Analysis Report vbc.exe.vir

Overview

General Information

Sample Name: vbc.exe.vir (renamed file extension from vir to exe)
Analysis ID: 430987
MD5: 788016c9072423914b96f0d15a61812d
SHA1: 040f85b4ef512bb74990becfa1a5029f92eb65c7
SHA256: df34f3d4030a5ea484108271f749ca5fbc3af0f415051e98b342a505c88971e4

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: vbc.exe.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://bara-seck.com/bin_YIuwAXdc211.bin, https://wizumiya.co.jp/html/user_data/"}

Compliance:

Uses 32bit PE files
Source: vbc.exe.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://bara-seck.com/bin_YIuwAXdc211.bin, https://wizumiya.co.jp/html/user_data/

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\vbc.exe.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\vbc.exe.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\Desktop\vbc.exe.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_0046699A NtAllocateVirtualMemory, 0_2_0046699A
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00466C02 NtAllocateVirtualMemory, 0_2_00466C02
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_004669E4 NtAllocateVirtualMemory, 0_2_004669E4
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_004669AE NtAllocateVirtualMemory, 0_2_004669AE
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00466A34 NtAllocateVirtualMemory, 0_2_00466A34
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00466AD4 NtAllocateVirtualMemory, 0_2_00466AD4
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00466A99 NtAllocateVirtualMemory, 0_2_00466A99
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00466B59 NtAllocateVirtualMemory, 0_2_00466B59
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00466BCC NtAllocateVirtualMemory, 0_2_00466BCC
Detected potential crypto function
PE file contains strange resources
Source: vbc.exe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: vbc.exe.exe, 00000000.00000002.3175842448.0000000000330000.00000008.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs vbc.exe.exe
Source: vbc.exe.exe, 00000000.00000000.2095192138.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSuperintellectually.exe vs vbc.exe.exe
Source: vbc.exe.exe Binary or memory string: OriginalFilenameSuperintellectually.exe vs vbc.exe.exe
Uses 32bit PE files
Source: vbc.exe.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0
Source: vbc.exe.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vbc.exe.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\vbc.exe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: vbc.exe.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.2095163938.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3175874940.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.0.vbc.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vbc.exe.exe.400000.1.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00403112 push dword ptr [ebp-44h]; ret 0_2_0041ECC4
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_0046A965 push eax; ret 0_2_0046A956
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00464A3C push AFBDCFF2h; iretd 0_2_00464A2E
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00467F05 push edx; ret 0_2_00467F12
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00462B1B push ebp; retf 0_2_00462B0A
Source: C:\Users\user\Desktop\vbc.exe.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00463895 0_2_00463895
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_0046BB26 0_2_0046BB26
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_0046BB2B 0_2_0046BB2B
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\vbc.exe.exe RDTSC instruction interceptor: First address: 0000000000469BBF second address: 0000000000469BBF instructions:
0x00000000 rdtsc
0x00000002 mov eax, 4A1014F8h
0x00000007 xor eax, 91CBACF6h
0x0000000c xor eax, 7F9DE2BDh
0x00000011 xor eax, A4465AB2h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007FCE68367844h
0x0000001e lfence
0x00000021 mov edx, C49425E1h
0x00000026 xor edx, 40636495h
0x0000002c sub edx, D2D01692h
0x00000032 xor edx, CDD92AF6h
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d jmp 00007FCE68367836h
0x0000003f test al, bl
0x00000041 cmp al, E3h
0x00000043 jmp 00007FCE68367836h
0x00000045 cmp ch, 0000006Dh
0x00000048 cmp bh, ah
0x0000004a ret
0x0000004b sub edx, esi
0x0000004d ret
0x0000004e add edi, edx
0x00000050 dec dword ptr [ebp+000000F8h]
0x00000056 cmp dword ptr [ebp+000000F8h], 00000000h
0x0000005d jne 00007FCE683677B4h
0x0000005f jmp 00007FCE68367836h
0x00000061 test ah, ch
0x00000063 call 00007FCE68367826h
0x00000068 call 00007FCE68367865h
0x0000006d lfence
0x00000070 mov edx, C49425E1h
0x00000075 xor edx, 40636495h
0x0000007b sub edx, D2D01692h
0x00000081 xor edx, CDD92AF6h
0x00000087 mov edx, dword ptr [edx]
0x00000089 lfence
0x0000008c jmp 00007FCE68367836h
0x0000008e test al, bl
0x00000090 cmp al, E3h
0x00000092 jmp 00007FCE68367836h
0x00000094 cmp ch, 0000006Dh
0x00000097 cmp bh, ah
0x00000099 ret
0x0000009a mov esi, edx
0x0000009c pushad
0x0000009d rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00468C4F rdtsc 0_2_00468C4F
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\vbc.exe.exe API coverage: 7.0 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\vbc.exe.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00468C4F rdtsc 0_2_00468C4F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00469840 mov eax, dword ptr fs:[00000030h] 0_2_00469840
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00464454 mov eax, dword ptr fs:[00000030h] 0_2_00464454
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00464404 mov eax, dword ptr fs:[00000030h] 0_2_00464404
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_0046642D mov eax, dword ptr fs:[00000030h] 0_2_0046642D
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_0046A4F1 mov eax, dword ptr fs:[00000030h] 0_2_0046A4F1
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00463895 mov eax, dword ptr fs:[00000030h] 0_2_00463895
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00468D1F mov eax, dword ptr fs:[00000030h] 0_2_00468D1F
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_0046A5C8 mov eax, dword ptr fs:[00000030h] 0_2_0046A5C8
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_0046A580 mov eax, dword ptr fs:[00000030h] 0_2_0046A580
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_0046A614 mov eax, dword ptr fs:[00000030h] 0_2_0046A614
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_004643B8 mov eax, dword ptr fs:[00000030h] 0_2_004643B8
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_00463FB8 mov eax, dword ptr fs:[00000030h] 0_2_00463FB8
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: vbc.exe.exe, 00000000.00000002.3175940908.00000000008C0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe.exe, 00000000.00000002.3175940908.00000000008C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe.exe, 00000000.00000002.3175940908.00000000008C0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\vbc.exe.exe Code function: 0_2_0046BB2B cpuid 0_2_0046BB2B
No contacted IP infos