Loading ...

Play interactive tourEdit tour

Analysis Report Facturas Pagadas Al Vencimiento.exe

Overview

General Information

Sample Name:Facturas Pagadas Al Vencimiento.exe
Analysis ID:431502
MD5:882a1c19dc7f3ac4fadac702125649c0
SHA1:9566eae6967084d05f21d614686eaa28a3b66a8d
SHA256:ebf355b0e58fcf5b9cf1718b6fd09003932fe3b7ed5b08ffc9ac2f987e0d189d
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1j7lPzKHjaJ361TpkvK1-2kTy_ducVUTL"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Facturas Pagadas Al Vencimiento.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: Facturas Pagadas Al Vencimiento.exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1j7lPzKHjaJ361TpkvK1-2kTy_ducVUTL"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: Facturas Pagadas Al Vencimiento.exeVirustotal: Detection: 52%Perma Link
    Source: Facturas Pagadas Al Vencimiento.exeReversingLabs: Detection: 30%
    Source: Facturas Pagadas Al Vencimiento.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1j7lPzKHjaJ361TpkvK1-2kTy_ducVUTL

    System Summary:

    barindex
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4A6F0_2_024C4A6F
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C34250_2_024C3425
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C34230_2_024C3423
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4C230_2_024C4C23
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4C350_2_024C4C35
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C40EA0_2_024C40EA
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C349D0_2_024C349D
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024CA5550_2_024CA555
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4B0E0_2_024C4B0E
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C49300_2_024C4930
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C49C80_2_024C49C8
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024D0D8D0_2_024D0D8D
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C49830_2_024C4983
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4B9A0_2_024C4B9A
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4BA20_2_024C4BA2
    Source: Facturas Pagadas Al Vencimiento.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.646223178.0000000000424000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameKoordineredes.exe vs Facturas Pagadas Al Vencimiento.exe
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168544909.00000000022C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Facturas Pagadas Al Vencimiento.exe
    Source: Facturas Pagadas Al Vencimiento.exeBinary or memory string: OriginalFilenameKoordineredes.exe vs Facturas Pagadas Al Vencimiento.exe
    Source: Facturas Pagadas Al Vencimiento.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal92.rans.troj.evad.winEXE@1/0@0/0
    Source: Facturas Pagadas Al Vencimiento.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: Facturas Pagadas Al Vencimiento.exeVirustotal: Detection: 52%
    Source: Facturas Pagadas Al Vencimiento.exeReversingLabs: Detection: 30%

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: Facturas Pagadas Al Vencimiento.exe, type: SAMPLE
    Source: Yara matchFile source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040C88E push esi; iretd 0_2_0040C890
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_00409C9A pushfd ; retf 0_2_00409C9E
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040C4A6 pushfd ; retf 0_2_0040C4A9
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_004050B3 push edi; iretd 0_2_00405165
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040CE7A pushfd ; ret 0_2_0040CE85
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040CADE push esi; iretd 0_2_0040CAE8
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040CAE9 push esi; iretd 0_2_0040CB08
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040A2F6 push esi; iretd 0_2_0040A300
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040CE86 push esp; ret 0_2_0040CE89
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040A356 push esi; iretd 0_2_0040A358
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040C7F8 push cs; ret 0_2_0040C88D
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_004087FB push ebp; iretd 0_2_004087FD
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C08EC push edi; retf 0_2_024C08ED
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C09F6 push es; ret 0_2_024C09F8
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024D0D8D 0_2_024D0D8D
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeRDTSC instruction interceptor: First address: 00000000024CF386 second address: 00000000024CF386 instructions:
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeRDTSC instruction interceptor: First address: 00000000024C0A8B second address: 00000000024C0A8B instructions:
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeRDTSC instruction interceptor: First address: 00000000024CF386 second address: 00000000024CF386 instructions:
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeRDTSC instruction interceptor: First address: 00000000024C0A66 second address: 00000000024C0A8B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 22DF60AAh 0x00000008 test dx, dx 0x0000000b push 3FAA25DDh 0x00000010 cmp ebx, B089EE68h 0x00000016 push 988351A5h 0x0000001b test ax, 00009A75h 0x0000001f push 541CB5A6h 0x00000024 pushad 0x00000025 rdtsc
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeRDTSC instruction interceptor: First address: 00000000024C0A8B second address: 00000000024C0A8B instructions:
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeRDTSC instruction interceptor: First address: 00000000024C9D4C second address: 00000000024C9D4C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 049510E3h 0x00000007 xor eax, 4F70CED7h 0x0000000c xor eax, 2D367B3Ch 0x00000011 add eax, 992C5AF9h 0x00000016 cpuid 0x00000018 jmp 00007F788CBA4ADEh 0x0000001a test dh, bh 0x0000001c popad 0x0000001d call 00007F788CBA4B14h 0x00000022 lfence 0x00000025 mov edx, D77D1D8Eh 0x0000002a add edx, 01BEBE33h 0x00000030 xor edx, A8C558E2h 0x00000036 xor edx, 0E008337h 0x0000003c mov edx, dword ptr [edx] 0x0000003e lfence 0x00000041 ret 0x00000042 sub edx, esi 0x00000044 ret 0x00000045 test ecx, ecx 0x00000047 pop ecx 0x00000048 add edi, edx 0x0000004a dec ecx 0x0000004b cmp ecx, 00000000h 0x0000004e jne 00007F788CBA4A62h 0x00000050 test ebx, ecx 0x00000052 mov dword ptr [ebp+000001F7h], esi 0x00000058 mov esi, ecx 0x0000005a pushad 0x0000005b mov cl, 3Fh 0x0000005d cmp cl, 0000003Fh 0x00000060 jne 00007F788CBA48FDh 0x00000066 popad 0x00000067 push esi 0x00000068 mov esi, dword ptr [ebp+000001F7h] 0x0000006e cmp bh, ch 0x00000070 call 00007F788CBA4B10h 0x00000075 call 00007F788CBA4B85h 0x0000007a lfence 0x0000007d mov edx, D77D1D8Eh 0x00000082 add edx, 01BEBE33h 0x00000088 xor edx, A8C558E2h 0x0000008e xor edx, 0E008337h 0x00000094 mov edx, dword ptr [edx] 0x00000096 lfence 0x00000099 ret 0x0000009a mov esi, edx 0x0000009c pushad 0x0000009d rdtsc
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4058 rdtsc 0_2_024C4058
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4058 rdtsc 0_2_024C4058
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024CF080 mov eax, dword ptr fs:[00000030h]0_2_024CF080
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C9ABD mov eax, dword ptr fs:[00000030h]0_2_024C9ABD
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024CF7E2 mov eax, dword ptr fs:[00000030h]0_2_024CF7E2
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024D0D8D mov eax, dword ptr fs:[00000030h]0_2_024D0D8D
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery31Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.