Loading ...

Play interactive tourEdit tour

Windows Analysis Report RICHIESTA DI OFFERTA.exe

Overview

General Information

Sample Name:RICHIESTA DI OFFERTA.exe
Analysis ID:450724
MD5:73bb5c4b690b8d6df88d6bc18fb3a553
SHA1:60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256:a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • RICHIESTA DI OFFERTA.exe (PID: 3448 cmdline: 'C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe' MD5: 73BB5C4B690B8D6DF88D6BC18FB3A553)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.856112688.00000000029B0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.856112688.00000000029B0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: RICHIESTA DI OFFERTA.exeVirustotal: Detection: 20%Perma Link
    Source: RICHIESTA DI OFFERTA.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004092BC0_2_004092BC
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B66920_2_029B6692
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BE2800_2_029BE280
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6AAB0_2_029B6AAB
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B62A30_2_029B62A3
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B66C70_2_029B66C7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6EC70_2_029B6EC7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B36FA0_2_029B36FA
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B12E80_2_029B12E8
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B16E30_2_029B16E3
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6E000_2_029B6E00
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B662B0_2_029B662B
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B1A430_2_029B1A43
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B12760_2_029B1276
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B16640_2_029B1664
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6F9B0_2_029B6F9B
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B17830_2_029B1783
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BAFD70_2_029BAFD7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B5FF10_2_029B5FF1
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B63F70_2_029B63F7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6BEB0_2_029B6BEB
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BC3290_2_029BC329
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BDB550_2_029BDB55
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B634E0_2_029B634E
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B67780_2_029B6778
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6B6B0_2_029B6B6B
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B709F0_2_029B709F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6C930_2_029B6C93
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B7CAB0_2_029B7CAB
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B18FB0_2_029B18FB
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B681F0_2_029B681F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B70220_2_029B7022
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B70250_2_029B7025
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BA4550_2_029BA455
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B684F0_2_029B684F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B55A60_2_029B55A6
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BC5D90_2_029BC5D9
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B69D80_2_029B69D8
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B61DC0_2_029B61DC
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B61380_2_029B6138
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B692D0_2_029B692D
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6D2C0_2_029B6D2C
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BAFD70_2_029BAFD7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B69550_2_029B6955
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B65540_2_029B6554
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B39710_2_029B3971
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B11750_2_029B1175
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BA9690_2_029BA969
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B156F0_2_029B156F
    Source: RICHIESTA DI OFFERTA.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: RICHIESTA DI OFFERTA.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.855399216.0000000002210000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs RICHIESTA DI OFFERTA.exe
    Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.854982624.0000000000435000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIndtr8.exe vs RICHIESTA DI OFFERTA.exe
    Source: RICHIESTA DI OFFERTA.exeBinary or memory string: OriginalFilenameIndtr8.exe vs RICHIESTA DI OFFERTA.exe
    Source: RICHIESTA DI OFFERTA.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal84.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeFile created: C:\Users\user\AppData\Local\Temp\~DF6D563A5036AAF145.TMPJump to behavior
    Source: RICHIESTA DI OFFERTA.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: RICHIESTA DI OFFERTA.exeVirustotal: Detection: 20%

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.856112688.00000000029B0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0040C06E push 00000000h; retf 0_2_0040C0B0
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00406625 push ebp; iretd 0_2_0040662F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B0095 pushad ; retf 0_2_029B0097
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B3429 push 84000002h; retf 0_2_029B342F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B010B pushad ; retf 0_2_029B010D
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6692 0_2_029B6692
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BE280 0_2_029BE280
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6AAB 0_2_029B6AAB
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B62A3 0_2_029B62A3
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B66C7 0_2_029B66C7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B36FA 0_2_029B36FA
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B12E8 0_2_029B12E8
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B16E3 0_2_029B16E3
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B662B 0_2_029B662B
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B1276 0_2_029B1276
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B1664 0_2_029B1664
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B1783 0_2_029B1783
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B5FF1 0_2_029B5FF1
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B63F7 0_2_029B63F7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B634E 0_2_029B634E
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6778 0_2_029B6778
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B18FB 0_2_029B18FB
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B681F 0_2_029B681F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BA455 0_2_029BA455
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B684F 0_2_029B684F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BC5D9 0_2_029BC5D9
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B69D8 0_2_029B69D8
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B61DC 0_2_029B61DC
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6138 0_2_029B6138
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B692D 0_2_029B692D
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6955 0_2_029B6955
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6554 0_2_029B6554
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B3971 0_2_029B3971
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B1175 0_2_029B1175
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BA969 0_2_029BA969
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B156F 0_2_029B156F
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeRDTSC instruction interceptor: First address: 00000000029BE352 second address: 00000000029BE352 instructions:
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeRDTSC instruction interceptor: First address: 00000000029BE352 second address: 00000000029BE352 instructions:
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6692 rdtsc 0_2_029B6692
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeAPI coverage: 9.9 %
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B6692 rdtsc 0_2_029B6692
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B7AB1 mov eax, dword ptr fs:[00000030h]0_2_029B7AB1
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BC5D9 mov eax, dword ptr fs:[00000030h]0_2_029BC5D9
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BB1FE mov eax, dword ptr fs:[00000030h]0_2_029BB1FE
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029BA900 mov eax, dword ptr fs:[00000030h]0_2_029BA900
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.855242988.0000000000D80000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.855242988.0000000000D80000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.855242988.0000000000D80000.00000002.00000001.sdmpBinary or memory string: &Program Manager
    Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.855242988.0000000000D80000.00000002.00000001.sdmpBinary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_029B57A4 cpuid 0_2_029B57A4

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery311Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.