Windows Analysis Report RICHIESTA DI OFFERTA.exe

Overview

General Information

Sample Name: RICHIESTA DI OFFERTA.exe
Analysis ID: 450724
MD5: 73bb5c4b690b8d6df88d6bc18fb3a553
SHA1: 60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256: a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.2609057616.0000000000460000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}"}

Compliance:

Uses 32bit PE files
Source: RICHIESTA DI OFFERTA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004092BC 0_2_004092BC
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046684F 0_2_0046684F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046A455 0_2_0046A455
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046681F 0_2_0046681F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00467025 0_2_00467025
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00467022 0_2_00467022
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004618FB 0_2_004618FB
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466C93 0_2_00466C93
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046709F 0_2_0046709F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00467CAB 0_2_00467CAB
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466554 0_2_00466554
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466955 0_2_00466955
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046156F 0_2_0046156F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046A969 0_2_0046A969
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00461175 0_2_00461175
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00463971 0_2_00463971
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046AFD7 0_2_0046AFD7
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466D2C 0_2_00466D2C
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046692D 0_2_0046692D
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466138 0_2_00466138
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004661DC 0_2_004661DC
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004669D8 0_2_004669D8
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046C5D9 0_2_0046C5D9
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004655A6 0_2_004655A6
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00461A43 0_2_00461A43
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00461664 0_2_00461664
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00461276 0_2_00461276
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466E00 0_2_00466E00
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046662B 0_2_0046662B
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004666C7 0_2_004666C7
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466EC7 0_2_00466EC7
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004616E3 0_2_004616E3
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004612E8 0_2_004612E8
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004636FA 0_2_004636FA
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046E280 0_2_0046E280
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466692 0_2_00466692
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004662A3 0_2_004662A3
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466AAB 0_2_00466AAB
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046634E 0_2_0046634E
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046DB55 0_2_0046DB55
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466B6B 0_2_00466B6B
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466778 0_2_00466778
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046C329 0_2_0046C329
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046AFD7 0_2_0046AFD7
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466BEB 0_2_00466BEB
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004663F7 0_2_004663F7
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00465FF1 0_2_00465FF1
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00461783 0_2_00461783
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466F9B 0_2_00466F9B
PE file contains strange resources
Source: RICHIESTA DI OFFERTA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RICHIESTA DI OFFERTA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.2609026459.0000000000435000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIndtr8.exe vs RICHIESTA DI OFFERTA.exe
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.2608868723.00000000003E0000.00000008.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs RICHIESTA DI OFFERTA.exe
Source: RICHIESTA DI OFFERTA.exe Binary or memory string: OriginalFilenameIndtr8.exe vs RICHIESTA DI OFFERTA.exe
Uses 32bit PE files
Source: RICHIESTA DI OFFERTA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe File created: C:\Users\user\AppData\Local\Temp\~DF94EEF8D419BE56F0.TMP
Source: RICHIESTA DI OFFERTA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.2609057616.0000000000460000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0040C06E push 00000000h; retf 0_2_0040C0B0
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00406625 push ebp; iretd 0_2_0040662F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00463429 push 84000002h; retf 0_2_0046342F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00460095 pushad ; retf 0_2_00460097
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046010B pushad ; retf 0_2_0046010D
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046684F 0_2_0046684F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046A455 0_2_0046A455
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046681F 0_2_0046681F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004618FB 0_2_004618FB
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466554 0_2_00466554
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466955 0_2_00466955
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046156F 0_2_0046156F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046A969 0_2_0046A969
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00461175 0_2_00461175
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00463971 0_2_00463971
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046692D 0_2_0046692D
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466138 0_2_00466138
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004661DC 0_2_004661DC
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004669D8 0_2_004669D8
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046C5D9 0_2_0046C5D9
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00461664 0_2_00461664
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00461276 0_2_00461276
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046662B 0_2_0046662B
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004666C7 0_2_004666C7
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004616E3 0_2_004616E3
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004612E8 0_2_004612E8
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004636FA 0_2_004636FA
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046E280 0_2_0046E280
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466692 0_2_00466692
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004662A3 0_2_004662A3
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466AAB 0_2_00466AAB
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046634E 0_2_0046634E
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00466778 0_2_00466778
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004663F7 0_2_004663F7
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00465FF1 0_2_00465FF1
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00461783 0_2_00461783
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe RDTSC instruction interceptor: First address: 000000000046E352 second address: 000000000046E352 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe RDTSC instruction interceptor: First address: 000000000046E352 second address: 000000000046E352 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046684F rdtsc 0_2_0046684F
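The three RDTSC-related signatures above (CPUID execution measurement, RDTSC time measurements, execution timing) all describe one trick: time a CPUID instruction with RDTSC and treat a large cycle count as evidence of a hypervisor, since CPUID always traps to the hypervisor under VT-x / AMD-V. The program below is an added example of that check, written for this page; it is not code recovered from RICHIESTA DI OFFERTA.exe and not sandbox code. The 1000-tick threshold and the 200-sample count are assumptions, and the measurement is x86-only (other architectures get 0).

```c
/* Added example (not code from RICHIESTA DI OFFERTA.exe or the sandbox):
 * the RDTSC-timed CPUID check described by the "CPUID execution measurement"
 * and "RDTSC time measurements" signatures. CPUID unconditionally exits to
 * the hypervisor under VT-x / AMD-V, so its TSC cost is far higher inside a
 * VM than on bare metal. x86-only; other architectures measure 0. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>       /* __cpuid() macro */
#include <x86intrin.h>   /* __rdtsc() */

/* One sample: rdtsc; cpuid(leaf 0); rdtsc. Returns the TSC delta. */
static uint64_t time_one_cpuid(void)
{
    unsigned int a = 0, b = 0, c = 0, d = 0;
    uint64_t start = __rdtsc();
    __cpuid(0, a, b, c, d);   /* leaf 0 (vendor string) is enough to force the VM exit */
    uint64_t end = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return end - start;
}
#else
static uint64_t time_one_cpuid(void) { return 0; }   /* technique does not exist off x86 */
#endif

/* Take several samples and keep the minimum: interrupts, cache misses and
 * scheduling only ever inflate a sample, so the minimum is the cleanest
 * estimate of the instruction's own cost. Returns 0 when samples <= 0. */
static uint64_t measure_cpuid_cycles(int samples)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < samples; i++) {
        uint64_t t = time_one_cpuid();
        if (t < best) best = t;
    }
    return best == UINT64_MAX ? 0 : best;
}

/* Assumed decision threshold (not a value recovered from the sample): a
 * native CPUID costs on the order of a couple of hundred ticks, a trapped
 * one typically well over a thousand. */
#define ASSUMED_VM_THRESHOLD 1000ULL

static int looks_virtualized(uint64_t min_cycles, uint64_t threshold)
{
    return min_cycles > threshold;
}

int main(void)
{
    uint64_t cycles = measure_cpuid_cycles(200);
    printf("minimum CPUID cost: %llu TSC ticks -> %s\n",
           (unsigned long long)cycles,
           looks_virtualized(cycles, ASSUMED_VM_THRESHOLD) ? "hypervisor likely"
                                                           : "bare metal likely");
    return 0;
}
```

Build with `gcc -O2 rdtsc_cpuid.c` and run it once on a physical host and once inside a VM to see the gap. The report's own "RDTSC instruction interceptor" lines show the countermeasure the sandbox applies: RDTSC is intercepted so that the delta the sample reads can be normalised, which is why a loader that relies on this check alone can still be run to the point where its payload URL is extracted.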
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046684F rdtsc 0_2_0046684F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046A900 mov eax, dword ptr fs:[00000030h] 0_2_0046A900
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046C5D9 mov eax, dword ptr fs:[00000030h] 0_2_0046C5D9
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0046B1FE mov eax, dword ptr fs:[00000030h] 0_2_0046B1FE
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00467AB1 mov eax, dword ptr fs:[00000030h] 0_2_00467AB1
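Several of the static findings in this report come from the same kind of byte-pattern sweep: the "push ...; retf / iretd" pairs under "Uses code obfuscation techniques (call, push, ret)" in the Data Obfuscation section, the `mov eax, dword ptr fs:[00000030h]` PEB reads listed just above, and the rdtsc / cpuid hits. The scanner below is an added example written for this page that reproduces those findings on a constructed buffer; it is not the sandbox's signature engine and the bytes are not taken from RICHIESTA DI OFFERTA.exe. The 8-byte pairing window, the constructed sample and the two 32-bit encodings assumed for `mov eax, fs:[30h]` are assumptions.

```c
/* Added example (not the sandbox's signature engine, not bytes from the
 * sample): a linear byte scanner that reproduces, on a constructed buffer,
 * the static findings the report lists: "push ...; ret/retf/iretd" pairs,
 * PEB reads through fs:[30h], and rdtsc / cpuid. 32-bit encodings assumed:
 * 68 imm32 push, 60 pushad, 55 push ebp, C3/C2/CB/CA/CF ret family,
 * 64 A1 30 00 00 00 and 64 8B 05 30 00 00 00 mov eax,fs:[30h],
 * 0F 31 rdtsc, 0F A2 cpuid. The 8-byte pairing window is an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum finding_kind { F_PUSH_RET = 0, F_PEB_READ = 1, F_RDTSC = 2, F_CPUID = 3 };

struct finding {
    enum finding_kind kind;
    size_t offset;   /* offset of the (first) instruction */
    size_t second;   /* offset of the ret-family opcode; equals offset otherwise */
};

#define MAX_FINDINGS   64
#define ASSUMED_WINDOW 8   /* max bytes between push and ret to call it a pair */

static int is_ret_family(uint8_t op)
{
    /* C3 ret, C2 ret imm16, CB retf, CA retf imm16, CF iretd */
    return op == 0xC3 || op == 0xC2 || op == 0xCB || op == 0xCA || op == 0xCF;
}

/* Returns the encoded length of a mov eax, fs:[30h] at p, or 0 if absent. */
static int is_fs30(const uint8_t *p, size_t avail)
{
    static const uint8_t disp[4] = { 0x30, 0x00, 0x00, 0x00 };
    if (avail >= 6 && p[0] == 0x64 && p[1] == 0xA1 && !memcmp(p + 2, disp, 4)) return 6;
    if (avail >= 7 && p[0] == 0x64 && p[1] == 0x8B && p[2] == 0x05 && !memcmp(p + 3, disp, 4)) return 7;
    return 0;
}

/* Linear sweep over buf; writes up to max_out findings and returns the count.
 * Operand bytes of push imm32 and of the fs:[30h] forms are skipped rather
 * than re-scanned as opcodes. */
static size_t scan_code(const uint8_t *buf, size_t len, size_t window,
                        struct finding *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_out; i++) {
        uint8_t op = buf[i];
        size_t push_len = 0;
        int fs_len;
        if (op == 0x68 && i + 5 <= len) push_len = 5;     /* push imm32 */
        else if (op == 0x60 || op == 0x55) push_len = 1;   /* pushad / push ebp */

        if (push_len) {
            size_t limit = i + push_len + window;
            if (limit > len) limit = len;
            for (size_t j = i + push_len; j < limit; j++)
                if (is_ret_family(buf[j])) {
                    out[n++] = (struct finding){ F_PUSH_RET, i, j };
                    break;
                }
            i += push_len - 1;
        } else if ((fs_len = is_fs30(buf + i, len - i)) != 0) {
            out[n++] = (struct finding){ F_PEB_READ, i, i };
            i += (size_t)fs_len - 1;
        } else if (op == 0x0F && i + 2 <= len && (buf[i + 1] == 0x31 || buf[i + 1] == 0xA2)) {
            out[n++] = (struct finding){ buf[i + 1] == 0x31 ? F_RDTSC : F_CPUID, i, i };
            i += 1;
        }
    }
    return n;
}

/* Constructed input, not bytes from RICHIESTA DI OFFERTA.exe: the instruction
 * shapes the report lists, with nop filler between some pairs. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,                               /*  0: nop; nop                            */
    0x68, 0x00, 0x00, 0x00, 0x00, 0x90, 0xCB, /*  2: push 0; nop; retf          -> (2,8) */
    0x55, 0x90, 0x90, 0xCF,                   /*  9: push ebp; nop; nop; iretd -> (9,12) */
    0x60, 0xCB,                               /* 13: pushad; retf             -> (13,14) */
    0x68, 0x02, 0x00, 0x00, 0x84, 0xCB,       /* 15: push 84000002h; retf     -> (15,20) */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,       /* 21: mov eax, dword ptr fs:[30h]         */
    0x0F, 0x31, 0x0F, 0xA2, 0x0F, 0x31,       /* 27: rdtsc; cpuid; rdtsc                 */
    0xC3,                                     /* 33: ret with no push in range: ignored  */
};

static struct finding g_findings[MAX_FINDINGS];

/* Scans SAMPLE into g_findings and returns the number of findings. */
static size_t scan_sample(void)
{
    return scan_code(SAMPLE, sizeof SAMPLE, ASSUMED_WINDOW, g_findings, MAX_FINDINGS);
}

static size_t count_kind(enum finding_kind k)
{
    size_t c = 0, n = scan_sample();
    for (size_t i = 0; i < n; i++) if (g_findings[i].kind == k) c++;
    return c;
}

int main(void)
{
    static const char *name[] = { "push/ret pair", "PEB read fs:[30h]", "rdtsc", "cpuid" };
    size_t n = scan_sample();
    for (size_t i = 0; i < n; i++) {
        const struct finding *f = &g_findings[i];
        if (f->kind == F_PUSH_RET)
            printf("%-18s at +%zu, ret-family opcode at +%zu\n", name[f->kind], f->offset, f->second);
        else
            printf("%-18s at +%zu\n", name[f->kind], f->offset);
    }
    return 0;
}
```

Note how the pairs in the report are not adjacent: the push at 0040C06E is matched with a retf at 0040C0B0, 0x42 bytes later, and 00406625 with 0040662F, so the sandbox evidently follows the disassembly rather than a fixed byte window. Widening ASSUMED_WINDOW in this scanner trades recall for false positives from ordinary `push ...; ret` epilogues, and a `push imm32` whose immediate happens to contain 0x64 or 0x0F would be misread by a sweep that did not skip operand bytes.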
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.2609521250.0000000000A00000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.2609521250.0000000000A00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.2609521250.0000000000A00000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004608C5 cpuid 0_2_004608C5
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos