Loading ...

Play interactive tourEdit tour

Windows Analysis Report nZdwtTEYoW.exe

Overview

General Information

Sample Name:nZdwtTEYoW.exe
Analysis ID:451394
MD5:c8feb9d53b567cd1bfb0e59cf7d26bc2
SHA1:82a22cb59d46bae21fa4877015e163eacc04a022
SHA256:642a0df15a9b8e3124d638e755f0bdbacd0d1c3ff01b59b36213a190a5e5645a
Tags:exeGuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • nZdwtTEYoW.exe (PID: 4536 cmdline: 'C:\Users\user\Desktop\nZdwtTEYoW.exe' MD5: C8FEB9D53B567CD1BFB0E59CF7D26BC2)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1OPtVT-x7\"[OfT"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1OPtVT-x7\"[OfT"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: nZdwtTEYoW.exeVirustotal: Detection: 25%Perma Link
    Source: nZdwtTEYoW.exeReversingLabs: Detection: 13%
    Machine Learning detection for sampleShow sources
    Source: nZdwtTEYoW.exeJoe Sandbox ML: detected
    Source: nZdwtTEYoW.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1OPtVT-x7"[OfT
    Source: nZdwtTEYoW.exe, 00000000.00000002.761919156.000000000064A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022155D9 NtAllocateVirtualMemory,0_2_022155D9
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022157A7 NtAllocateVirtualMemory,0_2_022157A7
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_004011280_2_00401128
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022155D90_2_022155D9
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022142330_2_02214233
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022112620_2_02211262
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022122A30_2_022122A3
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022182CB0_2_022182CB
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221330A0_2_0221330A
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022130630_2_02213063
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022120EB0_2_022120EB
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022179230_2_02217923
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022121140_2_02212114
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022139170_2_02213917
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022181670_2_02218167
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022109740_2_02210974
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022109EF0_2_022109EF
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022126CF0_2_022126CF
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216F7F0_2_02216F7F
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221379D0_2_0221379D
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02210F9F0_2_02210F9F
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02210FFE0_2_02210FFE
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022137D80_2_022137D8
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02210CA70_2_02210CA7
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022154BA0_2_022154BA
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02211CBD0_2_02211CBD
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022134EA0_2_022134EA
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022125310_2_02212531
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022185010_2_02218501
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221854C0_2_0221854C
    Source: nZdwtTEYoW.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: nZdwtTEYoW.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: nZdwtTEYoW.exe, 00000000.00000000.234126028.0000000000417000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCALICOES.exe vs nZdwtTEYoW.exe
    Source: nZdwtTEYoW.exe, 00000000.00000002.762332668.00000000021E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs nZdwtTEYoW.exe
    Source: nZdwtTEYoW.exeBinary or memory string: OriginalFilenameCALICOES.exe vs nZdwtTEYoW.exe
    Source: nZdwtTEYoW.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal88.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeFile created: C:\Users\user\AppData\Local\Temp\~DFCCD223C299E0DF5D.TMPJump to behavior
    Source: nZdwtTEYoW.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: nZdwtTEYoW.exeVirustotal: Detection: 25%
    Source: nZdwtTEYoW.exeReversingLabs: Detection: 13%

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_00401128 push esi; retn 4D4Dh0_2_0040263F
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_00404916 push 00000014h; ret 0_2_00404938
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A23 push ebx; iretd 0_2_02216A2E
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218223 push ebx; iretd 0_2_0221822E
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02214227 push ebx; iretd 0_2_02214232
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221222B push ebx; iretd 0_2_02212236
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A2F push ebx; iretd 0_2_02216A3A
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221822F push ebx; iretd 0_2_0221823A
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212237 push ebx; iretd 0_2_02212242
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A3B push ebx; iretd 0_2_02216A46
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221823B push ebx; iretd 0_2_02218246
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02214203 push ebx; iretd 0_2_0221420E
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212207 push ebx; iretd 0_2_02212212
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A0B push ebx; iretd 0_2_02216A16
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221820B push ebx; iretd 0_2_02218216
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221420F push ebx; iretd 0_2_0221421A
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212213 push ebx; iretd 0_2_0221221E
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A17 push ebx; iretd 0_2_02216A22
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218217 push ebx; iretd 0_2_02218222
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221421B push ebx; iretd 0_2_02214226
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221221F push ebx; iretd 0_2_0221222A
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212267 push ebx; iretd 0_2_02212272
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218A67 push ebx; iretd 0_2_02218A72
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A6B push ebx; iretd 0_2_02216A76
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221826B push ebx; iretd 0_2_02218276
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212A6F push ebx; iretd 0_2_02212A7A
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212273 push ebx; iretd 0_2_0221227E
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218A73 push ebx; iretd 0_2_02218A7E
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A77 push ebx; iretd 0_2_02216A82
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218277 push ebx; iretd 0_2_02218282
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212A7B push ebx; iretd 0_2_02212A86
    Source: initial sampleStatic PE information: section name: .text entropy: 6.90665747983
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02213917 0_2_02213917
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218167 0_2_02218167
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216F7F 0_2_02216F7F
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221379D 0_2_0221379D
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022137D8 0_2_022137D8
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeRDTSC instruction interceptor: First address: 000000000221928F second address: 000000000221928F instructions:
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeRDTSC instruction interceptor: First address: 0000000002219277 second address: 000000000221928F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor ecx, AF55D2FDh 0x00000009 mov dword ptr [edi+ecx], eax 0x0000000c mov ecx, C83BC8F2h 0x00000011 xor ecx, 51282A31h 0x00000017 pushad 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeRDTSC instruction interceptor: First address: 000000000221928F second address: 000000000221928F instructions:
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02215223 rdtsc 0_2_02215223
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02215223 rdtsc 0_2_02215223
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221732C mov eax, dword ptr fs:[00000030h]0_2_0221732C
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02213063 mov eax, dword ptr fs:[00000030h]0_2_02213063
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218167 mov eax, dword ptr fs:[00000030h]0_2_02218167
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02214E17 mov eax, dword ptr fs:[00000030h]0_2_02214E17
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02217730 mov eax, dword ptr fs:[00000030h]0_2_02217730
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212531 mov eax, dword ptr fs:[00000030h]0_2_02212531
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
    Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
    Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11Input Capture1Security Software Discovery41Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsSoftware Packing1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSSystem Information Discovery31Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.