Windows Analysis Report PREVENTIVO RICHIESTO (2).exe

Overview

General Information

Sample Name: PREVENTIVO RICHIESTO (2).exe
Analysis ID: 450786
MD5: 72d9c62e4483519df1303fe0c46d16aa
SHA1: 12093edc01bcf89eb7a9758d1392592fb273de35
SHA256: 42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895
Tags: exe

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: PREVENTIVO RICHIESTO (2).exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin"}
Multi AV Scanner detection for submitted file
Source: PREVENTIVO RICHIESTO (2).exe Virustotal: Detection: 30%
Source: PREVENTIVO RICHIESTO (2).exe ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: PREVENTIVO RICHIESTO (2).exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.761454521.000000000066A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 1_2_02B3845C NtAllocateVirtualMemory, 1_2_02B3845C
Detected potential crypto function
PE file contains strange resources
Source: PREVENTIVO RICHIESTO (2).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.760734160.0000000000435000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSome4.exe vs PREVENTIVO RICHIESTO (2).exe
Source: PREVENTIVO RICHIESTO (2).exe Binary or memory string: OriginalFilenameSome4.exe vs PREVENTIVO RICHIESTO (2).exe
Uses 32bit PE files
Source: PREVENTIVO RICHIESTO (2).exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal92.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe File created: C:\Users\user\AppData\Local\Temp\~DF54E67088F923551D.TMP
Source: PREVENTIVO RICHIESTO (2).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.766210847.0000000002B30000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: PREVENTIVO RICHIESTO (2).exe, type: SAMPLE
Source: Yara match File source: 1.0.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.760416679.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.234229828.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 1_2_00406632 push ebp; iretd 1_2_0040663C
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 1_2_02B352D0 pushfd ; iretd 1_2_02B352D9
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe RDTSC instruction interceptor: First address: 0000000002B3BF06 second address: 0000000002B3BF06 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe RDTSC instruction interceptor: First address: 0000000002B3B34C second address: 0000000002B3B3B1 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 cmp esi, A3B0EE80h
    0x00000009 mov edx, dword ptr [esp+04h]
    0x0000000d test ch, ch
    0x0000000f mov ecx, dword ptr [esp+08h]
    0x00000013 jmp 00007F0274A679B2h
    0x00000015 test ax, bx
    0x00000018 add edx, ecx
    0x0000001a neg ecx
    0x0000001c test dx, cx
    0x0000001f mov ebx, dword ptr [esp+0Ch]
    0x00000023 mov eax, dword ptr [esp+10h]
    0x00000027 cmp ecx, eax
    0x00000029 add eax, ebx
    0x0000002b mov esi, eax
    0x0000002d neg ebx
    0x0000002f pushad
    0x00000030 mov esi, 0000000Eh
    0x00000035 rdtsc
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe RDTSC instruction interceptor: First address: 0000000002B3BF06 second address: 0000000002B3BF06 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 1_2_02B30AA1 rdtsc 1_2_02B30AA1
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 1_2_02B30AA1 rdtsc 1_2_02B30AA1
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 1_2_02B35338 mov eax, dword ptr fs:[00000030h] 1_2_02B35338
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 1_2_02B3AB78 mov eax, dword ptr fs:[00000030h] 1_2_02B3AB78
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 1_2_02B37E00 mov eax, dword ptr fs:[00000030h] 1_2_02B37E00
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 1_2_02B3C71B mov eax, dword ptr fs:[00000030h] 1_2_02B3C71B
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 1_2_02B3B43A mov eax, dword ptr fs:[00000030h] 1_2_02B3B43A
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.762145071.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.762145071.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.762145071.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.762145071.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.762145071.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 1_2_02B31AF5 cpuid 1_2_02B31AF5
No contacted IP infos