Analysis Report RFQ 35465756.exe

Overview

General Information

Sample Name: RFQ 35465756.exe
Analysis ID: 412180
MD5: a00e24b88a7ffa3e82d9fca15e0c46f1
SHA1: acb2d22c4a94ffa77422868a24118fe943f7526e
SHA256: 0089a67b8891a809e2c7699b1d97e0d1286756c801aecc20a200a13b049ecb94
Tags: GuLoader

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: RFQ 35465756.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1tugb1Cx6PcCD1YoZNcA5MNpIX8ZFbd_s"}
Multi AV Scanner detection for submitted file
Source: RFQ 35465756.exe Virustotal: Detection: 34%
Source: RFQ 35465756.exe ReversingLabs: Detection: 71%

Compliance:

Uses 32bit PE files
Source: RFQ 35465756.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1tugb1Cx6PcCD1YoZNcA5MNpIX8ZFbd_s

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\RFQ 35465756.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A33F8 NtProtectVirtualMemory, 0_2_022A33F8
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A1BF3 NtAllocateVirtualMemory, 0_2_022A1BF3
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_00407159 0_2_00407159
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_00407175 0_2_00407175
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_00401579 0_2_00401579
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_004071B4 0_2_004071B4
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_00407262 0_2_00407262
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_0040720E 0_2_0040720E
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_004072B3 0_2_004072B3
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_0040734A 0_2_0040734A
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_00401768 0_2_00401768
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_00407368 0_2_00407368
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_00407304 0_2_00407304
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_004073E8 0_2_004073E8
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_00407391 0_2_00407391
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_004017B5 0_2_004017B5
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A3B0E 0_2_022A3B0E
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A3080 0_2_022A3080
Sample file is different than original file name gathered from version info
Source: RFQ 35465756.exe, 00000000.00000002.759133775.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSilure2.exe vs RFQ 35465756.exe
Source: RFQ 35465756.exe, 00000000.00000002.760663714.0000000002260000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs RFQ 35465756.exe
Source: RFQ 35465756.exe, 00000000.00000002.761291141.00000000022F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSilure2.exeFE2X vs RFQ 35465756.exe
Source: RFQ 35465756.exe Binary or memory string: OriginalFilenameSilure2.exe vs RFQ 35465756.exe
Uses 32bit PE files
Source: RFQ 35465756.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal92.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\RFQ 35465756.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF0971D5C732263ABC.TMP
Source: RFQ 35465756.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ 35465756.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\RFQ 35465756.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ 35465756.exe Virustotal: Detection: 34%
Source: RFQ 35465756.exe ReversingLabs: Detection: 71%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.761118187.00000000022A0000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: RFQ 35465756.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.235938120.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.759094776.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.0.RFQ 35465756.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ 35465756.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_00405C23 pushad ; retf 0_2_00405C2B
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_0040532B push eax; retf 0_2_0040534F
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A17A8 push 233953B7h; iretd 0_2_022A23A3
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A238A push 233953B7h; iretd 0_2_022A23A3
Source: C:\Users\user\Desktop\RFQ 35465756.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A0CE1 0_2_022A0CE1
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\RFQ 35465756.exe RDTSC instruction interceptor: First address: 00000000022A1A08 second address: 00000000022A1A08 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6A8036D058h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test ecx, ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F6A8036D039h 0x00000028 push ecx 0x00000029 cmp dh, ah 0x0000002b cmp ebx, A3F7AFB9h 0x00000031 call 00007F6A8036D076h 0x00000036 call 00007F6A8036D068h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\RFQ 35465756.exe RDTSC instruction interceptor: First address: 00000000022A1A08 second address: 00000000022A1A08 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6A8036D058h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test ecx, ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F6A8036D039h 0x00000028 push ecx 0x00000029 cmp dh, ah 0x0000002b cmp ebx, A3F7AFB9h 0x00000031 call 00007F6A8036D076h 0x00000036 call 00007F6A8036D068h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\RFQ 35465756.exe RDTSC instruction interceptor: First address: 00000000022A1ADD second address: 00000000022A1ADD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F6A804AF6A9h 0x0000001d popad 0x0000001e call 00007F6A804AE244h 0x00000023 lfence 0x00000026 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A1ADA rdtsc 0_2_022A1ADA
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\RFQ 35465756.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A1ADA rdtsc 0_2_022A1ADA
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A2AB7 mov eax, dword ptr fs:[00000030h] 0_2_022A2AB7
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A0CE1 mov eax, dword ptr fs:[00000030h] 0_2_022A0CE1
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A2CCE mov eax, dword ptr fs:[00000030h] 0_2_022A2CCE
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A196F mov eax, dword ptr fs:[00000030h] 0_2_022A196F
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A116F mov eax, dword ptr fs:[00000030h] 0_2_022A116F
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A3147 mov eax, dword ptr fs:[00000030h] 0_2_022A3147
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: RFQ 35465756.exe, 00000000.00000002.760072526.0000000000D80000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: RFQ 35465756.exe, 00000000.00000002.760072526.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RFQ 35465756.exe, 00000000.00000002.760072526.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RFQ 35465756.exe, 00000000.00000002.760072526.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\RFQ 35465756.exe Code function: 0_2_022A295F cpuid 0_2_022A295F
Behavior Graph

Behavior Graph ID: 412180
Sample: RFQ 35465756.exe
Startdate: 12/05/2021
Architecture: WINDOWS
Score: 92
Signatures shown in graph: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 6 other signatures
Process started: RFQ 35465756.exe
No contacted IP infos