Windows Analysis Report lpSbvoEkD6.exe

Overview

General Information

Sample Name: lpSbvoEkD6.exe
Analysis ID: 434685
MD5: ab19307ba349239ed32f7ec471c882e6
SHA1: 451cb1fc62f9fcd4d6f5e8b187404d278f21c65e
SHA256: 5445447afbc7e74f9a827b122e1b38c4cb9715ec3dfc5bbfbf4805759bfc6eac
Tags: exe, GuLoader

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: lpSbvoEkD6.exe Malware Configuration Extractor: GuLoader {"Payload URL": "http://theater.expodium.net/wp-content/plugins/m/Host_AvQmpG228.bin, https://meatflesh.com/b/Host_AvQmpG228.bin"}
Multi AV Scanner detection for submitted file
Source: lpSbvoEkD6.exe Virustotal: Detection: 29%

Compliance:

Uses 32bit PE files
Source: lpSbvoEkD6.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://theater.expodium.net/wp-content/plugins/m/Host_AvQmpG228.bin, https://meatflesh.com/b/Host_AvQmpG228.bin

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe Code function: 0_2_00405720 0_2_00405720
PE file contains strange resources
Source: lpSbvoEkD6.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: lpSbvoEkD6.exe, 00000000.00000002.576799654.0000000002300000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCHELEM.exeFE2X0 vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCHELEM.exeFE2X vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCHELEM.exeFE2X^ vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCHELEM.exeFE2X3 vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCHELEM.exeFE2Xu vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576781617.00000000021E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCHELEM.exeFE2XV vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe, 00000000.00000002.576572316.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCHELEM.exe vs lpSbvoEkD6.exe
Source: lpSbvoEkD6.exe Binary or memory string: OriginalFilenameCHELEM.exe vs lpSbvoEkD6.exe
Uses 32bit PE files
Source: lpSbvoEkD6.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0
Source: lpSbvoEkD6.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: lpSbvoEkD6.exe Virustotal: Detection: 29%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: lpSbvoEkD6.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.216224466.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.576531591.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.lpSbvoEkD6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lpSbvoEkD6.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe Code function: 0_2_00409AF3 push ss; retf 0_2_00409AFB
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe Code function: 0_2_00406141 push 5A7B4F15h; ret 0_2_0040614C
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe Code function: 0_2_00406D6B push eax; ret 0_2_00406D6D
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe Code function: 0_2_00402F03 push dword ptr [ebp-1Ch]; ret 0_2_0041B0E4
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe Code function: 0_2_00406BCA pushfd ; ret 0_2_00406BD1
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe Code function: 0_2_00407D85 pushad ; iretd 0_2_00407DA1
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe RDTSC instruction interceptor: First address: 0000000002C32B24 second address: 0000000002C32B24 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 9E07C293h
    0x00000007 add eax, 10CAA39Fh
    0x0000000c xor eax, 3308A0D8h
    0x00000011 sub eax, 9DDAC6E9h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007F99AC4F37A1h
    0x0000001e lfence
    0x00000021 mov edx, 25CCE66Fh
    0x00000026 xor edx, BC263FA9h
    0x0000002c xor edx, 19DA13DCh
    0x00000032 xor edx, FFCECA0Eh
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d ret
    0x0000003e jmp 00007F99AC4F3796h
    0x00000040 test dx, dx
    0x00000043 sub edx, esi
    0x00000045 ret
    0x00000046 pop ecx
    0x00000047 add edi, edx
    0x00000049 dec ecx
    0x0000004a cmp ecx, 00000000h
    0x0000004d jne 00007F99AC4F3743h
    0x0000004f mov dword ptr [ebp+0000021Bh], edx
    0x00000055 mov edx, ecx
    0x00000057 test edx, ecx
    0x00000059 push edx
    0x0000005a mov edx, dword ptr [ebp+0000021Bh]
    0x00000060 call 00007F99AC4F377Bh
    0x00000065 call 00007F99AC4F37C2h
    0x0000006a lfence
    0x0000006d mov edx, 25CCE66Fh
    0x00000072 xor edx, BC263FA9h
    0x00000078 xor edx, 19DA13DCh
    0x0000007e xor edx, FFCECA0Eh
    0x00000084 mov edx, dword ptr [edx]
    0x00000086 lfence
    0x00000089 ret
    0x0000008a mov esi, edx
    0x0000008c pushad
    0x0000008d rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\lpSbvoEkD6.exe Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: lpSbvoEkD6.exe, 00000000.00000002.576734773.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: lpSbvoEkD6.exe, 00000000.00000002.576734773.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: lpSbvoEkD6.exe, 00000000.00000002.576734773.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: lpSbvoEkD6.exe, 00000000.00000002.576734773.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IP infos