detected potential crypto function
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02295460 1_2_02295460
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00565460 13_2_00565460
PE file contains strange resources
Source: shipping Document and Bill Of Landing.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.297195400.0000000002A10000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameThe.exeFE2X< vs shipping Document and Bill Of Landing.exe
Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.296409915.0000000002210000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs shipping Document and Bill Of Landing.exe
Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.296018416.000000000042F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameThe.exe vs shipping Document and Bill Of Landing.exe
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000000.294760484.000000000042F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameThe.exe vs shipping Document and Bill Of Landing.exe
Source: shipping Document and Bill Of Landing.exe Binary or memory string: OriginalFilenameThe.exe vs shipping Document and Bill Of Landing.exe
Uses 32bit PE files
Source: shipping Document and Bill Of Landing.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@3/0@43/0
Source: shipping Document and Bill Of Landing.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: shipping Document and Bill Of Landing.exe Virustotal: Detection: 52%
Source: shipping Document and Bill Of Landing.exe ReversingLabs: Detection: 29%
Source: unknown Process created: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe 'C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe'
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Process created: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe 'C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe'

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000D.00000002.469283991.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.296439672.0000000002290000.00000040.00000001.sdmp, type: MEMORY
PE file contains an invalid checksum
Source: shipping Document and Bill Of Landing.exe Static PE information: real checksum: 0x3be80 should be: 0x37542
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_00401CCC push edx; retf 2E00h 1_2_00401DE2
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0040424D push ss; iretd 1_2_0040436D
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_00404334 push ss; iretd 1_2_0040436D
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02296628 push eax; ret 1_2_02296644
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00566628 push eax; ret 13_2_00566644

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe File created: \shipping document and bill of landing.exe
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02297644 1_2_02297644
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229765E 1_2_0229765E
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_0056765E 13_2_0056765E
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00567644 13_2_00567644
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe RDTSC instruction interceptor: First address: 0000000002295F8A second address: 0000000002295F8A instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe RDTSC instruction interceptor: First address: 0000000002296025 second address: 0000000002296025 instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe RDTSC instruction interceptor: First address: 0000000002295F27 second address: 0000000002295F27 instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe RDTSC instruction interceptor: First address: 0000000002295D71 second address: 0000000002295D71 instructions:
    0x00000000 rdtsc
    0x00000002 xor eax, eax
    0x00000004 inc eax
    0x00000005 cpuid
    0x00000007 popad
    0x00000008 call 00007FDABC9E8338h
    0x0000000d lfence
    0x00000010 mov edx, dword ptr [7FFE0014h]
    0x00000016 lfence
    0x00000019 ret
    0x0000001a sub edx, esi
    0x0000001c ret
    0x0000001d test cx, cx
    0x00000020 test bh, dh
    0x00000022 add edi, edx
    0x00000024 cmp ah, dh
    0x00000026 dec dword ptr [ebp+000000F8h]
    0x0000002c cmp dx, bx
    0x0000002f cmp dword ptr [ebp+000000F8h], 00000000h
    0x00000036 jne 00007FDABC9E830Fh
    0x00000038 cmp ax, bx
    0x0000003b call 00007FDABC9E837Eh
    0x00000040 call 00007FDABC9E8348h
    0x00000045 lfence
    0x00000048 mov edx, dword ptr [7FFE0014h]
    0x0000004e lfence
    0x00000051 ret
    0x00000052 mov esi, edx
    0x00000054 pushad
    0x00000055 rdtsc
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe RDTSC instruction interceptor: First address: 0000000002293DBD second address: 0000000002293DBD instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.296445757.00000000022A0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.296445757.00000000022A0000.00000004.00000001.sdmp, shipping Document and Bill Of Landing.exe, 0000000D.00000002.469952233.0000000000740000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.469952233.0000000000740000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe RDTSC instruction interceptor: First address: 0000000002295F8A second address: 0000000002295F8A instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe RDTSC instruction interceptor: First address: 0000000002296025 second address: 0000000002296025 instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe RDTSC instruction interceptor: First address: 0000000002295F27 second address: 0000000002295F27 instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe RDTSC instruction interceptor: First address: 0000000002295D71 second address: 0000000002295D71 instructions:
    0x00000000 rdtsc
    0x00000002 xor eax, eax
    0x00000004 inc eax
    0x00000005 cpuid
    0x00000007 popad
    0x00000008 call 00007FDABC9E8338h
    0x0000000d lfence
    0x00000010 mov edx, dword ptr [7FFE0014h]
    0x00000016 lfence
    0x00000019 ret
    0x0000001a sub edx, esi
    0x0000001c ret
    0x0000001d test cx, cx
    0x00000020 test bh, dh
    0x00000022 add edi, edx
    0x00000024 cmp ah, dh
    0x00000026 dec dword ptr [ebp+000000F8h]
    0x0000002c cmp dx, bx
    0x0000002f cmp dword ptr [ebp+000000F8h], 00000000h
    0x00000036 jne 00007FDABC9E830Fh
    0x00000038 cmp ax, bx
    0x0000003b call 00007FDABC9E837Eh
    0x00000040 call 00007FDABC9E8348h
    0x00000045 lfence
    0x00000048 mov edx, dword ptr [7FFE0014h]
    0x0000004e lfence
    0x00000051 ret
    0x00000052 mov esi, edx
    0x00000054 pushad
    0x00000055 rdtsc
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe RDTSC instruction interceptor: First address: 0000000002295DB1 second address: 0000000002295DB1 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a ret
    0x0000000b mov esi, edx
    0x0000000d pushad
    0x0000000e xor eax, eax
    0x00000010 inc eax
    0x00000011 cpuid
    0x00000013 bt ecx, 1Fh
    0x00000017 jc 00007FDABC9BB85Eh
    0x0000001d popad
    0x0000001e call 00007FDABC9BB41Bh
    0x00000023 lfence
    0x00000026 rdtsc
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe RDTSC instruction interceptor: First address: 0000000002293DBD second address: 0000000002293DBD instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe RDTSC instruction interceptor: First address: 0000000000565DB1 second address: 0000000000565DB1 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a ret
    0x0000000b mov esi, edx
    0x0000000d pushad
    0x0000000e xor eax, eax
    0x00000010 inc eax
    0x00000011 cpuid
    0x00000013 bt ecx, 1Fh
    0x00000017 jc 00007FDABC9BB85Eh
    0x0000001d popad
    0x0000001e call 00007FDABC9BB41Bh
    0x00000023 lfence
    0x00000026 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229350C rdtsc 1_2_0229350C
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Last function: Thread delayed
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.469952233.0000000000740000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.296445757.00000000022A0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.296445757.00000000022A0000.00000004.00000001.sdmp, shipping Document and Bill Of Landing.exe, 0000000D.00000002.469952233.0000000000740000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229350C rdtsc 1_2_0229350C
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02294174 LdrInitializeThunk, 1_2_02294174
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02295A88 mov eax, dword ptr fs:[00000030h] 1_2_02295A88
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022952C8 mov eax, dword ptr fs:[00000030h] 1_2_022952C8
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022952DA mov eax, dword ptr fs:[00000030h] 1_2_022952DA
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022923FC mov eax, dword ptr fs:[00000030h] 1_2_022923FC
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022963F1 mov eax, dword ptr fs:[00000030h] 1_2_022963F1
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022963F4 mov eax, dword ptr fs:[00000030h] 1_2_022963F4
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02291BC7 mov eax, dword ptr fs:[00000030h] 1_2_02291BC7
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292415 mov eax, dword ptr fs:[00000030h] 1_2_02292415
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02296416 mov eax, dword ptr fs:[00000030h] 1_2_02296416
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_0229644C mov eax, dword ptr fs:[00000030h] 1_2_0229644C
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_02292440 mov eax, dword ptr fs:[00000030h] 1_2_02292440
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 1_2_022930E0 mov eax, dword ptr fs:[00000030h] 1_2_022930E0
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00562440 mov eax, dword ptr fs:[00000030h] 13_2_00562440
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_0056644C mov eax, dword ptr fs:[00000030h] 13_2_0056644C
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00566416 mov eax, dword ptr fs:[00000030h] 13_2_00566416
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00562415 mov eax, dword ptr fs:[00000030h] 13_2_00562415
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005630E0 mov eax, dword ptr fs:[00000030h] 13_2_005630E0
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005652DA mov eax, dword ptr fs:[00000030h] 13_2_005652DA
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005652C8 mov eax, dword ptr fs:[00000030h] 13_2_005652C8
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00565A88 mov eax, dword ptr fs:[00000030h] 13_2_00565A88
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_00561BC7 mov eax, dword ptr fs:[00000030h] 13_2_00561BC7
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005663F4 mov eax, dword ptr fs:[00000030h] 13_2_005663F4
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005663F1 mov eax, dword ptr fs:[00000030h] 13_2_005663F1
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Code function: 13_2_005623FC mov eax, dword ptr fs:[00000030h] 13_2_005623FC

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe Process created: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe 'C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe'
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.470425237.0000000000EF0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.470425237.0000000000EF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.470425237.0000000000EF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.470425237.0000000000EF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph (ID: 411858; Sample: shipping Document and Bill Of Landing.exe; Start date: 12/05/2021; Architecture: WINDOWS; Score: 100)

Top-level signatures: Potential malicious icon found; Found malware configuration; Multi AV Scanner detection for submitted file; 9 other signatures. Contacted domain: reachglobal-in.com.

Process chain: shipping Document and Bill Of Landing.exe (started) -> shipping Document and Bill Of Landing.exe (started, second instance). Both instances: Tries to detect Any.run; Hides threads from debuggers. The second instance contacts reachglobal-in.com.
No contacted IP infos

Contacted Domains

Name IP Active
reachglobal-in.com unknown unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://reachglobal-in.com/fdeb/bin_dXfiGRj156.bin | true | Avira URL Cloud: safe | unknown