
Analysis Report d81yNmZHaE.exe

Overview

General Information

Sample Name: d81yNmZHaE.exe
Analysis ID: 432593
MD5: 74b1969d9f41c94a1a07431b65bbf390
SHA1: 54935d5f7a59384ba8d1b26e25bbbc394e91922a
SHA256: f50e2cbd23d058c6f0b1b147c1ee77ccd969b9f895375aed3c42ccbab0bbbe15
Tags: exe, GuLoader

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • d81yNmZHaE.exe (PID: 5416 cmdline: 'C:\Users\user\Desktop\d81yNmZHaE.exe' MD5: 74B1969D9F41C94A1A07431B65BBF390)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://genitoriborgosatollo.it/main/client_sOcehs220.bin, http://amandaduquenoy."}

Yara Overview

Initial Sample

Source | Rule | Description | Author
d81yNmZHaE.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000000.00000000.234240857.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security
00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.0.d81yNmZHaE.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security
0.2.d81yNmZHaE.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://genitoriborgosatollo.it/main/client_sOcehs220.bin, http://amandaduquenoy."}
Multi AV Scanner detection for submitted file
Source: d81yNmZHaE.exe, Virustotal: Detection: 33%
Source: d81yNmZHaE.exe, ReversingLabs: Detection: 39%

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: https://genitoriborgosatollo.it/main/client_sOcehs220.bin, http://amandaduquenoy.

System Summary:

Potential malicious icon found
Source: initial sample, Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code functions calling NtAllocateVirtualMemory: 0_2_022D6827, 0_2_022D6A71, 0_2_022D6884, 0_2_022D68C9, 0_2_022D6911, 0_2_022D6955
Detected potential crypto function
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code functions: 0_2_00401C10, 0_2_004055DB, 0_2_022D6827, 0_2_022D3209, 0_2_022D327D, 0_2_022D334F, 0_2_022D33BC, 0_2_022D5040, 0_2_022D512C, 0_2_022D31AB, 0_2_022D91DD, 0_2_022D3624, 0_2_022DB46C, 0_2_022D36AD, 0_2_022D46A5, 0_2_022DA68D, 0_2_022D46FD, 0_2_022DA6D9, 0_2_022D2702, 0_2_022D1765, 0_2_022DA74C, 0_2_022D47A9, 0_2_022DA7BD, 0_2_022D47CF, 0_2_022D346D, 0_2_022D5471, 0_2_022D3451, 0_2_022D3531, 0_2_022D65BD, 0_2_022D6584, 0_2_022DBA0B, 0_2_022D2A4A, 0_2_022D4A88, 0_2_022D4AF4, 0_2_022D4B81, 0_2_022D88B9, 0_2_022D6884, 0_2_022D68C9, 0_2_022D6911, 0_2_022D4969, 0_2_022D6955, 0_2_022D49EC, 0_2_022D4EC9, 0_2_022D1F7F, 0_2_022D3F94, 0_2_022D1FE4, 0_2_022D4C25, 0_2_022D2C99, 0_2_022D2D32, 0_2_022D4D5C, 0_2_022D2DAD, 0_2_022D4DB5
PE file contains strange resources
Source: d81yNmZHaE.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: d81yNmZHaE.exe, 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameBlver.exe vs d81yNmZHaE.exe
Source: d81yNmZHaE.exe, 00000000.00000002.761074940.00000000021F0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs d81yNmZHaE.exe
Source: d81yNmZHaE.exe, Binary or memory string: OriginalFilenameBlver.exe vs d81yNmZHaE.exe
Uses 32bit PE files
Source: d81yNmZHaE.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine, Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0
Source: d81yNmZHaE.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match, File source: d81yNmZHaE.exe, type: SAMPLE
Source: Yara match, File source: 00000000.00000000.234240857.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0.0.d81yNmZHaE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.d81yNmZHaE.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code function: 0_2_004030EE push dword ptr [ebp-44h]; ret 0_2_0041E804
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code function: 0_2_00408957 push ecx; retf 0_2_00408A01
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code function: 0_2_0040953D push es; retf 0_2_0040953E
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code function: 0_2_022D72B9 push ebx; iretd 0_2_022D72C7
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code function: 0_2_022D0041 push cs; iretd 0_2_022D004B
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code function: 0_2_022D00C0 push cs; iretd 0_2_022D00CA
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code function: 0_2_022D678D push cs; iretd 0_2_022D678E
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code function: 0_2_022D5A5A push ebp; retf 0_2_022D5A62
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Process information set: NOOPENFILEERRORBOX (reported 5 times)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code function: 0_2_022D6827 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code functions: 0_2_022D31AB, 0_2_022D46A5, 0_2_022D46FD, 0_2_022D2702, 0_2_022D47A9, 0_2_022D47CF, 0_2_022DBA0B, 0_2_022D4A88, 0_2_022D4AF4, 0_2_022D4B81, 0_2_022D88B9, 0_2_022D4969, 0_2_022D49EC, 0_2_022D4C25
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, RDTSC instruction interceptor: first address 00000000022D6127, second address 00000000022D6127, instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 54424F80h
    0x00000007 xor eax, BD2BBA67h
    0x0000000c add eax, 30109B8Dh
    0x00000011 sub eax, 197A9173h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007F36F0AD3678h
    0x0000001e lfence
    0x00000021 mov edx, 99F040D7h
    0x00000026 add edx, 65972F3Fh
    0x0000002c xor edx, B7C92FC9h
    0x00000032 xor edx, 37B05FCBh
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d ret
    0x0000003e sub edx, esi
    0x00000040 ret
    0x00000041 pop ecx
    0x00000042 add edi, edx
    0x00000044 dec ecx
    0x00000045 cmp ecx, 00000000h
    0x00000048 jne 00007F36F0AD3655h
    0x0000004a mov dword ptr [ebp+00000249h], eax
    0x00000050 mov eax, ecx
    0x00000052 push eax
    0x00000053 mov eax, dword ptr [ebp+00000249h]
    0x00000059 call 00007F36F0AD3687h
    0x0000005e call 00007F36F0AD3699h
    0x00000063 lfence
    0x00000066 mov edx, 99F040D7h
    0x0000006b add edx, 65972F3Fh
    0x00000071 xor edx, B7C92FC9h
    0x00000077 xor edx, 37B05FCBh
    0x0000007d mov edx, dword ptr [edx]
    0x0000007f lfence
    0x00000082 ret
    0x00000083 mov esi, edx
    0x00000085 pushad
    0x00000086 rdtsc
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code function: 0_2_022D6827 rdtsc
Program does not show much activity (idle)
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
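The two register chains in the interceptor listing are plain constant obfuscation: each value is built by mov/xor/add/sub with 32-bit wraparound so that neither the CPUID leaf nor the pointer being dereferenced appears as a literal. The Python below is an added example and not part of the Joe Sandbox report; its only input is the listing text copied from the report. Replaying the arithmetic resolves the eax chain to 1, i.e. CPUID leaf 1 (whose ECX bit 31 is the hypervisor-present flag, and which is itself a forced VM exit under hardware virtualization), and the edx chain to 0x7FFE0014, i.e. KUSER_SHARED_DATA (mapped at 0x7FFE0000 in every 32-bit Windows process) plus 0x14, the SystemTime field. The listing then differences consecutive SystemTime reads (sub edx, esi; add edi, edx) around the rdtsc/cpuid pair inside a dec ecx / jne loop, so the check is timed against a kernel-maintained clock rather than only against the TSC. The KUSER_SHARED_DATA field offsets used in explain() come from the public structure layout and are the one assumption beyond the listing itself.

```python
"""Decode the obfuscated constants in the RDTSC/CPUID loop above.

Added example for this report, not Joe Sandbox code. LISTING is the first
part of the interceptor output copied from the report; the decoder replays
the immediate-operand arithmetic and reports each register's value at the
instruction that consumes it.
"""
import re

MASK32 = 0xFFFFFFFF

# Start of the "RDTSC instruction interceptor" listing, as printed in the report.
LISTING = """
0x00000000 rdtsc
0x00000002 mov eax, 54424F80h
0x00000007 xor eax, BD2BBA67h
0x0000000c add eax, 30109B8Dh
0x00000011 sub eax, 197A9173h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F36F0AD3678h
0x0000001e lfence
0x00000021 mov edx, 99F040D7h
0x00000026 add edx, 65972F3Fh
0x0000002c xor edx, B7C92FC9h
0x00000032 xor edx, 37B05FCBh
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d ret
"""

# "<addr> <op> <reg>, <imm>h" for the four arithmetic ops the chains use.
ARITH = re.compile(r"^0x[0-9a-fA-F]+\s+(mov|xor|add|sub)\s+(eax|edx),\s*([0-9A-Fa-f]+)h$")

# Each op on a 32-bit register with an immediate, wrapping like the CPU does.
OPS = {
    "mov": lambda reg, imm: imm,
    "xor": lambda reg, imm: reg ^ imm,
    "add": lambda reg, imm: (reg + imm) & MASK32,
    "sub": lambda reg, imm: (reg - imm) & MASK32,
}


def decode_chains(listing: str) -> dict:
    """Walk the listing once, tracking eax and edx.

    Records eax at 'cpuid' (the leaf requested) and edx at
    'mov edx, dword ptr [edx]' (the address dereferenced)."""
    regs = {"eax": 0, "edx": 0}
    found = {}
    for raw in listing.strip().splitlines():
        line = raw.strip()
        m = ARITH.match(line)
        if m:
            op, reg, imm = m.group(1), m.group(2), int(m.group(3), 16)
            regs[reg] = OPS[op](regs[reg], imm)
        elif line.endswith("cpuid"):
            found["cpuid_leaf"] = regs["eax"]
        elif line.endswith("mov edx, dword ptr [edx]"):
            found["load_address"] = regs["edx"]
    return found


# Assumption: public KUSER_SHARED_DATA layout (32-bit offsets of the clock fields).
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {0x08: "InterruptTime", 0x14: "SystemTime"}


def explain(found: dict) -> list:
    """Translate the decoded values into what they mean on 32-bit Windows."""
    notes = []
    if found.get("cpuid_leaf") == 1:
        notes.append("CPUID leaf 1: ECX bit 31 is the hypervisor-present flag, "
                     "and CPUID is an unconditional VM exit whose cost timing can expose")
    addr = found.get("load_address")
    if addr is not None and KUSER_SHARED_DATA <= addr < KUSER_SHARED_DATA + 0x1000:
        off = addr - KUSER_SHARED_DATA
        field = KUSER_FIELDS.get(off, f"offset 0x{off:x}")
        notes.append(f"KUSER_SHARED_DATA.{field} read at 0x{addr:08X}: "
                     "a kernel-maintained clock to difference around the CPUID loop")
    return notes


if __name__ == "__main__":
    decoded = decode_chains(LISTING)
    print({k: hex(v) for k, v in decoded.items()})
    for note in explain(decoded):
        print("-", note)
```

The same decoder applies to the second edx chain later in the listing (offsets 0x66 to 0x7d use the same four immediates), so both clock reads in the loop resolve to the same SystemTime field.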

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code function: 0_2_022D6827 rdtsc
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\d81yNmZHaE.exe, Code functions reading fs:[00000030h] into eax: 0_2_022D90E4, 0_2_022D31AB, 0_2_022DA68D, 0_2_022DA6D9, 0_2_022D9AC5, 0_2_022D3BBC, 0_2_022D3F94
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp, Binary or memory string: Progman
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp, Binary or memory string: SProgram Managerl
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd,
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp, Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Techniques carrying a numeric marker in the report's matrix, grouped by tactic (the digits are the report's own cell markers, kept as printed):

Privilege Escalation: Process Injection (1)
Defense Evasion: Process Injection (1); Virtualization/Sandbox Evasion (11); Obfuscated Files or Information (1)
Discovery: Security Software Discovery (31); Virtualization/Sandbox Evasion (11); Process Discovery (1); System Information Discovery (21)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Application Layer Protocol (1)

Columns with no marked technique: Initial Access, Execution, Persistence, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact.
