Windows Analysis Report RICHIESTA DI OFFERTA.exe

Overview

General Information

Sample Name: RICHIESTA DI OFFERTA.exe
Analysis ID: 450724
MD5: 73bb5c4b690b8d6df88d6bc18fb3a553
SHA1: 60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256: a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.856112688.00000000029B0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}"}
Multi AV Scanner detection for submitted file
Source: RICHIESTA DI OFFERTA.exe Virustotal: Detection: 20%

Compliance:

Uses 32bit PE files
Source: RICHIESTA DI OFFERTA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Process Stats: CPU usage > 98%
Detected potential crypto function
PE file contains strange resources
Source: RICHIESTA DI OFFERTA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RICHIESTA DI OFFERTA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.855399216.0000000002210000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs RICHIESTA DI OFFERTA.exe
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.854982624.0000000000435000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIndtr8.exe vs RICHIESTA DI OFFERTA.exe
Source: RICHIESTA DI OFFERTA.exe Binary or memory string: OriginalFilenameIndtr8.exe vs RICHIESTA DI OFFERTA.exe
Uses 32bit PE files
Source: RICHIESTA DI OFFERTA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe File created: C:\Users\user\AppData\Local\Temp\~DF6D563A5036AAF145.TMP
Source: RICHIESTA DI OFFERTA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RICHIESTA DI OFFERTA.exe Virustotal: Detection: 20%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.856112688.00000000029B0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0040C06E push 00000000h; retf 0_2_0040C0B0
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00406625 push ebp; iretd 0_2_0040662F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_029B0095 pushad ; retf 0_2_029B0097
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_029B3429 push 84000002h; retf 0_2_029B342F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_029B010B pushad ; retf 0_2_029B010D
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe RDTSC instruction interceptor: First address: 00000000029BE352 second address: 00000000029BE352 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe RDTSC instruction interceptor: First address: 00000000029BE352 second address: 00000000029BE352 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_029B6692 rdtsc 0_2_029B6692
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe API coverage: 9.9 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_029B6692 rdtsc 0_2_029B6692
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_029B7AB1 mov eax, dword ptr fs:[00000030h] 0_2_029B7AB1
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_029BC5D9 mov eax, dword ptr fs:[00000030h] 0_2_029BC5D9
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_029BB1FE mov eax, dword ptr fs:[00000030h] 0_2_029BB1FE
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_029BA900 mov eax, dword ptr fs:[00000030h] 0_2_029BA900
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.855242988.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.855242988.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.855242988.0000000000D80000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.855242988.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_029B57A4 cpuid 0_2_029B57A4
No contacted IP infos