Analysis Report pansy.exe

Overview

General Information

Sample Name: pansy.exe
Analysis ID: 430639
MD5: be5a85f85d011252e63cab4566239280
SHA1: 72a8f524a3b449b3c459cdfe4a7b6c1c46b0dcdd
SHA256: 057144f38e786ee18295c76f3f06a975fc342358a5d6ba049000ca0fe44e8179
Tags: exe, GuLoader

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: pansy.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1k6joaGLkNYxFw0lOjR395hYutsonOF5Q"}

Compliance:

Uses 32bit PE files
Source: pansy.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1k6joaGLkNYxFw0lOjR395hYutsonOF5Q
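
Added example (not part of the sandbox report, and not code from the GuLoader sample or from the analysis tool): turning the extracted payload URL into a proxy-log hunt. Google Drive direct-download links have the form https://drive.google.com/uc?export=download&id=<file id>, with the query parameters in either order, so the helper below normalises a URL to its file id and matches log lines on the id rather than on the literal string from the configuration. The proxy log lines are constructed for the example; the log layout (timestamp, client, method, URL, status) and the two confidence labels are assumptions, not a format the report describes.

```python
"""Hunt proxy logs for the Google Drive direct-download link from a GuLoader config."""
from urllib.parse import urlsplit, parse_qs

# Payload URL taken from the malware configuration in the report above.
CONFIG_PAYLOAD_URL = (
    "https://drive.google.com/uc?export=download&id=1k6joaGLkNYxFw0lOjR395hYutsonOF5Q"
)

# Constructed proxy log (not from the report). Assumed layout: ts client method url status.
SAMPLE_PROXY_LOG = """\
2021-06-01T10:02:11Z 10.0.0.15 GET https://drive.google.com/uc?export=download&id=1k6joaGLkNYxFw0lOjR395hYutsonOF5Q 302
2021-06-01T10:05:40Z 10.0.0.22 GET https://drive.google.com/file/d/1AbCdEfGh/view 200
2021-06-01T10:07:03Z 10.0.0.31 GET https://DRIVE.google.com/uc?id=9zYxWvUt&export=download 302
2021-06-01T10:09:15Z 10.0.0.15 GET https://www.example.com/index.html 200
"""


def drive_file_id(url):
    """Return the file id of a Google Drive direct-download (uc) link, else None.

    Host comparison is case-insensitive and the query is parsed, so parameter
    order, extra parameters and mixed-case hosts do not defeat the match.
    """
    p = urlsplit(url)
    if p.netloc.lower() != "drive.google.com" or p.path.rstrip("/") != "/uc":
        return None
    q = parse_qs(p.query)
    if q.get("export") != ["download"] or "id" not in q:
        return None
    return q["id"][0]


def hunt(log_text, known_ids):
    """Return one hit per direct-download request, labelled by whether the
    file id is one from an extracted configuration (assumed label scheme)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than guess
        ts, client, method, url, status = fields[:5]
        fid = drive_file_id(url)
        if fid is None:
            continue
        hits.append({
            "ts": ts,
            "client": client,
            "file_id": fid,
            "status": status,
            # An exact id match ties the request to this sample's config; any other
            # uc?export=download fetch is the same delivery pattern and worth triage.
            "confidence": "high" if fid in known_ids else "low",
        })
    return hits


if __name__ == "__main__":
    known = {drive_file_id(CONFIG_PAYLOAD_URL)}
    for hit in hunt(SAMPLE_PROXY_LOG, known):
        print(hit)
```

The exact-id match is the actionable hit. The low-confidence bucket exists because legitimate users fetch Drive files through the same link form, so those rows are for triage, not for alerting on their own.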

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\pansy.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: pansy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: pansy.exe, 00000000.00000002.1166613915.00000000020B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs pansy.exe
Uses 32bit PE files
Source: pansy.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0
Source: pansy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pansy.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (Visual Basic 6 runtime)
Source: C:\Users\user\Desktop\pansy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy lookup; also performed by benign processes, so not an indicator on its own)

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: pansy.exe, type: SAMPLE
Source: Yara match File source: 0.2.pansy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.pansy.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\pansy.exe Code function: 0_2_0040662F push ss; ret 0_2_0040662E
Source: C:\Users\user\Desktop\pansy.exe Code function: 0_2_00406D73 pushfd ; retf 0_2_00406D74
Source: C:\Users\user\Desktop\pansy.exe Code function: 0_2_00407F0F push 0000005Ah; retf 0_2_00407F1D
Source: C:\Users\user\Desktop\pansy.exe Code function: 0_2_00406516 push ss; ret 0_2_0040662E
Source: C:\Users\user\Desktop\pansy.exe Code function: 0_2_0040EBF1 push cs; ret 0_2_0040EBFB
Source: C:\Users\user\Desktop\pansy.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\pansy.exe RDTSC instruction interceptor: First address: 0000000002B6FACE second address: 0000000002B6FACE instructions:
Source: C:\Users\user\Desktop\pansy.exe RDTSC instruction interceptor: First address: 0000000002B725A5 second address: 0000000002B725A5 instructions:
Source: C:\Users\user\Desktop\pansy.exe RDTSC instruction interceptor: First address: 0000000002B69737 second address: 0000000002B697D9 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a mov edi, dword ptr [ebp+0000017Fh]
    0x00000010 push cx
    0x00000012 mov cx, 7167h
    0x00000016 pop cx
    0x00000018 cmp di, 3711h
    0x0000001d call 00007F78F49BFB7Dh
    0x00000022 call 00007F78F49BFB84h
    0x00000027 lfence
    0x0000002a mov edx, 464DB255h
    0x0000002f xor edx, 60CB488Eh
    0x00000035 xor edx, A32252D0h
    0x0000003b xor edx, FA5AA81Fh
    0x00000041 mov edx, dword ptr [edx]
    0x00000043 lfence
    0x00000046 ret
    0x00000047 mov esi, edx
    0x00000049 pushad
    0x0000004a rdtsc
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\pansy.exe RDTSC instruction interceptor: First address: 0000000002B6FACE second address: 0000000002B6FACE instructions:
Source: C:\Users\user\Desktop\pansy.exe RDTSC instruction interceptor: First address: 0000000002B725A5 second address: 0000000002B725A5 instructions:
Source: C:\Users\user\Desktop\pansy.exe RDTSC instruction interceptor: First address: 0000000002B69737 second address: 0000000002B697D9 instructions: same sequence as listed under "Detected RDTSC dummy instruction sequence" above
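
Added example (not part of the sandbox report, and not code from the sample or from the analysis tool), covering both the "Detected RDTSC dummy instruction sequence" and "Tries to detect virtualization through RDTSC time measurements" signatures: a Python helper that parses the run-together interceptor listing for the 02B69737 entry, locates the rdtsc ... cpuid ... rdtsc timing window, and folds the mov/xor immediate chain to recover the pointer the loop dereferences. The chain 464DB255h ^ 60CB488Eh ^ A32252D0h ^ FA5AA81Fh resolves to 7FFE0014h, which lies inside the KUSER_SHARED_DATA page that Windows maps read-only at 7FFE0000h in every user-mode process, at the offset of the SystemTime field, so the loop is comparing the TSC delta against the kernel-maintained wall clock rather than relying on rdtsc alone. The address-to-field labelling is an analyst's annotation from the Windows structure layout, not something the report states; the listing text is transcribed from the report entry.

```python
"""Parse a flattened RDTSC-interceptor listing and resolve XOR-obfuscated pointers."""
import re
from dataclasses import dataclass

# Constructed input: the 02B69737 -> 02B697D9 interceptor entry from the report above,
# transcribed as the single run-together line the report prints.
LISTING = (
    "0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid "
    "0x00000009 popad 0x0000000a mov edi, dword ptr [ebp+0000017Fh] "
    "0x00000010 push cx 0x00000012 mov cx, 7167h 0x00000016 pop cx "
    "0x00000018 cmp di, 3711h 0x0000001d call 00007F78F49BFB7Dh "
    "0x00000022 call 00007F78F49BFB84h 0x00000027 lfence "
    "0x0000002a mov edx, 464DB255h 0x0000002f xor edx, 60CB488Eh "
    "0x00000035 xor edx, A32252D0h 0x0000003b xor edx, FA5AA81Fh "
    "0x00000041 mov edx, dword ptr [edx] 0x00000043 lfence 0x00000046 ret "
    "0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc"
)

# Windows maps KUSER_SHARED_DATA read-only at this address in every user-mode process;
# the KSYSTEM_TIME fields start at these offsets (analyst annotation, not from the report).
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {0x08: "InterruptTime", 0x14: "SystemTime"}


@dataclass
class Insn:
    off: int
    mnem: str
    ops: list


INSN_RE = re.compile(r"0x([0-9a-fA-F]{8})\s+(.*?)(?=\s+0x[0-9a-fA-F]{8}\s|$)")
IMM_RE = re.compile(r"[0-9A-Fa-f]+h")          # MASM-style hex immediate, e.g. 464DB255h
DEREF_RE = re.compile(r"dword ptr \[(\w+)\]")  # register-indirect load, e.g. dword ptr [edx]


def parse_listing(text):
    """Split 'OFFSET mnemonic operands' runs into Insn records."""
    insns = []
    for m in INSN_RE.finditer(text):
        parts = m.group(2).strip().split(None, 1)
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        insns.append(Insn(int(m.group(1), 16), parts[0].lower(), ops))
    return insns


def imm(op):
    return int(op[:-1], 16) if IMM_RE.fullmatch(op) else None


def rdtsc_timing_window(insns):
    """(first rdtsc offset, last rdtsc offset, mnemonics in between) or None."""
    idx = [i for i, ins in enumerate(insns) if ins.mnem == "rdtsc"]
    if len(idx) < 2:
        return None
    a, b = idx[0], idx[-1]
    return insns[a].off, insns[b].off, [ins.mnem for ins in insns[a + 1:b]]


def resolve_memory_reads(insns):
    """Track mov/xor immediates per register and report every 'mov r, [r2]' whose
    pointer was built purely from immediates. Returns [(offset, resolved address)]."""
    regs, reads = {}, []
    for ins in insns:
        if ins.mnem in ("call", "popad"):          # unknown side effects: forget everything
            regs.clear()
        elif ins.mnem == "cpuid":                  # clobbers eax, ebx, ecx, edx
            for r in ("eax", "ebx", "ecx", "edx"):
                regs.pop(r, None)
        elif ins.mnem == "pop" and ins.ops:
            regs.pop(ins.ops[0], None)
        elif ins.mnem in ("mov", "xor") and len(ins.ops) == 2:
            dst, src = ins.ops
            v = imm(src)
            d = DEREF_RE.fullmatch(src)
            if ins.mnem == "mov" and v is not None:
                regs[dst] = v & 0xFFFFFFFF
            elif ins.mnem == "xor" and v is not None and dst in regs:
                regs[dst] = (regs[dst] ^ v) & 0xFFFFFFFF
            elif ins.mnem == "mov" and d and d.group(1) in regs:
                reads.append((ins.off, regs[d.group(1)]))
                regs.pop(dst, None)                # the loaded value is unknown to us
            else:
                regs.pop(dst, None)                # any other write: value unknown
    return reads


def describe_address(addr):
    if KUSER_SHARED_DATA <= addr < KUSER_SHARED_DATA + 0x1000:
        off = addr - KUSER_SHARED_DATA
        return f"KUSER_SHARED_DATA+0x{off:02x} ({KUSER_FIELDS.get(off, 'offset')})"
    return f"0x{addr:08x}"


def analyze(text):
    insns = parse_listing(text)
    window = rdtsc_timing_window(insns)
    return {
        "instruction_count": len(insns),
        "rdtsc_pair": None if window is None else (window[0], window[1]),
        "serialized_by_cpuid": bool(window) and "cpuid" in window[2],
        "memory_reads": [(off, describe_address(a)) for off, a in resolve_memory_reads(insns)],
    }


if __name__ == "__main__":
    for key, value in analyze(LISTING).items():
        print(f"{key}: {value}")
```

The cpuid between the two rdtsc reads is the serialising instruction of the classic VM timing check; the resolved read of SystemTime inside the same window is what lets the loop compare elapsed TSC cycles against elapsed wall-clock time, which an emulator or an rdtsc interceptor that only adjusts the TSC value will not keep consistent. The register tracker is deliberately conservative: any write it does not understand (including the two calls) discards what it knows, so it only reports pointers it has fully reconstructed.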
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\pansy.exe Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: pansy.exe, 00000000.00000002.1166514064.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: pansy.exe, 00000000.00000002.1166514064.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: pansy.exe, 00000000.00000002.1166514064.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: pansy.exe, 00000000.00000002.1166514064.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IPs: the payload URL from the malware configuration was not fetched during this run (no DNS queries or connections were observed), so the Google Drive link is the only network indicator in this report.