Analysis Report Facturas Pagadas al Vencimiento 6.exe

Overview

General Information

Sample Name: Facturas Pagadas al Vencimiento 6.exe
Analysis ID: 433003
MD5: 78c3e32a156e44865fcdf53b4783265b
SHA1: 02f175cb27dcf85b810f40d3c0adc66de1467ca0
SHA256: 4d1b07efb6e87b7c1379fc8f9eacef7443c54a57ab8e9d50c98053193316fd91
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: Facturas Pagadas al Vencimiento 6.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1ZXsoOW_y-1MUyiIhdhOWNmzZqI-by8yY"}
Multi AV Scanner detection for submitted file
Source: Facturas Pagadas al Vencimiento 6.exe Virustotal: Detection: 51% Perma Link
Source: Facturas Pagadas al Vencimiento 6.exe Metadefender: Detection: 40% Perma Link
Source: Facturas Pagadas al Vencimiento 6.exe ReversingLabs: Detection: 79%

Compliance:

barindex
Uses 32bit PE files
Source: Facturas Pagadas al Vencimiento 6.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1ZXsoOW_y-1MUyiIhdhOWNmzZqI-by8yY

System Summary:

barindex
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_0219BE78 0_2_0219BE78
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_0219A480 0_2_0219A480
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_021946D0 0_2_021946D0
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_021A0B0B 0_2_021A0B0B
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_0219350B 0_2_0219350B
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_0219355C 0_2_0219355C
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_021935A9 0_2_021935A9
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_021973A2 0_2_021973A2
PE file contains strange resources
Source: Facturas Pagadas al Vencimiento 6.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.720387303.0000000000421000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAerogun6.exe vs Facturas Pagadas al Vencimiento 6.exe
Source: Facturas Pagadas al Vencimiento 6.exe Binary or memory string: OriginalFilenameAerogun6.exe vs Facturas Pagadas al Vencimiento 6.exe
Uses 32bit PE files
Source: Facturas Pagadas al Vencimiento 6.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal92.rans.troj.evad.winEXE@1/0@0/0
Source: Facturas Pagadas al Vencimiento 6.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Facturas Pagadas al Vencimiento 6.exe Virustotal: Detection: 51%
Source: Facturas Pagadas al Vencimiento 6.exe Metadefender: Detection: 40%
Source: Facturas Pagadas al Vencimiento 6.exe ReversingLabs: Detection: 79%

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: Facturas Pagadas al Vencimiento 6.exe, type: SAMPLE
Source: Yara match File source: 0.2.Facturas Pagadas al Vencimiento 6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Facturas Pagadas al Vencimiento 6.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_0040CA38 push ecx; ret 0_2_0040CAE8
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_00406AE6 push ecx; ret 0_2_00406AE7
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_004064F2 push esp; retf 0_2_004064F3
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_00409F62 push esp; iretd 0_2_00409F63
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_0040A938 push edi; ret 0_2_0040A940
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_0219404C push FFFFFFC2h; retn 0004h 0_2_021940B4
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_02199C17 0_2_02199C17
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_0219BE78 0_2_0219BE78
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_021A0B0B 0_2_021A0B0B
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe RDTSC instruction interceptor: First address: 000000000219ACD5 second address: 000000000219ACD5 instructions:
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe RDTSC instruction interceptor: First address: 000000000219AEBC second address: 000000000219AEBC instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe RDTSC instruction interceptor: First address: 000000000219A977 second address: 000000000219AA85 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp edx, ebx 0x00000005 pushad 0x00000006 cmp dword ptr [ebp+0000014Ch], 00000000h 0x0000000d jne 00007F7CCC4CF4FAh 0x00000013 test ch, ch 0x00000015 mov eax, 2FD9C07Bh 0x0000001a nop 0x0000001b xor eax, 7E315320h 0x00000020 jmp 00007F7CCC4CF19Eh 0x00000022 test cx, cx 0x00000025 test dx, ax 0x00000028 xor eax, 1C1E277Ah 0x0000002d sub eax, 4DF6AEE8h 0x00000032 mov dword ptr [ebp+00000280h], esi 0x00000038 cmp edx, edx 0x0000003a mov esi, DA7E1005h 0x0000003f cmp ah, ch 0x00000041 xor esi, 59F02A12h 0x00000047 test dl, al 0x00000049 cmp bl, al 0x0000004b sub esi, D3DBBFD6h 0x00000051 sub esi, AFB279D5h 0x00000057 jmp 00007F7CCC4CF1A2h 0x00000059 test cl, bl 0x0000005b push esi 0x0000005c test bx, ax 0x0000005f mov esi, dword ptr [ebp+00000280h] 0x00000065 push 85A6F362h 0x0000006a cmp al, bl 0x0000006c pushad 0x0000006d mov eax, 000000B6h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe RDTSC instruction interceptor: First address: 000000000219ACD5 second address: 000000000219ACD5 instructions:
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe RDTSC instruction interceptor: First address: 000000000219AEBC second address: 000000000219AEBC instructions:
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe RDTSC instruction interceptor: First address: 000000000219F9E7 second address: 000000000219FA7C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp ecx, ecx 0x0000000d cmp ebx, eax 0x0000000f test ecx, ebx 0x00000011 test al, 39h 0x00000013 mov esi, 33B6F880h 0x00000018 cmp edi, 44CF2B59h 0x0000001e xor esi, 8B0C370Ch 0x00000024 cmp dh, ah 0x00000026 xor esi, 7DFB8F97h 0x0000002c cmp ch, dh 0x0000002e cmp bx, cx 0x00000031 xor esi, C541B01Bh 0x00000037 test esi, 0E27938Eh 0x0000003d jmp 00007F7CCC39BE0Eh 0x0000003f cmp dh, ch 0x00000041 cmp eax, ebx 0x00000043 cmp cl, dl 0x00000045 pushad 0x00000046 lfence 0x00000049 rdtsc
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe RDTSC instruction interceptor: First address: 000000000219FBC7 second address: 000000000219FCD9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [ebp+0000019Eh] 0x00000011 cmp ecx, ecx 0x00000013 push AE5BC5C3h 0x00000018 jmp 00007F7CCC4CF19Eh 0x0000001a cmp di, 6510h 0x0000001f add dword ptr [esp], FF06270Bh 0x00000026 xor dword ptr [esp], BF9532A6h 0x0000002d test bx, bx 0x00000030 test ebx, ecx 0x00000032 add dword ptr [esp], ED0B2198h 0x00000039 cmp bh, ch 0x0000003b mov dword ptr [ebp+000001A2h], ecx 0x00000041 mov ecx, esi 0x00000043 push ecx 0x00000044 cmp dh, ah 0x00000046 mov ecx, dword ptr [ebp+000001A2h] 0x0000004c cmp ch, dh 0x0000004e cmp bx, cx 0x00000051 test esi, 54BF3FE2h 0x00000057 mov dword ptr [ebp+000001F2h], edi 0x0000005d mov edi, 6ABD3267h 0x00000062 jmp 00007F7CCC4CF19Eh 0x00000064 cmp dh, ch 0x00000066 cmp eax, ebx 0x00000068 xor edi, 005A9092h 0x0000006e cmp cl, dl 0x00000070 xor edi, 0D36FEAFh 0x00000076 pushad 0x00000077 lfence 0x0000007a rdtsc
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe RDTSC instruction interceptor: First address: 000000000219FF21 second address: 000000000219FF5C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+00000172h], edx 0x00000009 mov edx, ecx 0x0000000b push edx 0x0000000c test bl, bl 0x0000000e mov edx, dword ptr [ebp+00000172h] 0x00000014 cmp ch, 00000072h 0x00000017 cmp ax, cx 0x0000001a mov dword ptr [ebp+000001E9h], ecx 0x00000020 mov ecx, esi 0x00000022 push ecx 0x00000023 test ecx, 875BEF8Bh 0x00000029 mov ecx, dword ptr [ebp+000001E9h] 0x0000002f cmp edi, 715ED056h 0x00000035 pushad 0x00000036 mov edx, 0000005Ch 0x0000003b rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_02199C17 rdtsc 0_2_02199C17
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe API coverage: 5.1 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_02199C17 rdtsc 0_2_02199C17
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_0219F023 mov eax, dword ptr fs:[00000030h] 0_2_0219F023
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_0219F6FE mov eax, dword ptr fs:[00000030h] 0_2_0219F6FE
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_021A0B0B mov eax, dword ptr fs:[00000030h] 0_2_021A0B0B
Source: C:\Users\user\Desktop\Facturas Pagadas al Vencimiento 6.exe Code function: 0_2_02199B01 mov eax, dword ptr fs:[00000030h] 0_2_02199B01
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.721351172.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.721351172.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.721351172.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Facturas Pagadas al Vencimiento 6.exe, 00000000.00000002.721351172.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IP infos