Loading ...

Play interactive tourEdit tour

Windows Analysis Report PREVENTIVO RICHIESTO (2).exe

Overview

General Information

Sample Name:PREVENTIVO RICHIESTO (2).exe
Analysis ID:450786
MD5:72d9c62e4483519df1303fe0c46d16aa
SHA1:12093edc01bcf89eb7a9758d1392592fb273de35
SHA256:42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • PREVENTIVO RICHIESTO (2).exe (PID: 5716 cmdline: 'C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe' MD5: 72D9C62E4483519DF1303FE0C46D16AA)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
PREVENTIVO RICHIESTO (2).exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.1236460953.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
      00000000.00000000.208215258.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.0.PREVENTIVO RICHIESTO (2).exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
          0.2.PREVENTIVO RICHIESTO (2).exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: PREVENTIVO RICHIESTO (2).exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin"}
            Multi AV Scanner detection for submitted fileShow sources
            Source: PREVENTIVO RICHIESTO (2).exeVirustotal: Detection: 30%Perma Link
            Source: PREVENTIVO RICHIESTO (2).exeReversingLabs: Detection: 13%
            Source: PREVENTIVO RICHIESTO (2).exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeProcess Stats: CPU usage > 98%
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDE51
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDF39
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDB35
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDB08
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CCF4D
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDBE9
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDC19
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDC59
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDD55
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDDB7
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDDD5
            Source: PREVENTIVO RICHIESTO (2).exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: PREVENTIVO RICHIESTO (2).exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: PREVENTIVO RICHIESTO (2).exe, 00000000.00000000.208248451.0000000000435000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSome4.exe vs PREVENTIVO RICHIESTO (2).exe
            Source: PREVENTIVO RICHIESTO (2).exeBinary or memory string: OriginalFilenameSome4.exe vs PREVENTIVO RICHIESTO (2).exe
            Source: PREVENTIVO RICHIESTO (2).exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: classification engineClassification label: mal80.troj.evad.winEXE@1/0@0/0
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeFile created: C:\Users\user\AppData\Local\Temp\~DF7595A64BA3F3C87B.TMPJump to behavior
            Source: PREVENTIVO RICHIESTO (2).exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: PREVENTIVO RICHIESTO (2).exeVirustotal: Detection: 30%
            Source: PREVENTIVO RICHIESTO (2).exeReversingLabs: Detection: 13%

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: PREVENTIVO RICHIESTO (2).exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.1236460953.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000000.208215258.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_00406632 push ebp; iretd
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            barindex
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeRDTSC instruction interceptor: First address: 00000000022CBF06 second address: 00000000022CBF06 instructions:
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeRDTSC instruction interceptor: First address: 00000000022CB646 second address: 00000000022CBA31 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test ebx, eax 0x0000000c call 00007F394C8F551Dh 0x00000011 test ax, ax 0x00000014 test dh, 00000034h 0x00000017 xor edi, edi 0x00000019 pushad 0x0000001a mov bx, 94B2h 0x0000001e cmp bx, 94B2h 0x00000023 jne 00007F394C8F4448h 0x00000029 popad 0x0000002a test ch, ch 0x0000002c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000036 test ch, FFFFFFCAh 0x00000039 call 00007F394C8F5292h 0x0000003e call 00007F394C8F5265h 0x00000043 lfence 0x00000046 mov edx, C4D7E93Dh 0x0000004b xor edx, F24722A8h 0x00000051 xor edx, 65E80731h 0x00000057 xor edx, 2C86CCB0h 0x0000005d mov edx, dword ptr [edx] 0x0000005f lfence 0x00000062 jmp 00007F394C8F522Eh 0x00000064 cmp eax, BD9A57B8h 0x00000069 cmp cl, cl 0x0000006b cmp ch, ah 0x0000006d cmp ebx, ebx 0x0000006f test al, 1Ah 0x00000071 ret 0x00000072 mov esi, edx 0x00000074 pushad 0x00000075 rdtsc
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeRDTSC instruction interceptor: First address: 00000000022CB34C second address: 00000000022CB3B1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp esi, A3B0EE80h 0x00000009 mov edx, dword ptr [esp+04h] 0x0000000d test ch, ch 0x0000000f mov ecx, dword ptr [esp+08h] 0x00000013 jmp 00007F394C398152h 0x00000015 test ax, bx 0x00000018 add edx, ecx 0x0000001a neg ecx 0x0000001c test dx, cx 0x0000001f mov ebx, dword ptr [esp+0Ch] 0x00000023 mov eax, dword ptr [esp+10h] 0x00000027 cmp ecx, eax 0x00000029 add eax, ebx 0x0000002b mov esi, eax 0x0000002d neg ebx 0x0000002f pushad 0x00000030 mov esi, 0000000Eh 0x00000035 rdtsc
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeRDTSC instruction interceptor: First address: 00000000022CBF06 second address: 00000000022CBF06 instructions:
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeRDTSC instruction interceptor: First address: 00000000022CB646 second address: 00000000022CBA31 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test ebx, eax 0x0000000c call 00007F394C8F551Dh 0x00000011 test ax, ax 0x00000014 test dh, 00000034h 0x00000017 xor edi, edi 0x00000019 pushad 0x0000001a mov bx, 94B2h 0x0000001e cmp bx, 94B2h 0x00000023 jne 00007F394C8F4448h 0x00000029 popad 0x0000002a test ch, ch 0x0000002c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000036 test ch, FFFFFFCAh 0x00000039 call 00007F394C8F5292h 0x0000003e call 00007F394C8F5265h 0x00000043 lfence 0x00000046 mov edx, C4D7E93Dh 0x0000004b xor edx, F24722A8h 0x00000051 xor edx, 65E80731h 0x00000057 xor edx, 2C86CCB0h 0x0000005d mov edx, dword ptr [edx] 0x0000005f lfence 0x00000062 jmp 00007F394C8F522Eh 0x00000064 cmp eax, BD9A57B8h 0x00000069 cmp cl, cl 0x0000006b cmp ch, ah 0x0000006d cmp ebx, ebx 0x0000006f test al, 1Ah 0x00000071 ret 0x00000072 mov esi, edx 0x00000074 pushad 0x00000075 rdtsc
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeRDTSC instruction interceptor: First address: 00000000022CBB41 second address: 00000000022CB487 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 6D96B120h 0x00000013 add eax, 9E133F54h 0x00000018 xor eax, F9EAE90Fh 0x0000001d xor eax, F243197Ah 0x00000022 cpuid 0x00000024 test al, D2h 0x00000026 bt ecx, 1Fh 0x0000002a cmp ch, dh 0x0000002c jc 00007F394CDEDCA8h 0x00000032 cmp edx, eax 0x00000034 cmp al, cl 0x00000036 push D375BB0Ch 0x0000003b pushad 0x0000003c mov di, 6000h 0x00000040 cmp di, 6000h 0x00000045 jne 00007F394CDE1A53h 0x0000004b popad 0x0000004c call 00007F394CDEC40Ch 0x00000051 mov eax, dword ptr fs:[00000030h] 0x00000057 mov eax, dword ptr [eax+0Ch] 0x0000005a cmp bh, ah 0x0000005c mov eax, dword ptr [eax+14h] 0x0000005f test cx, dx 0x00000062 mov ecx, dword ptr [eax] 0x00000064 mov eax, ecx 0x00000066 jmp 00007F394CDED2DBh 0x00000068 mov ebx, dword ptr [eax+28h] 0x0000006b mov dword ptr [ebp+000001F5h], edi 0x00000071 mov edi, E1E7AEC2h 0x00000076 cmp dl, 0000004Dh 0x00000079 xor edi, 75204E2Fh 0x0000007f pushad 0x00000080 mov edx, 0000008Ch 0x00000085 rdtsc
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CE707 rdtsc
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

            Anti Debugging:

            barindex
            Found potential dummy code loops (likely to delay analysis)Show sources
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeProcess Stats: CPU usage > 90% for more than 60s
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CE707 rdtsc
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CCF4D cpuid

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionVirtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery31Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsObfuscated Files or Information1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerSystem Information Discovery211SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.