Analysis Report d81yNmZHaE.exe

Overview

General Information

Sample Name: d81yNmZHaE.exe
Analysis ID: 432593
MD5: 74b1969d9f41c94a1a07431b65bbf390
SHA1: 54935d5f7a59384ba8d1b26e25bbbc394e91922a
SHA256: f50e2cbd23d058c6f0b1b147c1ee77ccd969b9f895375aed3c42ccbab0bbbe15
Tags: exe, GuLoader

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://genitoriborgosatollo.it/main/client_sOcehs220.bin, http://amandaduquenoy."}
Multi AV Scanner detection for submitted file
Source: d81yNmZHaE.exe Virustotal: Detection: 33%
Source: d81yNmZHaE.exe ReversingLabs: Detection: 39%

Compliance:

Uses 32bit PE files
Source: d81yNmZHaE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://genitoriborgosatollo.it/main/client_sOcehs220.bin, http://amandaduquenoy.

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6827 NtAllocateVirtualMemory, 0_2_022D6827
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6A71 NtAllocateVirtualMemory, 0_2_022D6A71
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6884 NtAllocateVirtualMemory, 0_2_022D6884
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D68C9 NtAllocateVirtualMemory, 0_2_022D68C9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6911 NtAllocateVirtualMemory, 0_2_022D6911
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6955 NtAllocateVirtualMemory, 0_2_022D6955
Detected potential crypto function
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_00401C10 0_2_00401C10
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_004055DB 0_2_004055DB
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6827 0_2_022D6827
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D3209 0_2_022D3209
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D327D 0_2_022D327D
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D334F 0_2_022D334F
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D33BC 0_2_022D33BC
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D5040 0_2_022D5040
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D512C 0_2_022D512C
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D31AB 0_2_022D31AB
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D91DD 0_2_022D91DD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D3624 0_2_022D3624
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022DB46C 0_2_022DB46C
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D36AD 0_2_022D36AD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D46A5 0_2_022D46A5
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022DA68D 0_2_022DA68D
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D46FD 0_2_022D46FD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022DA6D9 0_2_022DA6D9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D2702 0_2_022D2702
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D1765 0_2_022D1765
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022DA74C 0_2_022DA74C
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D47A9 0_2_022D47A9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022DA7BD 0_2_022DA7BD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D47CF 0_2_022D47CF
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D346D 0_2_022D346D
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022DB46C 0_2_022DB46C
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D5471 0_2_022D5471
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D3451 0_2_022D3451
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D3531 0_2_022D3531
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D65BD 0_2_022D65BD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6584 0_2_022D6584
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022DBA0B 0_2_022DBA0B
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D2A4A 0_2_022D2A4A
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4A88 0_2_022D4A88
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4AF4 0_2_022D4AF4
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4B81 0_2_022D4B81
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D88B9 0_2_022D88B9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6884 0_2_022D6884
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D68C9 0_2_022D68C9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6911 0_2_022D6911
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4969 0_2_022D4969
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6955 0_2_022D6955
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D49EC 0_2_022D49EC
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4EC9 0_2_022D4EC9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D1F7F 0_2_022D1F7F
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D3F94 0_2_022D3F94
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D1FE4 0_2_022D1FE4
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4C25 0_2_022D4C25
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D2C99 0_2_022D2C99
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D2D32 0_2_022D2D32
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4D5C 0_2_022D4D5C
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D2DAD 0_2_022D2DAD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4DB5 0_2_022D4DB5
PE file contains strange resources
Source: d81yNmZHaE.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: d81yNmZHaE.exe, 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBlver.exe vs d81yNmZHaE.exe
Source: d81yNmZHaE.exe, 00000000.00000002.761074940.00000000021F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs d81yNmZHaE.exe
Source: d81yNmZHaE.exe Binary or memory string: OriginalFilenameBlver.exe vs d81yNmZHaE.exe
Uses 32bit PE files
Source: d81yNmZHaE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0
Source: d81yNmZHaE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (the Visual Basic 6 runtime, consistent with a VB6-built outer executable)
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies)
Source: d81yNmZHaE.exe Virustotal: Detection: 33%
Source: d81yNmZHaE.exe ReversingLabs: Detection: 39%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: d81yNmZHaE.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.234240857.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.0.d81yNmZHaE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.d81yNmZHaE.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_004030EE push dword ptr [ebp-44h]; ret 0_2_0041E804
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_00408957 push ecx; retf 0_2_00408A01
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_0040953D push es; retf 0_2_0040953E
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D72B9 push ebx; iretd 0_2_022D72C7
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D0041 push cs; iretd 0_2_022D004B
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D00C0 push cs; iretd 0_2_022D00CA
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D678D push cs; iretd 0_2_022D678E
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D5A5A push ebp; retf 0_2_022D5A62
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6827 NtAllocateVirtualMemory, 0_2_022D6827
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D31AB 0_2_022D31AB
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D46A5 0_2_022D46A5
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D46FD 0_2_022D46FD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D2702 0_2_022D2702
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D47A9 0_2_022D47A9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D47CF 0_2_022D47CF
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022DBA0B 0_2_022DBA0B
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4A88 0_2_022D4A88
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4AF4 0_2_022D4AF4
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4B81 0_2_022D4B81
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D88B9 0_2_022D88B9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4969 0_2_022D4969
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D49EC 0_2_022D49EC
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D4C25 0_2_022D4C25
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\d81yNmZHaE.exe RDTSC instruction interceptor: First address: 00000000022D6127 second address: 00000000022D6127 (the same address both times: the trace below is one pass through a loop) instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 54424F80h
    0x00000007 xor eax, BD2BBA67h
    0x0000000c add eax, 30109B8Dh
    0x00000011 sub eax, 197A9173h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007F36F0AD3678h
    0x0000001e lfence
    0x00000021 mov edx, 99F040D7h
    0x00000026 add edx, 65972F3Fh
    0x0000002c xor edx, B7C92FC9h
    0x00000032 xor edx, 37B05FCBh
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d ret
    0x0000003e sub edx, esi
    0x00000040 ret
    0x00000041 pop ecx
    0x00000042 add edi, edx
    0x00000044 dec ecx
    0x00000045 cmp ecx, 00000000h
    0x00000048 jne 00007F36F0AD3655h
    0x0000004a mov dword ptr [ebp+00000249h], eax
    0x00000050 mov eax, ecx
    0x00000052 push eax
    0x00000053 mov eax, dword ptr [ebp+00000249h]
    0x00000059 call 00007F36F0AD3687h
    0x0000005e call 00007F36F0AD3699h
    0x00000063 lfence
    0x00000066 mov edx, 99F040D7h
    0x0000006b add edx, 65972F3Fh
    0x00000071 xor edx, B7C92FC9h
    0x00000077 xor edx, 37B05FCBh
    0x0000007d mov edx, dword ptr [edx]
    0x0000007f lfence
    0x00000082 ret
    0x00000083 mov esi, edx
    0x00000085 pushad
    0x00000086 rdtsc
Read as a loop body: esi holds the dword last read from the address that the edx chain (mov 99F040D7h, add 65972F3Fh, xor B7C92FC9h, xor 37B05FCBh) folds to, 0x7FFE0014, the low dword of SystemTime in KUSER_SHARED_DATA. Each iteration runs rdtsc and cpuid (eax folded from the first chain to 1, the processor-info leaf) inside a pushad/popad pair, so their register results are thrown away; it then re-reads 0x7FFE0014, subtracts esi, accumulates the delta in edi and repeats ecx times. What is measured is therefore the wall-clock time spent in cpuid, which traps to the hypervisor and costs far more under virtualization than on bare metal; the lfence instructions keep the two time reads ordered around it.
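The two register chains in the trace above (mov eax, 54424F80h through sub eax, 197A9173h, and mov edx, 99F040D7h through xor edx, 37B05FCBh) are constants hidden behind arithmetic. The script below is an added illustration, not part of this report or of the sample: it folds such a chain with 32-bit wraparound and names the KUSER_SHARED_DATA field a resulting address lands in. The instruction strings are copied from the trace; the field offsets are taken from the public layout of KUSER_SHARED_DATA, the page mapped read-only at 0x7FFE0000 in every user-mode Windows process.

```python
"""Fold GuLoader-style arithmetic-obfuscated constants (added example)."""
import re

MASK32 = 0xFFFFFFFF

# Constructed input: the two mov/xor/add/sub chains copied from the RDTSC
# interceptor trace in this report (hex immediates carry a trailing 'h').
CPUID_LEAF_CHAIN = [
    "mov eax, 54424F80h",
    "xor eax, BD2BBA67h",
    "add eax, 30109B8Dh",
    "sub eax, 197A9173h",
]
READ_ADDRESS_CHAIN = [
    "mov edx, 99F040D7h",
    "add edx, 65972F3Fh",
    "xor edx, B7C92FC9h",
    "xor edx, 37B05FCBh",
]

# Only "op reg, imm32h" on a 32-bit general register is accepted.
_INSN = re.compile(
    r"^\s*(mov|xor|add|sub)\s+(e[a-d]x|e[sd]i|e[bs]p),\s*([0-9A-Fa-f]+)h\s*$")

# KUSER_SHARED_DATA is one page at a fixed user-mode address; offsets below are
# the start of each KSYSTEM_TIME field (LowPart is the first dword of each).
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {
    0x008: "KUSER_SHARED_DATA.InterruptTime",
    0x014: "KUSER_SHARED_DATA.SystemTime",
    0x320: "KUSER_SHARED_DATA.TickCount",
}


def fold_constant(chain):
    """Evaluate a mov/xor/add/sub chain on one register with 32-bit wraparound.

    Returns (register, value). Raises ValueError on any instruction that is not
    an immediate-operand op on the chain's register, so a caller never folds a
    chain that some intervening instruction actually modifies."""
    reg, value = None, None
    for line in chain:
        m = _INSN.match(line)
        if not m:
            raise ValueError(f"unsupported instruction: {line!r}")
        op, r, imm = m.group(1), m.group(2), int(m.group(3), 16)
        if reg is None:
            if op != "mov":
                raise ValueError("chain must start with mov reg, imm32")
            reg = r
        elif r != reg:
            raise ValueError(f"chain switches register {reg} -> {r}")
        if op == "mov":
            value = imm
        elif op == "xor":
            value ^= imm
        elif op == "add":
            value = (value + imm) & MASK32
        else:  # sub
            value = (value - imm) & MASK32
    return reg, value


def describe_address(addr):
    """Name the KUSER_SHARED_DATA field a folded address points at, or None."""
    if KUSER_SHARED_DATA <= addr < KUSER_SHARED_DATA + 0x1000:
        off = addr - KUSER_SHARED_DATA
        return KUSER_FIELDS.get(off, f"KUSER_SHARED_DATA+0x{off:x}")
    return None


if __name__ == "__main__":
    reg, leaf = fold_constant(CPUID_LEAF_CHAIN)
    print(f"cpuid leaf in {reg}: {leaf:#x}")
    reg, addr = fold_constant(READ_ADDRESS_CHAIN)
    print(f"{reg} = {addr:#010x} -> {describe_address(addr)}")
```

Folding gives eax = 1 (the cpuid leaf) and edx = 0x7FFE0014 (SystemTime.LowPart), which is how the loop times cpuid without keeping the rdtsc value. The parser deliberately refuses anything other than mov/xor/add/sub with an immediate on a single register; widen it only after confirming in a disassembler that no instruction between the chain members touches that register.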
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6827 rdtsc 0_2_022D6827
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D6827 rdtsc 0_2_022D6827
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D90E4 mov eax, dword ptr fs:[00000030h] 0_2_022D90E4
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D31AB mov eax, dword ptr fs:[00000030h] 0_2_022D31AB
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022DA68D mov eax, dword ptr fs:[00000030h] 0_2_022DA68D
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022DA6D9 mov eax, dword ptr fs:[00000030h] 0_2_022DA6D9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D9AC5 mov eax, dword ptr fs:[00000030h] 0_2_022D9AC5
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D3BBC mov eax, dword ptr fs:[00000030h] 0_2_022D3BBC
Source: C:\Users\user\Desktop\d81yNmZHaE.exe Code function: 0_2_022D3F94 mov eax, dword ptr fs:[00000030h] 0_2_022D3F94
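The PEB reads listed above, the push/ret and push cs/iretd sequences under Data Obfuscation, and the rdtsc/cpuid probes under Malware Analysis System Evasion are all short, fixed opcode sequences. The scanner below is an added example, not code from this report or from the sample: it finds those encodings in a raw code buffer and pairs rdtsc with a nearby cpuid, which is the shape of a CPUID timing probe. The buffer it scans is constructed for the demonstration, and the base address 0x022D0000 is chosen only so that printed addresses fall in the same region as the report's.

```python
"""Find the anti-analysis opcode idioms flagged in this report (added example)."""
import re
from collections import Counter, namedtuple

Hit = namedtuple("Hit", "addr kind target")

# Byte-level encodings of the idioms the sandbox signatures describe:
#   64 A1 30 00 00 00          mov eax, fs:[30h]        PEB read, short form
#   64 8B /r disp32=00000030   mov r32, fs:[30h]        PEB read, modrm form
#   0F 31                      rdtsc
#   0F A2                      cpuid
#   68 imm32 C3                push imm32; ret          jump disguised as a return
#   50..57 C3|CB               push r32; ret/retf       ret-based control flow
#   06|0E CB|CF                push es/cs; retf/iretd   junk that breaks linear disassembly
PATTERNS = {
    "peb_read": re.compile(
        rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"),
    "rdtsc": re.compile(rb"\x0F\x31"),
    "cpuid": re.compile(rb"\x0F\xA2"),
    "push_imm_ret": re.compile(rb"\x68....\xC3", re.DOTALL),
    "push_reg_ret": re.compile(rb"[\x50-\x57][\xC3\xCB]"),
    "push_seg_iret": re.compile(rb"[\x06\x0E][\xCB\xCF]"),
}

# Constructed buffer (not bytes from the sample): one instance of each idiom
# with two NOPs in between; the push immediate is arbitrary.
SAMPLE_CODE = (
    b"\x64\xA1\x30\x00\x00\x00"        # mov eax, fs:[30h]
    b"\x0F\x31"                        # rdtsc
    b"\x90\x90"                        # nop; nop
    b"\x0F\xA2"                        # cpuid
    b"\x68\x00\x10\x40\x00\xC3"        # push 00401000h; ret
    b"\x55\xCB"                        # push ebp; retf
    b"\x0E\xCF"                        # push cs; iretd
    b"\x64\x8B\x1D\x30\x00\x00\x00"    # mov ebx, fs:[30h]
)


def scan_anti_analysis(code, base=0):
    """Return every idiom occurrence in `code` as Hit(addr, kind, target), sorted.

    `target` is the jump destination for push imm32; ret and None otherwise."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(code):
            target = None
            if kind == "push_imm_ret":
                target = int.from_bytes(m.group(0)[1:5], "little")
            hits.append(Hit(base + m.start(), kind, target))
    hits.sort(key=lambda h: h.addr)
    return hits


def find_timing_probes(hits, window=64):
    """Pair each rdtsc with any cpuid within `window` bytes of it."""
    rdtsc = [h.addr for h in hits if h.kind == "rdtsc"]
    cpuid = [h.addr for h in hits if h.kind == "cpuid"]
    return [(r, c) for r in rdtsc for c in cpuid if abs(c - r) <= window]


def summarize(hits):
    """Count hits per idiom kind."""
    return dict(Counter(h.kind for h in hits))


if __name__ == "__main__":
    found = scan_anti_analysis(SAMPLE_CODE, base=0x022D0000)
    for h in found:
        extra = f" -> {h.target:#010x}" if h.target is not None else ""
        print(f"{h.addr:#010x} {h.kind}{extra}")
    print("timing probes:", [(f"{r:#x}", f"{c:#x}") for r, c in find_timing_probes(found)])
    print("summary:", summarize(found))
```

Treat hits as triage pointers rather than verdicts: two-byte patterns such as 0F 31 also occur inside data and immediates, and reading fs:[30h] is routine in legitimate runtime code, so confirm each hit in a disassembler. The rdtsc/cpuid proximity check is what turns individual opcodes into evidence of a timing probe like the loop traced above.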
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Window class names present in memory (Shell_TrayWnd is the taskbar, Progman the desktop "Program Manager" window):
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IPs.