Windows Analysis Report nZdwtTEYoW.exe

Overview

General Information

Sample Name: nZdwtTEYoW.exe
Analysis ID: 451394
MD5: c8feb9d53b567cd1bfb0e59cf7d26bc2
SHA1: 82a22cb59d46bae21fa4877015e163eacc04a022
SHA256: 642a0df15a9b8e3124d638e755f0bdbacd0d1c3ff01b59b36213a190a5e5645a
Tags: exeGuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1OPtVT-x7\"[OfT"}
Multi AV Scanner detection for submitted file
Source: nZdwtTEYoW.exe Virustotal: Detection: 25% Perma Link
Source: nZdwtTEYoW.exe ReversingLabs: Detection: 13%
Machine Learning detection for sample
Source: nZdwtTEYoW.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: nZdwtTEYoW.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1OPtVT-x7"[OfT

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: nZdwtTEYoW.exe, 00000000.00000002.761919156.000000000064A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_022155D9 NtAllocateVirtualMemory, 0_2_022155D9
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_022157A7 NtAllocateVirtualMemory, 0_2_022157A7
Detected potential crypto function
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_00401128 0_2_00401128
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_022155D9 0_2_022155D9
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02214233 0_2_02214233
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02211262 0_2_02211262
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_022122A3 0_2_022122A3
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_022182CB 0_2_022182CB
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221330A 0_2_0221330A
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02213063 0_2_02213063
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_022120EB 0_2_022120EB
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02217923 0_2_02217923
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02212114 0_2_02212114
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02213917 0_2_02213917
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02218167 0_2_02218167
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02210974 0_2_02210974
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_022109EF 0_2_022109EF
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_022126CF 0_2_022126CF
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02216F7F 0_2_02216F7F
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221379D 0_2_0221379D
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02210F9F 0_2_02210F9F
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02210FFE 0_2_02210FFE
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_022137D8 0_2_022137D8
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02210CA7 0_2_02210CA7
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_022154BA 0_2_022154BA
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02211CBD 0_2_02211CBD
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_022134EA 0_2_022134EA
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02212531 0_2_02212531
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02218501 0_2_02218501
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221854C 0_2_0221854C
PE file contains strange resources
Source: nZdwtTEYoW.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nZdwtTEYoW.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: nZdwtTEYoW.exe, 00000000.00000000.234126028.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCALICOES.exe vs nZdwtTEYoW.exe
Source: nZdwtTEYoW.exe, 00000000.00000002.762332668.00000000021E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs nZdwtTEYoW.exe
Source: nZdwtTEYoW.exe Binary or memory string: OriginalFilenameCALICOES.exe vs nZdwtTEYoW.exe
Uses 32bit PE files
Source: nZdwtTEYoW.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe File created: C:\Users\user\AppData\Local\Temp\~DFCCD223C299E0DF5D.TMP Jump to behavior
Source: nZdwtTEYoW.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: nZdwtTEYoW.exe Virustotal: Detection: 25%
Source: nZdwtTEYoW.exe ReversingLabs: Detection: 13%

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_00401128 push esi; retn 4D4Dh 0_2_0040263F
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_00404916 push 00000014h; ret 0_2_00404938
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02216A23 push ebx; iretd 0_2_02216A2E
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02218223 push ebx; iretd 0_2_0221822E
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02214227 push ebx; iretd 0_2_02214232
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221222B push ebx; iretd 0_2_02212236
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02216A2F push ebx; iretd 0_2_02216A3A
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221822F push ebx; iretd 0_2_0221823A
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02212237 push ebx; iretd 0_2_02212242
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02216A3B push ebx; iretd 0_2_02216A46
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221823B push ebx; iretd 0_2_02218246
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02214203 push ebx; iretd 0_2_0221420E
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02212207 push ebx; iretd 0_2_02212212
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02216A0B push ebx; iretd 0_2_02216A16
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221820B push ebx; iretd 0_2_02218216
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221420F push ebx; iretd 0_2_0221421A
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02212213 push ebx; iretd 0_2_0221221E
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02216A17 push ebx; iretd 0_2_02216A22
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02218217 push ebx; iretd 0_2_02218222
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221421B push ebx; iretd 0_2_02214226
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221221F push ebx; iretd 0_2_0221222A
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02212267 push ebx; iretd 0_2_02212272
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02218A67 push ebx; iretd 0_2_02218A72
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02216A6B push ebx; iretd 0_2_02216A76
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221826B push ebx; iretd 0_2_02218276
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02212A6F push ebx; iretd 0_2_02212A7A
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02212273 push ebx; iretd 0_2_0221227E
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02218A73 push ebx; iretd 0_2_02218A7E
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02216A77 push ebx; iretd 0_2_02216A82
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02218277 push ebx; iretd 0_2_02218282
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02212A7B push ebx; iretd 0_2_02212A86
Source: initial sample Static PE information: section name: .text entropy: 6.90665747983
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02213917 0_2_02213917
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02218167 0_2_02218167
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02216F7F 0_2_02216F7F
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221379D 0_2_0221379D
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_022137D8 0_2_022137D8
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe RDTSC instruction interceptor: First address: 000000000221928F second address: 000000000221928F instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe RDTSC instruction interceptor: First address: 0000000002219277 second address: 000000000221928F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor ecx, AF55D2FDh 0x00000009 mov dword ptr [edi+ecx], eax 0x0000000c mov ecx, C83BC8F2h 0x00000011 xor ecx, 51282A31h 0x00000017 pushad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe RDTSC instruction interceptor: First address: 000000000221928F second address: 000000000221928F instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02215223 rdtsc 0_2_02215223
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02215223 rdtsc 0_2_02215223
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_0221732C mov eax, dword ptr fs:[00000030h] 0_2_0221732C
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02213063 mov eax, dword ptr fs:[00000030h] 0_2_02213063
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02218167 mov eax, dword ptr fs:[00000030h] 0_2_02218167
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02214E17 mov eax, dword ptr fs:[00000030h] 0_2_02214E17
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02217730 mov eax, dword ptr fs:[00000030h] 0_2_02217730
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe Code function: 0_2_02212531 mov eax, dword ptr fs:[00000030h] 0_2_02212531
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock