Loading ...

Play interactive tourEdit tour

Analysis Report 2FQhmYZME4.exe

Overview

General Information

Sample Name:2FQhmYZME4.exe
Analysis ID:431752
MD5:196b3c910b8d74c5916029f6eb037d5d
SHA1:37968cade61e54ce0c4ec24e83c35fadd583019f
SHA256:4f6b4079a3f1b56421cbca34d112ba6a867ff8a6bd706010bfe931ac6d635361
Tags:exeGuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • 2FQhmYZME4.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\2FQhmYZME4.exe' MD5: 196B3C910B8D74C5916029F6EB037D5D)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://myurl/myfile.bin"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
2FQhmYZME4.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000001.00000000.645109161.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
      00000001.00000002.1167637296.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        1.0.2FQhmYZME4.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
          1.2.2FQhmYZME4.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: 00000001.00000002.1168698485.0000000002C00000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "http://myurl/myfile.bin"}
            Multi AV Scanner detection for submitted fileShow sources
            Source: 2FQhmYZME4.exeVirustotal: Detection: 26%Perma Link
            Source: 2FQhmYZME4.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: http://myurl/myfile.bin
            Source: 2FQhmYZME4.exe, 00000001.00000002.1167821842.00000000006AA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            System Summary:

            barindex
            Potential malicious icon foundShow sources
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess Stats: CPU usage > 98%
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06AA2 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06AA7 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06BB7 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06B1B NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06CCD NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06AA2 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06C71 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_0040560F
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_00401C10
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06AA2
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05AD5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C056DD
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C012F1
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6F1
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C032F5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C00EF7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C046A1
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6A5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06AA7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C016A9
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6AA
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C072AF
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C066B0
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C09EB3
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C052B7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C066BB
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C04645
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0AA45
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C01E4B
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05A4E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0565F
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03A6A
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C01E6D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0AA7E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0521E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0162D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C07231
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A63C
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C037D5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C037D7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05BE0
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C013E9
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03BEF
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6A5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05B85
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A796
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C053B9
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A7BA
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A752
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05763
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03B66
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0136A
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06F78
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05300
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0AB0D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03B0E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C01729
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0333E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C008C8
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C038C9
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A8D9
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C058E4
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C070E6
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C044EA
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C058F6
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06AA2
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C07085
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0108B
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05099
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C054B0
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C014B5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A842
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C01446
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03846
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C08453
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05C6C
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C07077
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0587D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C01001
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05812
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0543B
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C055C5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C00DCB
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C071CE
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C039D3
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C071D5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0B5E7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C011ED
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C00DFF
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05185
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C07194
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C045A3
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C015AF
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A9B7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C059BD
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A942
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05555
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0B55A
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0395D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C01562
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0B56A
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C01179
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05D06
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A90B
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C04515
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0111D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0AD1E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05923
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05125
            Source: 2FQhmYZME4.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 2FQhmYZME4.exe, 00000001.00000002.1168321386.00000000023C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs 2FQhmYZME4.exe
            Source: 2FQhmYZME4.exe, 00000001.00000002.1167671564.0000000000424000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameChanneled1.exe vs 2FQhmYZME4.exe
            Source: 2FQhmYZME4.exeBinary or memory string: OriginalFilenameChanneled1.exe vs 2FQhmYZME4.exe
            Source: 2FQhmYZME4.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: classification engineClassification label: mal92.rans.troj.evad.winEXE@1/0@0/0
            Source: 2FQhmYZME4.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 2FQhmYZME4.exeVirustotal: Detection: 26%

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 2FQhmYZME4.exe, type: SAMPLE
            Source: Yara matchFile source: 00000001.00000000.645109161.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1167637296.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 1.0.2FQhmYZME4.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.2FQhmYZME4.exe.400000.0.unpack, type: UNPACKEDPE
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_00409E58 push eax; retf
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_00406826 push ebx; ret
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_004094F4 pushfd ; ret
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_00408355 push edx; ret
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_00408B1F push edx; ret
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_00406580 push ebx; retf
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_004031A9 push dword ptr [ebp-44h]; ret
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            barindex
            Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C032F5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6A5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C052B7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03A6A
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0521E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C037D5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C037D7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6A5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05300
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C038C9
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05099
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03846
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C08453
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C00DCB
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C039D3
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05185
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0AD9B
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0395D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0AD1E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05125
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeRDTSC instruction interceptor: First address: 0000000002C09FB8 second address: 0000000002C09FB8 instructions:
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeRDTSC instruction interceptor: First address: 0000000002C098FF second address: 0000000002C098FF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov byte ptr [edx+ecx], al 0x0000000e inc ecx 0x0000000f jne 00007F366037329Dh 0x00000011 mov al, byte ptr [edx+ecx] 0x00000014 add ebx, esi 0x00000016 xor al, byte ptr [ebx] 0x00000018 sub ebx, esi 0x0000001a inc ebx 0x0000001b jne 00007F36603732C6h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeRDTSC instruction interceptor: First address: 0000000002C09FB8 second address: 0000000002C09FB8 instructions:
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeRDTSC instruction interceptor: First address: 0000000002C09CD6 second address: 0000000002C09CD6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 35C87548h 0x00000007 xor eax, 95C7301Ch 0x0000000c add eax, 0F544615h 0x00000011 add eax, 509C7498h 0x00000016 cpuid 0x00000018 jmp 00007F36603732FAh 0x0000001a cmp cl, cl 0x0000001c popad 0x0000001d call 00007F36603732C8h 0x00000022 lfence 0x00000025 mov edx, D838CC93h 0x0000002a add edx, 4B48768Eh 0x00000030 add edx, CBB48C4Bh 0x00000036 xor edx, 90CBCF78h 0x0000003c mov edx, dword ptr [edx] 0x0000003e lfence 0x00000041 jmp 00007F36603732FAh 0x00000043 cmp edx, C46AF604h 0x00000049 ret 0x0000004a sub edx, esi 0x0000004c ret 0x0000004d cmp bx, bx 0x00000050 add edi, edx 0x00000052 dec dword ptr [ebp+000000F8h] 0x00000058 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005f jne 00007F36603732A9h 0x00000061 call 00007F3660373322h 0x00000066 call 00007F3660373325h 0x0000006b lfence 0x0000006e mov edx, D838CC93h 0x00000073 add edx, 4B48768Eh 0x00000079 add edx, CBB48C4Bh 0x0000007f xor edx, 90CBCF78h 0x00000085 mov edx, dword ptr [edx] 0x00000087 lfence 0x0000008a jmp 00007F36603732FAh 0x0000008c cmp edx, C46AF604h 0x00000092 ret 0x00000093 mov esi, edx 0x00000095 pushad 0x00000096 rdtsc
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0B6C1 rdtsc
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

            Anti Debugging:

            barindex
            Found potential dummy code loops (likely to delay analysis)Show sources
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess Stats: CPU usage > 90% for more than 60s
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0B6C1 rdtsc
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6AA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A63C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C08FC3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C037D5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A796 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A752 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C044EA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C09956 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06570 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C04515 mov eax, dword ptr fs:[00000030h]
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: 2FQhmYZME4.exe, 00000001.00000002.1167862225.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: 2FQhmYZME4.exe, 00000001.00000002.1167862225.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: 2FQhmYZME4.exe, 00000001.00000002.1167862225.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: 2FQhmYZME4.exe, 00000001.00000002.1167862225.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C09968 cpuid

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11Input Capture1Security Software Discovery41Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery311Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.

            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            2FQhmYZME4.exe26%VirustotalBrowse

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://myurl/myfile.bin0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            http://myurl/myfile.bintrue
            • Avira URL Cloud: safe
            low

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:32.0.0 Black Diamond
            Analysis ID:431752
            Start date:09.06.2021
            Start time:08:48:15
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 7m 32s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:2FQhmYZME4.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:19
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal92.rans.troj.evad.winEXE@1/0@0/0
            EGA Information:Failed
            HDC Information:Failed
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            • Override analysis time to 240s for sample files taking high CPU consumption
            Warnings:
            Show All
            • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            No created / dropped files found

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):5.650237570705559
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.15%
            • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:2FQhmYZME4.exe
            File size:147456
            MD5:196b3c910b8d74c5916029f6eb037d5d
            SHA1:37968cade61e54ce0c4ec24e83c35fadd583019f
            SHA256:4f6b4079a3f1b56421cbca34d112ba6a867ff8a6bd706010bfe931ac6d635361
            SHA512:94197b2135bf0317494a30c1e800b3dba1fcc0a76299627f2361cfadafbf245dca47b8abbe9530d94f1b65013d5eccffe1e11af241c44425870553be6660d95c
            SSDEEP:1536:IFXJHkDZ+2HdXrK5feyoSP+6a3bQQ6GaXSt4lY5YGw12IjqQRsk:CJiUEXrKIIPcl6o4lBGw12IuMsk
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......M.....................0............... ....@................

            File Icon

            Icon Hash:20047c7c70f0e004

            Static PE Info

            General

            Entrypoint:0x401c10
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            DLL Characteristics:
            Time Stamp:0x4DF9EBE1 [Thu Jun 16 11:41:21 2011 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:9b8686288ab82fdbf8ede30bc55c83b7

            Entrypoint Preview

            Instruction
            push 00401FE0h
            call 00007F3660A839B5h
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            xor byte ptr [eax], al
            add byte ptr [eax], al
            inc eax
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax-79h], bh
            daa
            mov ecx, 458AEB90h
            xchg eax, esp
            mov ecx, 6720C397h
            lodsb
            sbb al, byte ptr [eax]
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [ecx], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add al, bh
            je 00007F3660A839BBh
            add dh, byte ptr [esi+61h]
            outsb
            jbe 00007F3660A83A35h
            imul esi, dword ptr [ebx+76h], 61h
            outsb
            add byte ptr fs:[eax], cl
            inc ecx
            add byte ptr [eax], al
            add byte ptr [eax], al
            add bh, bh
            int3
            xor dword ptr [eax], eax
            bswap edi
            into
            insd
            outsd
            or dh, ah
            movsb
            inc edi
            test eax, 7072E7DFh
            inc ecx
            xchg eax, esp
            jle 00007F3660A83962h
            pop eax
            xor byte ptr [ecx-32h], cl
            jle 00007F3660A83A04h
            scasd
            mov word ptr [ecx], gs
            pop ds
            xchg eax, esp
            jbe 00007F3660A83A09h
            cmp cl, byte ptr [edi-53h]
            xor ebx, dword ptr [ecx-48EE309Ah]
            or al, 00h
            stosb
            add byte ptr [eax-2Dh], ah
            xchg eax, ebx
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            mov esi, 61000002h
            add byte ptr [eax], al
            add byte ptr [eax], al
            or dword ptr [eax], eax
            push edi
            inc ebp
            inc ecx
            dec esp
            push esp
            dec eax
            inc esi
            push ebp
            dec esp
            add byte ptr [53001501h], cl
            push esp
            push edx
            pop ecx
            dec ebx

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0x20ea40x28.text
            IMAGE_DIRECTORY_ENTRY_RESOURCE0x240000x950.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
            IMAGE_DIRECTORY_ENTRY_IAT0x10000x1c4.text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x205680x21000False0.359463778409data5.90249486753IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .data0x220000x12500x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .rsrc0x240000x9500x1000False0.17138671875data2.02462742549IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountry
            RT_ICON0x248200x130data
            RT_ICON0x245380x2e8data
            RT_ICON0x244100x128GLS_BINARY_LSB_FIRST
            RT_GROUP_ICON0x243e00x30data
            RT_VERSION0x241500x290MS Windows COFF PA-RISC object fileEnglishUnited States

            Imports

            DLLImport
            MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaLateMemCallLd, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

            Version Infos

            DescriptionData
            Translation0x0409 0x04b0
            InternalNameChanneled1
            FileVersion1.00
            CompanyNameMortagage
            CommentsMortagage
            ProductNameMortagage
            ProductVersion1.00
            FileDescriptionMortagage
            OriginalFilenameChanneled1.exe

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishUnited States

            Network Behavior

            No network behavior found

            Code Manipulations

            Statistics

            System Behavior

            General

            Start time:08:49:02
            Start date:09/06/2021
            Path:C:\Users\user\Desktop\2FQhmYZME4.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\2FQhmYZME4.exe'
            Imagebase:0x400000
            File size:147456 bytes
            MD5 hash:196B3C910B8D74C5916029F6EB037D5D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:Visual Basic
            Yara matches:
            • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000000.645109161.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000002.1167637296.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:low

            Disassembly

            Code Analysis

            Reset < >