Analysis Report Facturas Pagadas Al Vencimiento.exe

Overview

General Information

Sample Name: Facturas Pagadas Al Vencimiento.exe
Analysis ID: 431502
MD5: 882a1c19dc7f3ac4fadac702125649c0
SHA1: 9566eae6967084d05f21d614686eaa28a3b66a8d
SHA256: ebf355b0e58fcf5b9cf1718b6fd09003932fe3b7ed5b08ffc9ac2f987e0d189d
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: Facturas Pagadas Al Vencimiento.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1j7lPzKHjaJ361TpkvK1-2kTy_ducVUTL"}
Multi AV Scanner detection for submitted file
Source: Facturas Pagadas Al Vencimiento.exe Virustotal: Detection: 52% Perma Link
Source: Facturas Pagadas Al Vencimiento.exe ReversingLabs: Detection: 30%

Compliance:

barindex
Uses 32bit PE files
Source: Facturas Pagadas Al Vencimiento.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1j7lPzKHjaJ361TpkvK1-2kTy_ducVUTL

System Summary:

barindex
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C4A6F 0_2_024C4A6F
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C3425 0_2_024C3425
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C3423 0_2_024C3423
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C4C23 0_2_024C4C23
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C4C35 0_2_024C4C35
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C40EA 0_2_024C40EA
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C349D 0_2_024C349D
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024CA555 0_2_024CA555
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C4B0E 0_2_024C4B0E
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C4930 0_2_024C4930
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C49C8 0_2_024C49C8
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024D0D8D 0_2_024D0D8D
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C4983 0_2_024C4983
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C4B9A 0_2_024C4B9A
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C4BA2 0_2_024C4BA2
PE file contains strange resources
Source: Facturas Pagadas Al Vencimiento.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.646223178.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameKoordineredes.exe vs Facturas Pagadas Al Vencimiento.exe
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168544909.00000000022C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Facturas Pagadas Al Vencimiento.exe
Source: Facturas Pagadas Al Vencimiento.exe Binary or memory string: OriginalFilenameKoordineredes.exe vs Facturas Pagadas Al Vencimiento.exe
Uses 32bit PE files
Source: Facturas Pagadas Al Vencimiento.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal92.rans.troj.evad.winEXE@1/0@0/0
Source: Facturas Pagadas Al Vencimiento.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Facturas Pagadas Al Vencimiento.exe Virustotal: Detection: 52%
Source: Facturas Pagadas Al Vencimiento.exe ReversingLabs: Detection: 30%

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: Facturas Pagadas Al Vencimiento.exe, type: SAMPLE
Source: Yara match File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040C88E push esi; iretd 0_2_0040C890
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_00409C9A pushfd ; retf 0_2_00409C9E
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040C4A6 pushfd ; retf 0_2_0040C4A9
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_004050B3 push edi; iretd 0_2_00405165
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040CE7A pushfd ; ret 0_2_0040CE85
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040CADE push esi; iretd 0_2_0040CAE8
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040CAE9 push esi; iretd 0_2_0040CB08
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040A2F6 push esi; iretd 0_2_0040A300
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040CE86 push esp; ret 0_2_0040CE89
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040A356 push esi; iretd 0_2_0040A358
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040C7F8 push cs; ret 0_2_0040C88D
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_004087FB push ebp; iretd 0_2_004087FD
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C08EC push edi; retf 0_2_024C08ED
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C09F6 push es; ret 0_2_024C09F8
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024D0D8D 0_2_024D0D8D
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe RDTSC instruction interceptor: First address: 00000000024CF386 second address: 00000000024CF386 instructions:
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe RDTSC instruction interceptor: First address: 00000000024C0A8B second address: 00000000024C0A8B instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe RDTSC instruction interceptor: First address: 00000000024CF386 second address: 00000000024CF386 instructions:
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe RDTSC instruction interceptor: First address: 00000000024C0A66 second address: 00000000024C0A8B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 22DF60AAh 0x00000008 test dx, dx 0x0000000b push 3FAA25DDh 0x00000010 cmp ebx, B089EE68h 0x00000016 push 988351A5h 0x0000001b test ax, 00009A75h 0x0000001f push 541CB5A6h 0x00000024 pushad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe RDTSC instruction interceptor: First address: 00000000024C0A8B second address: 00000000024C0A8B instructions:
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe RDTSC instruction interceptor: First address: 00000000024C9D4C second address: 00000000024C9D4C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 049510E3h 0x00000007 xor eax, 4F70CED7h 0x0000000c xor eax, 2D367B3Ch 0x00000011 add eax, 992C5AF9h 0x00000016 cpuid 0x00000018 jmp 00007F788CBA4ADEh 0x0000001a test dh, bh 0x0000001c popad 0x0000001d call 00007F788CBA4B14h 0x00000022 lfence 0x00000025 mov edx, D77D1D8Eh 0x0000002a add edx, 01BEBE33h 0x00000030 xor edx, A8C558E2h 0x00000036 xor edx, 0E008337h 0x0000003c mov edx, dword ptr [edx] 0x0000003e lfence 0x00000041 ret 0x00000042 sub edx, esi 0x00000044 ret 0x00000045 test ecx, ecx 0x00000047 pop ecx 0x00000048 add edi, edx 0x0000004a dec ecx 0x0000004b cmp ecx, 00000000h 0x0000004e jne 00007F788CBA4A62h 0x00000050 test ebx, ecx 0x00000052 mov dword ptr [ebp+000001F7h], esi 0x00000058 mov esi, ecx 0x0000005a pushad 0x0000005b mov cl, 3Fh 0x0000005d cmp cl, 0000003Fh 0x00000060 jne 00007F788CBA48FDh 0x00000066 popad 0x00000067 push esi 0x00000068 mov esi, dword ptr [ebp+000001F7h] 0x0000006e cmp bh, ch 0x00000070 call 00007F788CBA4B10h 0x00000075 call 00007F788CBA4B85h 0x0000007a lfence 0x0000007d mov edx, D77D1D8Eh 0x00000082 add edx, 01BEBE33h 0x00000088 xor edx, A8C558E2h 0x0000008e xor edx, 0E008337h 0x00000094 mov edx, dword ptr [edx] 0x00000096 lfence 0x00000099 ret 0x0000009a mov esi, edx 0x0000009c pushad 0x0000009d rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C4058 rdtsc 0_2_024C4058
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C4058 rdtsc 0_2_024C4058
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024CF080 mov eax, dword ptr fs:[00000030h] 0_2_024CF080
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024C9ABD mov eax, dword ptr fs:[00000030h] 0_2_024C9ABD
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024CF7E2 mov eax, dword ptr fs:[00000030h] 0_2_024CF7E2
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_024D0D8D mov eax, dword ptr fs:[00000030h] 0_2_024D0D8D
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 431502 Sample: Facturas Pagadas Al Vencimi... Startdate: 08/06/2021 Architecture: WINDOWS Score: 92 7 Potential malicious icon found 2->7 9 Found malware configuration 2->9 11 Multi AV Scanner detection for submitted file 2->11 13 6 other signatures 2->13 5 Facturas Pagadas Al Vencimiento.exe 2->5         started        process3
No contacted IP infos