Analysis Report Facturas Pagadas Al Vencimiento.exe

Overview

General Information

Sample Name: Facturas Pagadas Al Vencimiento.exe
Analysis ID: 433561
MD5: c8d357afda8635441bc5838244ca0029
SHA1: 026b3b6bafa462c763860afeb21b3cfe05aeb600
SHA256: 94bfbe95a21d987080ac95825abde8cf1aa7955fa711c8daeea32ba18590979d

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Checks if the current process is being debugged
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
One or more processes crash
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: Facturas Pagadas Al Vencimiento.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1dBTGLOe-ZeMuRpNWg8qsJp7BOE8QNF9s5l"}
Multi AV Scanner detection for submitted file
Source: Facturas Pagadas Al Vencimiento.exe Virustotal: Detection: 71%
Source: Facturas Pagadas Al Vencimiento.exe Metadefender: Detection: 45%
Source: Facturas Pagadas Al Vencimiento.exe ReversingLabs: Detection: 69%

Compliance:

Uses 32bit PE files
Source: Facturas Pagadas Al Vencimiento.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1dBTGLOe-ZeMuRpNWg8qsJp7BOE8QNF9s5l

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.251983968.000000000073A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Detected potential crypto function
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_004014BC 0_2_004014BC
One or more processes crash
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 696
PE file contains strange resources
Source: Facturas Pagadas Al Vencimiento.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.236913139.0000000000610000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Facturas Pagadas Al Vencimiento.exe
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.228562671.0000000000421000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameGRFTNING.exe vs Facturas Pagadas Al Vencimiento.exe
Source: Facturas Pagadas Al Vencimiento.exe Binary or memory string: OriginalFilenameGRFTNING.exe vs Facturas Pagadas Al Vencimiento.exe
Uses 32bit PE files
Source: Facturas Pagadas Al Vencimiento.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal76.rans.troj.winEXE@3/8@0/1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6040
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C35.tmp
Source: Facturas Pagadas Al Vencimiento.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Facturas Pagadas Al Vencimiento.exe Virustotal: Detection: 71%
Source: Facturas Pagadas Al Vencimiento.exe Metadefender: Detection: 45%
Source: Facturas Pagadas Al Vencimiento.exe ReversingLabs: Detection: 69%
Source: unknown Process created: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe 'C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe'
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 696
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Facturas Pagadas Al Vencimiento.exe, type: SAMPLE
Source: Yara match File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.7.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_00406C48 push edi; iretd 0_2_00406C4C
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040A4F0 push edi; retf 0_2_0040A4F6
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040B88A push es; ret 0_2_0040B902
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_004018A5 push eax; retn 0041h 0_2_004018AD
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040CD40 push FFFFFF87h; ret 0_2_0040CD42
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040AD1C pushfd ; ret 0_2_0040AD2E
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040DE63 push ds; ret 0_2_0040DE6D
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040C20B push FFFFFFF9h; ret 0_2_0040C2DE
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040C20D push FFFFFFF9h; ret 0_2_0040C2DE
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040CAC2 pushad ; ret 0_2_0040CAD2
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_00405EC5 push es; ret 0_2_00405EC8
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040D6DA push cs; ret 0_2_0040D6F1
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040BA91 push ss; ret 0_2_0040BA92
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_0040829F push 00000055h; ret 0_2_004082BD
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_00409768 push ebp; ret 0_2_0040976D
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_00409F3A push 00000048h; ret 0_2_00409F92
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_00409FCB push 00000048h; ret 0_2_00409F92
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Code function: 0_2_004077DD push ebp; ret 0_2_0040780E
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe Process queried: DebugPort
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.237197797.0000000000CC0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.237197797.0000000000CC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.237197797.0000000000CC0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.237197797.0000000000CC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock