Loading ...

Play interactive tourEdit tour

Windows Analysis Report VZghv7yI7g

Overview

General Information

Sample Name:VZghv7yI7g (renamed file extension from none to exe)
Analysis ID:450819
MD5:73bb5c4b690b8d6df88d6bc18fb3a553
SHA1:60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256:a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • VZghv7yI7g.exe (PID: 2256 cmdline: 'C:\Users\user\Desktop\VZghv7yI7g.exe' MD5: 73BB5C4B690B8D6DF88D6BC18FB3A553)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: VZghv7yI7g.exeVirustotal: Detection: 29%Perma Link
    Source: VZghv7yI7g.exeReversingLabs: Detection: 13%
    Source: VZghv7yI7g.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_004092BC0_2_004092BC
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225662B0_2_0225662B
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256E000_2_02256E00
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022516640_2_02251664
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022512760_2_02251276
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02251A430_2_02251A43
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022562A30_2_022562A3
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256AAB0_2_02256AAB
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225E2800_2_0225E280
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022566920_2_02256692
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022516E30_2_022516E3
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022512E80_2_022512E8
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022536FA0_2_022536FA
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022566C70_2_022566C7
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256EC70_2_02256EC7
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225C3290_2_0225C329
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256B6B0_2_02256B6B
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022567780_2_02256778
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225634E0_2_0225634E
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225DB550_2_0225DB55
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022517830_2_02251783
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256F9B0_2_02256F9B
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256BEB0_2_02256BEB
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022563F70_2_022563F7
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02255FF10_2_02255FF1
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225AFD70_2_0225AFD7
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022570250_2_02257025
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022570220_2_02257022
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225681F0_2_0225681F
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225684F0_2_0225684F
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225A4550_2_0225A455
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02257CAB0_2_02257CAB
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256C930_2_02256C93
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225709F0_2_0225709F
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022518FB0_2_022518FB
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225AFD70_2_0225AFD7
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225692D0_2_0225692D
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256D2C0_2_02256D2C
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022561380_2_02256138
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225156F0_2_0225156F
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225A9690_2_0225A969
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022511750_2_02251175
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022539710_2_02253971
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022569550_2_02256955
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022565540_2_02256554
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022555A60_2_022555A6
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022561DC0_2_022561DC
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225C5D90_2_0225C5D9
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022569D80_2_022569D8
    Source: VZghv7yI7g.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: VZghv7yI7g.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: VZghv7yI7g.exe, 00000000.00000002.756145297.00000000021F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs VZghv7yI7g.exe
    Source: VZghv7yI7g.exe, 00000000.00000000.226808596.0000000000435000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIndtr8.exe vs VZghv7yI7g.exe
    Source: VZghv7yI7g.exeBinary or memory string: OriginalFilenameIndtr8.exe vs VZghv7yI7g.exe
    Source: VZghv7yI7g.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal84.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeFile created: C:\Users\user~1\AppData\Local\Temp\~DF815418FFB8C45D82.TMPJump to behavior
    Source: VZghv7yI7g.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: VZghv7yI7g.exeVirustotal: Detection: 29%
    Source: VZghv7yI7g.exeReversingLabs: Detection: 13%

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0040C06E push 00000000h; retf 0_2_0040C0B0
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_00406625 push ebp; iretd 0_2_0040662F
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02253429 push 84000002h; retf 0_2_0225342F
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02250095 pushad ; retf 0_2_02250097
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225010B pushad ; retf 0_2_0225010D
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225662B 0_2_0225662B
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02251664 0_2_02251664
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02251276 0_2_02251276
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022562A3 0_2_022562A3
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256AAB 0_2_02256AAB
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225E280 0_2_0225E280
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256692 0_2_02256692
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022516E3 0_2_022516E3
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022512E8 0_2_022512E8
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022536FA 0_2_022536FA
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022566C7 0_2_022566C7
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256778 0_2_02256778
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225634E 0_2_0225634E
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02251783 0_2_02251783
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022563F7 0_2_022563F7
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02255FF1 0_2_02255FF1
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225681F 0_2_0225681F
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225684F 0_2_0225684F
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225A455 0_2_0225A455
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022518FB 0_2_022518FB
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225692D 0_2_0225692D
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256138 0_2_02256138
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225156F 0_2_0225156F
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225A969 0_2_0225A969
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02251175 0_2_02251175
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02253971 0_2_02253971
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256955 0_2_02256955
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02256554 0_2_02256554
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022561DC 0_2_022561DC
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225C5D9 0_2_0225C5D9
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022569D8 0_2_022569D8
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeRDTSC instruction interceptor: First address: 000000000225E352 second address: 000000000225E352 instructions:
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeRDTSC instruction interceptor: First address: 000000000225E352 second address: 000000000225E352 instructions:
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02255623 rdtsc 0_2_02255623
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeAPI coverage: 9.9 %
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02255623 rdtsc 0_2_02255623
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_02257AB1 mov eax, dword ptr fs:[00000030h]0_2_02257AB1
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225A900 mov eax, dword ptr fs:[00000030h]0_2_0225A900
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225B1FE mov eax, dword ptr fs:[00000030h]0_2_0225B1FE
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_0225C5D9 mov eax, dword ptr fs:[00000030h]0_2_0225C5D9
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: VZghv7yI7g.exe, 00000000.00000002.755749327.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
    Source: VZghv7yI7g.exe, 00000000.00000002.755749327.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: VZghv7yI7g.exe, 00000000.00000002.755749327.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: VZghv7yI7g.exe, 00000000.00000002.755749327.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\VZghv7yI7g.exeCode function: 0_2_022557A4 cpuid 0_2_022557A4

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery311Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.