Analysis Report 2FQhmYZME4.exe

Overview

General Information

Sample Name: 2FQhmYZME4.exe
Analysis ID: 431752
MD5: 196b3c910b8d74c5916029f6eb037d5d
SHA1: 37968cade61e54ce0c4ec24e83c35fadd583019f
SHA256: 4f6b4079a3f1b56421cbca34d112ba6a867ff8a6bd706010bfe931ac6d635361
Tags: exe, GuLoader

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.1168698485.0000000002C00000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://myurl/myfile.bin"}
Multi AV Scanner detection for submitted file
Source: 2FQhmYZME4.exe Virustotal: Detection: 26%

Compliance:

Uses 32bit PE files
Source: 2FQhmYZME4.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://myurl/myfile.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 2FQhmYZME4.exe, 00000001.00000002.1167821842.00000000006AA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C06AA2 NtAllocateVirtualMemory, 1_2_02C06AA2
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C06AA7 NtAllocateVirtualMemory, 1_2_02C06AA7
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C06BB7 NtAllocateVirtualMemory, 1_2_02C06BB7
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C06B1B NtAllocateVirtualMemory, 1_2_02C06B1B
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C06CCD NtAllocateVirtualMemory, 1_2_02C06CCD
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C06C71 NtAllocateVirtualMemory, 1_2_02C06C71
Detected potential crypto function
PE file contains strange resources
Source: 2FQhmYZME4.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 2FQhmYZME4.exe, 00000001.00000002.1168321386.00000000023C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 2FQhmYZME4.exe
Source: 2FQhmYZME4.exe, 00000001.00000002.1167671564.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameChanneled1.exe vs 2FQhmYZME4.exe
Source: 2FQhmYZME4.exe Binary or memory string: OriginalFilenameChanneled1.exe vs 2FQhmYZME4.exe
Uses 32bit PE files
Source: 2FQhmYZME4.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal92.rans.troj.evad.winEXE@1/0@0/0
Source: 2FQhmYZME4.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2FQhmYZME4.exe Virustotal: Detection: 26%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 2FQhmYZME4.exe, type: SAMPLE
Source: Yara match File source: 00000001.00000000.645109161.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1167637296.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 1.0.2FQhmYZME4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.2FQhmYZME4.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_00409E58 push eax; retf 1_2_00409E61
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_00406826 push ebx; ret 1_2_00406830
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_004094F4 pushfd ; ret 1_2_004094F5
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_00408355 push edx; ret 1_2_0040835C
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_00408B1F push edx; ret 1_2_00408B58
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_00406580 push ebx; retf 1_2_00406590
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_004031A9 push dword ptr [ebp-44h]; ret 1_2_0041EC24
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\2FQhmYZME4.exe RDTSC instruction interceptor: First address: 0000000002C09FB8 second address: 0000000002C09FB8 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\2FQhmYZME4.exe RDTSC instruction interceptor: First address: 0000000002C098FF second address: 0000000002C098FF instructions:
0x00000000 rdtsc
0x00000002 lfence
0x00000005 shl edx, 20h
0x00000008 or edx, eax
0x0000000a popad
0x0000000b mov byte ptr [edx+ecx], al
0x0000000e inc ecx
0x0000000f jne 00007F366037329Dh
0x00000011 mov al, byte ptr [edx+ecx]
0x00000014 add ebx, esi
0x00000016 xor al, byte ptr [ebx]
0x00000018 sub ebx, esi
0x0000001a inc ebx
0x0000001b jne 00007F36603732C6h
0x0000001d pushad
0x0000001e lfence
0x00000021 rdtsc
Source: C:\Users\user\Desktop\2FQhmYZME4.exe RDTSC instruction interceptor: First address: 0000000002C09CD6 second address: 0000000002C09CD6 instructions:
0x00000000 rdtsc
0x00000002 mov eax, 35C87548h
0x00000007 xor eax, 95C7301Ch
0x0000000c add eax, 0F544615h
0x00000011 add eax, 509C7498h
0x00000016 cpuid
0x00000018 jmp 00007F36603732FAh
0x0000001a cmp cl, cl
0x0000001c popad
0x0000001d call 00007F36603732C8h
0x00000022 lfence
0x00000025 mov edx, D838CC93h
0x0000002a add edx, 4B48768Eh
0x00000030 add edx, CBB48C4Bh
0x00000036 xor edx, 90CBCF78h
0x0000003c mov edx, dword ptr [edx]
0x0000003e lfence
0x00000041 jmp 00007F36603732FAh
0x00000043 cmp edx, C46AF604h
0x00000049 ret
0x0000004a sub edx, esi
0x0000004c ret
0x0000004d cmp bx, bx
0x00000050 add edi, edx
0x00000052 dec dword ptr [ebp+000000F8h]
0x00000058 cmp dword ptr [ebp+000000F8h], 00000000h
0x0000005f jne 00007F36603732A9h
0x00000061 call 00007F3660373322h
0x00000066 call 00007F3660373325h
0x0000006b lfence
0x0000006e mov edx, D838CC93h
0x00000073 add edx, 4B48768Eh
0x00000079 add edx, CBB48C4Bh
0x0000007f xor edx, 90CBCF78h
0x00000085 mov edx, dword ptr [edx]
0x00000087 lfence
0x0000008a jmp 00007F36603732FAh
0x0000008c cmp edx, C46AF604h
0x00000092 ret
0x00000093 mov esi, edx
0x00000095 pushad
0x00000096 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C0B6C1 rdtsc 1_2_02C0B6C1
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C0B6C1 rdtsc 1_2_02C0B6C1
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C0A6F1 mov eax, dword ptr fs:[00000030h] 1_2_02C0A6F1
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C0A6A5 mov eax, dword ptr fs:[00000030h] 1_2_02C0A6A5
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C0A6AA mov eax, dword ptr fs:[00000030h] 1_2_02C0A6AA
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C0A63C mov eax, dword ptr fs:[00000030h] 1_2_02C0A63C
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C08FC3 mov eax, dword ptr fs:[00000030h] 1_2_02C08FC3
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C037D5 mov eax, dword ptr fs:[00000030h] 1_2_02C037D5
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C0A6A5 mov eax, dword ptr fs:[00000030h] 1_2_02C0A6A5
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C0A796 mov eax, dword ptr fs:[00000030h] 1_2_02C0A796
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C0A752 mov eax, dword ptr fs:[00000030h] 1_2_02C0A752
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C044EA mov eax, dword ptr fs:[00000030h] 1_2_02C044EA
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C09956 mov eax, dword ptr fs:[00000030h] 1_2_02C09956
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C06570 mov eax, dword ptr fs:[00000030h] 1_2_02C06570
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C04515 mov eax, dword ptr fs:[00000030h] 1_2_02C04515
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: 2FQhmYZME4.exe, 00000001.00000002.1167862225.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: 2FQhmYZME4.exe, 00000001.00000002.1167862225.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: 2FQhmYZME4.exe, 00000001.00000002.1167862225.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: 2FQhmYZME4.exe, 00000001.00000002.1167862225.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\2FQhmYZME4.exe Code function: 1_2_02C09968 cpuid 1_2_02C09968
No contacted IP infos