Windows Analysis Report VZghv7yI7g

Overview

General Information

Sample Name: VZghv7yI7g (renamed file extension from none to exe)
Analysis ID: 450819
MD5: 73bb5c4b690b8d6df88d6bc18fb3a553
SHA1: 60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256: a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}"}
Multi AV Scanner detection for submitted file
Source: VZghv7yI7g.exe Virustotal: Detection: 29%
Source: VZghv7yI7g.exe ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: VZghv7yI7g.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Process Stats: CPU usage > 98%
Detected potential crypto function
PE file contains strange resources
Source: VZghv7yI7g.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VZghv7yI7g.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: VZghv7yI7g.exe, 00000000.00000002.756145297.00000000021F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs VZghv7yI7g.exe
Source: VZghv7yI7g.exe, 00000000.00000000.226808596.0000000000435000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIndtr8.exe vs VZghv7yI7g.exe
Source: VZghv7yI7g.exe Binary or memory string: OriginalFilenameIndtr8.exe vs VZghv7yI7g.exe
Uses 32bit PE files
Source: VZghv7yI7g.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\VZghv7yI7g.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF815418FFB8C45D82.TMP
Source: VZghv7yI7g.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VZghv7yI7g.exe Virustotal: Detection: 29%
Source: VZghv7yI7g.exe ReversingLabs: Detection: 13%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_0040C06E push 00000000h; retf 0_2_0040C0B0
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_00406625 push ebp; iretd 0_2_0040662F
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02253429 push 84000002h; retf 0_2_0225342F
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02250095 pushad ; retf 0_2_02250097
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_0225010B pushad ; retf 0_2_0225010D
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\VZghv7yI7g.exe RDTSC instruction interceptor: First address: 000000000225E352 second address: 000000000225E352 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\VZghv7yI7g.exe RDTSC instruction interceptor: First address: 000000000225E352 second address: 000000000225E352 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02255623 rdtsc 0_2_02255623
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\VZghv7yI7g.exe API coverage: 9.9 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02255623 rdtsc 0_2_02255623
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02257AB1 mov eax, dword ptr fs:[00000030h] 0_2_02257AB1
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_0225A900 mov eax, dword ptr fs:[00000030h] 0_2_0225A900
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_0225B1FE mov eax, dword ptr fs:[00000030h] 0_2_0225B1FE
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_0225C5D9 mov eax, dword ptr fs:[00000030h] 0_2_0225C5D9
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: VZghv7yI7g.exe, 00000000.00000002.755749327.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: VZghv7yI7g.exe, 00000000.00000002.755749327.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: VZghv7yI7g.exe, 00000000.00000002.755749327.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: VZghv7yI7g.exe, 00000000.00000002.755749327.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_022557A4 cpuid 0_2_022557A4
No contacted IP infos