Windows Analysis Report PREVENTIVO RICHIESTO (2).exe

Overview

General Information

Sample Name: PREVENTIVO RICHIESTO (2).exe
Analysis ID: 450786
MD5: 72d9c62e4483519df1303fe0c46d16aa
SHA1: 12093edc01bcf89eb7a9758d1392592fb273de35
SHA256: 42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895
Tags: exe

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: PREVENTIVO RICHIESTO (2).exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin"}
Multi AV Scanner detection for submitted file
Source: PREVENTIVO RICHIESTO (2).exe Virustotal: Detection: 30%
Source: PREVENTIVO RICHIESTO (2).exe ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: PREVENTIVO RICHIESTO (2).exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CDE51 0_2_022CDE51
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CDF39 0_2_022CDF39
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CDB35 0_2_022CDB35
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CDB08 0_2_022CDB08
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CCF4D 0_2_022CCF4D
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CDBE9 0_2_022CDBE9
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CDC19 0_2_022CDC19
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CDC59 0_2_022CDC59
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CDD55 0_2_022CDD55
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CDDB7 0_2_022CDDB7
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CDDD5 0_2_022CDDD5
PE file contains strange resources
Source: PREVENTIVO RICHIESTO (2).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PREVENTIVO RICHIESTO (2).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PREVENTIVO RICHIESTO (2).exe, 00000000.00000000.208248451.0000000000435000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSome4.exe vs PREVENTIVO RICHIESTO (2).exe
Source: PREVENTIVO RICHIESTO (2).exe Binary or memory string: OriginalFilenameSome4.exe vs PREVENTIVO RICHIESTO (2).exe
Uses 32bit PE files
Source: PREVENTIVO RICHIESTO (2).exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe File created: C:\Users\user\AppData\Local\Temp\~DF7595A64BA3F3C87B.TMP
Source: PREVENTIVO RICHIESTO (2).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PREVENTIVO RICHIESTO (2).exe Virustotal: Detection: 30%
Source: PREVENTIVO RICHIESTO (2).exe ReversingLabs: Detection: 13%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: PREVENTIVO RICHIESTO (2).exe, type: SAMPLE
Source: Yara match File source: 0.0.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1236460953.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.208215258.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_00406632 push ebp; iretd 0_2_0040663C
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe RDTSC instruction interceptor: First address: 00000000022CBF06 second address: 00000000022CBF06 instructions:
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe RDTSC instruction interceptor: First address: 00000000022CB646 second address: 00000000022CBA31 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test ebx, eax 0x0000000c call 00007F394C8F551Dh 0x00000011 test ax, ax 0x00000014 test dh, 00000034h 0x00000017 xor edi, edi 0x00000019 pushad 0x0000001a mov bx, 94B2h 0x0000001e cmp bx, 94B2h 0x00000023 jne 00007F394C8F4448h 0x00000029 popad 0x0000002a test ch, ch 0x0000002c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000036 test ch, FFFFFFCAh 0x00000039 call 00007F394C8F5292h 0x0000003e call 00007F394C8F5265h 0x00000043 lfence 0x00000046 mov edx, C4D7E93Dh 0x0000004b xor edx, F24722A8h 0x00000051 xor edx, 65E80731h 0x00000057 xor edx, 2C86CCB0h 0x0000005d mov edx, dword ptr [edx] 0x0000005f lfence 0x00000062 jmp 00007F394C8F522Eh 0x00000064 cmp eax, BD9A57B8h 0x00000069 cmp cl, cl 0x0000006b cmp ch, ah 0x0000006d cmp ebx, ebx 0x0000006f test al, 1Ah 0x00000071 ret 0x00000072 mov esi, edx 0x00000074 pushad 0x00000075 rdtsc
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe RDTSC instruction interceptor: First address: 00000000022CB34C second address: 00000000022CB3B1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp esi, A3B0EE80h 0x00000009 mov edx, dword ptr [esp+04h] 0x0000000d test ch, ch 0x0000000f mov ecx, dword ptr [esp+08h] 0x00000013 jmp 00007F394C398152h 0x00000015 test ax, bx 0x00000018 add edx, ecx 0x0000001a neg ecx 0x0000001c test dx, cx 0x0000001f mov ebx, dword ptr [esp+0Ch] 0x00000023 mov eax, dword ptr [esp+10h] 0x00000027 cmp ecx, eax 0x00000029 add eax, ebx 0x0000002b mov esi, eax 0x0000002d neg ebx 0x0000002f pushad 0x00000030 mov esi, 0000000Eh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe RDTSC instruction interceptor: First address: 00000000022CBF06 second address: 00000000022CBF06 instructions:
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe RDTSC instruction interceptor: First address: 00000000022CB646 second address: 00000000022CBA31 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test ebx, eax 0x0000000c call 00007F394C8F551Dh 0x00000011 test ax, ax 0x00000014 test dh, 00000034h 0x00000017 xor edi, edi 0x00000019 pushad 0x0000001a mov bx, 94B2h 0x0000001e cmp bx, 94B2h 0x00000023 jne 00007F394C8F4448h 0x00000029 popad 0x0000002a test ch, ch 0x0000002c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000036 test ch, FFFFFFCAh 0x00000039 call 00007F394C8F5292h 0x0000003e call 00007F394C8F5265h 0x00000043 lfence 0x00000046 mov edx, C4D7E93Dh 0x0000004b xor edx, F24722A8h 0x00000051 xor edx, 65E80731h 0x00000057 xor edx, 2C86CCB0h 0x0000005d mov edx, dword ptr [edx] 0x0000005f lfence 0x00000062 jmp 00007F394C8F522Eh 0x00000064 cmp eax, BD9A57B8h 0x00000069 cmp cl, cl 0x0000006b cmp ch, ah 0x0000006d cmp ebx, ebx 0x0000006f test al, 1Ah 0x00000071 ret 0x00000072 mov esi, edx 0x00000074 pushad 0x00000075 rdtsc
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe RDTSC instruction interceptor: First address: 00000000022CBB41 second address: 00000000022CB487 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 6D96B120h 0x00000013 add eax, 9E133F54h 0x00000018 xor eax, F9EAE90Fh 0x0000001d xor eax, F243197Ah 0x00000022 cpuid 0x00000024 test al, D2h 0x00000026 bt ecx, 1Fh 0x0000002a cmp ch, dh 0x0000002c jc 00007F394CDEDCA8h 0x00000032 cmp edx, eax 0x00000034 cmp al, cl 0x00000036 push D375BB0Ch 0x0000003b pushad 0x0000003c mov di, 6000h 0x00000040 cmp di, 6000h 0x00000045 jne 00007F394CDE1A53h 0x0000004b popad 0x0000004c call 00007F394CDEC40Ch 0x00000051 mov eax, dword ptr fs:[00000030h] 0x00000057 mov eax, dword ptr [eax+0Ch] 0x0000005a cmp bh, ah 0x0000005c mov eax, dword ptr [eax+14h] 0x0000005f test cx, dx 0x00000062 mov ecx, dword ptr [eax] 0x00000064 mov eax, ecx 0x00000066 jmp 00007F394CDED2DBh 0x00000068 mov ebx, dword ptr [eax+28h] 0x0000006b mov dword ptr [ebp+000001F5h], edi 0x00000071 mov edi, E1E7AEC2h 0x00000076 cmp dl, 0000004Dh 0x00000079 xor edi, 75204E2Fh 0x0000007f pushad 0x00000080 mov edx, 0000008Ch 0x00000085 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CE707 rdtsc 0_2_022CE707
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CE707 rdtsc 0_2_022CE707
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe Code function: 0_2_022CCF4D cpuid 0_2_022CCF4D
No contacted IP infos