Analysis Report EXErprijFY

Overview

General Information

Sample Name: EXErprijFY (renamed file extension from none to exe)
Analysis ID: 433989
MD5: ee83942376ea5717149517fcc832ab9f
SHA1: ec75b10c6ef046cb63eaa20470ac94529fb4873a
SHA256: b3498937a71913d7101fafb04eb48a791106bec97e21839b2e1be8bb55a3f5fc
Tags: 32, exe, GuLoader, trojan

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Potential malicious icon found
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: EXErprijFY.exe Avira: detected
Antivirus detection for URL or domain
Source: https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin Avira URL Cloud: Label: malware
Found malware configuration
Source: EXErprijFY.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin"}

Compliance:

Uses 32bit PE files
Source: EXErprijFY.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: EXErprijFY.exe, 00000000.00000002.1164512673.00000000006FA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\EXErprijFY.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\EXErprijFY.exe Code function: 0_2_004018A4 0_2_004018A4
Source: C:\Users\user\Desktop\EXErprijFY.exe Code function: 0_2_00405732 0_2_00405732
PE file contains strange resources
Source: EXErprijFY.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: EXErprijFY.exe, 00000000.00000000.641912573.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamepetered.exe vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamepetered.exeFE2X2 vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamepetered.exeFE2X vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamepetered.exeFE2XpJ4 vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamepetered.exeFE2X_I vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamepetered.exeFE2X>N~ vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamepetered.exeFE2XxO< vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164564990.00000000020A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs EXErprijFY.exe
Source: EXErprijFY.exe Binary or memory string: OriginalFilenamepetered.exe vs EXErprijFY.exe
Uses 32bit PE files
Source: EXErprijFY.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@1/0@0/0
Source: EXErprijFY.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\EXErprijFY.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\EXErprijFY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1164652170.0000000002230000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: EXErprijFY.exe, type: SAMPLE
Source: Yara match File source: 0.0.EXErprijFY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EXErprijFY.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\EXErprijFY.exe Code function: 0_2_004059CC pushfd ; iretd 0_2_004059D5
Source: C:\Users\user\Desktop\EXErprijFY.exe Code function: 0_2_00406199 push ss; ret 0_2_004062BA
Source: C:\Users\user\Desktop\EXErprijFY.exe Code function: 0_2_00407E0A push ecx; iretd 0_2_00407E0C
Source: C:\Users\user\Desktop\EXErprijFY.exe Code function: 0_2_004062BD push ss; ret 0_2_004062BA
Source: C:\Users\user\Desktop\EXErprijFY.exe Code function: 0_2_00402F0B push dword ptr [ebp-1Ch]; ret 0_2_0041B724
Source: C:\Users\user\Desktop\EXErprijFY.exe Code function: 0_2_00409B16 push ecx; retf 0_2_00409B23
Source: C:\Users\user\Desktop\EXErprijFY.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\EXErprijFY.exe RDTSC instruction interceptor: First address: 0000000002237154 second address: 0000000002237154 instructions:
Source: C:\Users\user\Desktop\EXErprijFY.exe RDTSC instruction interceptor: First address: 000000000223A078 second address: 000000000223A078 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\EXErprijFY.exe RDTSC instruction interceptor: First address: 0000000002237154 second address: 0000000002237154 instructions:
Source: C:\Users\user\Desktop\EXErprijFY.exe RDTSC instruction interceptor: First address: 000000000223A021 second address: 000000000223A078 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 53673179h
  0x00000007 sub eax, 2CF91FC3h
  0x0000000c xor eax, 4DAF12BEh
  0x00000011 sub eax, 6BC10307h
  0x00000016 cpuid
  0x00000018 jmp 00007F311485C18Eh
  0x0000001a pushad
  0x0000001b rdtsc
Source: C:\Users\user\Desktop\EXErprijFY.exe RDTSC instruction interceptor: First address: 000000000223A078 second address: 000000000223A078 instructions:
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\EXErprijFY.exe Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: EXErprijFY.exe, 00000000.00000002.1164536037.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: EXErprijFY.exe, 00000000.00000002.1164536037.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: EXErprijFY.exe, 00000000.00000002.1164536037.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: EXErprijFY.exe, 00000000.00000002.1164536037.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IP infos