Loading ...

Play interactive tourEdit tour

Analysis Report pansy.exe

Overview

General Information

Sample Name:pansy.exe
Analysis ID:430639
MD5:be5a85f85d011252e63cab4566239280
SHA1:72a8f524a3b449b3c459cdfe4a7b6c1c46b0dcdd
SHA256:057144f38e786ee18295c76f3f06a975fc342358a5d6ba049000ca0fe44e8179
Tags:exeGuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • pansy.exe (PID: 7068 cmdline: 'C:\Users\user\Desktop\pansy.exe' MD5: BE5A85F85D011252E63CAB4566239280)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1k6joaGLkNYxFw0lOjR395hYutsonOF5Q"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
pansy.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: pansy.exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1k6joaGLkNYxFw0lOjR395hYutsonOF5Q"}
    Source: pansy.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1k6joaGLkNYxFw0lOjR395hYutsonOF5Q

    System Summary:

    barindex
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\pansy.exeProcess Stats: CPU usage > 98%
    Source: pansy.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: pansy.exe, 00000000.00000002.1166613915.00000000020B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs pansy.exe
    Source: pansy.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal80.rans.troj.evad.winEXE@1/0@0/0
    Source: pansy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\pansy.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\pansy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: pansy.exe, type: SAMPLE
    Source: Yara matchFile source: 0.2.pansy.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.0.pansy.exe.400000.0.unpack, type: UNPACKEDPE
    Source: C:\Users\user\Desktop\pansy.exeCode function: 0_2_0040662F push ss; ret 0_2_0040662E
    Source: C:\Users\user\Desktop\pansy.exeCode function: 0_2_00406D73 pushfd ; retf 0_2_00406D74
    Source: C:\Users\user\Desktop\pansy.exeCode function: 0_2_00407F0F push 0000005Ah; retf 0_2_00407F1D
    Source: C:\Users\user\Desktop\pansy.exeCode function: 0_2_00406516 push ss; ret 0_2_0040662E
    Source: C:\Users\user\Desktop\pansy.exeCode function: 0_2_0040EBF1 push cs; ret 0_2_0040EBFB
    Source: C:\Users\user\Desktop\pansy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\pansy.exeRDTSC instruction interceptor: First address: 0000000002B6FACE second address: 0000000002B6FACE instructions:
    Source: C:\Users\user\Desktop\pansy.exeRDTSC instruction interceptor: First address: 0000000002B725A5 second address: 0000000002B725A5 instructions:
    Source: C:\Users\user\Desktop\pansy.exeRDTSC instruction interceptor: First address: 0000000002B69737 second address: 0000000002B697D9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov edi, dword ptr [ebp+0000017Fh] 0x00000010 push cx 0x00000012 mov cx, 7167h 0x00000016 pop cx 0x00000018 cmp di, 3711h 0x0000001d call 00007F78F49BFB7Dh 0x00000022 call 00007F78F49BFB84h 0x00000027 lfence 0x0000002a mov edx, 464DB255h 0x0000002f xor edx, 60CB488Eh 0x00000035 xor edx, A32252D0h 0x0000003b xor edx, FA5AA81Fh 0x00000041 mov edx, dword ptr [edx] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\pansy.exeRDTSC instruction interceptor: First address: 0000000002B6FACE second address: 0000000002B6FACE instructions:
    Source: C:\Users\user\Desktop\pansy.exeRDTSC instruction interceptor: First address: 0000000002B725A5 second address: 0000000002B725A5 instructions:
    Source: C:\Users\user\Desktop\pansy.exeRDTSC instruction interceptor: First address: 0000000002B69737 second address: 0000000002B697D9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov edi, dword ptr [ebp+0000017Fh] 0x00000010 push cx 0x00000012 mov cx, 7167h 0x00000016 pop cx 0x00000018 cmp di, 3711h 0x0000001d call 00007F78F49BFB7Dh 0x00000022 call 00007F78F49BFB84h 0x00000027 lfence 0x0000002a mov edx, 464DB255h 0x0000002f xor edx, 60CB488Eh 0x00000035 xor edx, A32252D0h 0x0000003b xor edx, FA5AA81Fh 0x00000041 mov edx, dword ptr [edx] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\pansy.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: pansy.exe, 00000000.00000002.1166514064.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: pansy.exe, 00000000.00000002.1166514064.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: pansy.exe, 00000000.00000002.1166514064.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: pansy.exe, 00000000.00000002.1166514064.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery3Remote ServicesData from Local SystemExfiltration Over Other Network MediumApplication Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery21Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.