Loading ...

Play interactive tourEdit tour

Windows Analysis Report MWSW9nxmUK.exe

Overview

General Information

Sample Name:MWSW9nxmUK.exe
Analysis ID:452531
MD5:c937fc9ed4325e6ab24d49a3175f3a5c
SHA1:00439295920e78ecac31d1dbf7eb67118d76299a
SHA256:d54cafc1ca36d0ddd134f53d033ebbaaa490721d62d4168106a9b6c7cfa200ba
Tags:32exetrojan
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • MWSW9nxmUK.exe (PID: 1844 cmdline: 'C:\Users\user\Desktop\MWSW9nxmUK.exe' MD5: C937FC9ED4325E6AB24D49A3175F3A5C)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1292263867.0000000002F70000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.1292263867.0000000002F70000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: MWSW9nxmUK.exeVirustotal: Detection: 44%Perma Link
    Source: MWSW9nxmUK.exeReversingLabs: Detection: 42%
    Source: MWSW9nxmUK.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: MWSW9nxmUK.exe

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin
    Source: MWSW9nxmUK.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: MWSW9nxmUK.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: MWSW9nxmUK.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: MWSW9nxmUK.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: MWSW9nxmUK.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: MWSW9nxmUK.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: MWSW9nxmUK.exeString found in binary or memory: http://ocsp.digicert.com0C
    Source: MWSW9nxmUK.exeString found in binary or memory: http://ocsp.digicert.com0O
    Source: MWSW9nxmUK.exeString found in binary or memory: http://www.digicert.com/CPS0
    Source: MWSW9nxmUK.exeString found in binary or memory: https://www.digicert.com/CPS0
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7543B NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F75540 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7543B
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F780EF
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F748E9
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F738D1
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F73ED8
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F780C6
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F70CC3
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F742C0
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F780A4
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F728A0
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F73684
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7048D
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F70889
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F77077
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F71A78
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F74860
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F73A69
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F72455
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F70C54
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F73259
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F78C42
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F70C4C
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F78C36
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7163B
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F71A21
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7322C
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F72C2A
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F72228
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7841E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7421B
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F73A18
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F723FF
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F70BDC
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F747C8
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F705B1
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F715BD
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F787BC
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F727A4
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F77BA4
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F747A2
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F76FAF
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F73D84
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7517E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F76B7B
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F72379
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7475F
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F70147
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F75D43
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F77F4E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F76B35
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F77D3E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F73325
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7832E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F73D2C
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F70916
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F74712
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F74912
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F72518
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F77D06
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F74105
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7770F
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F75908
    Source: MWSW9nxmUK.exeStatic PE information: invalid certificate
    Source: MWSW9nxmUK.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: MWSW9nxmUK.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: MWSW9nxmUK.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: MWSW9nxmUK.exe, 00000000.00000002.1287872087.0000000000435000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameInterrup.exe vs MWSW9nxmUK.exe
    Source: MWSW9nxmUK.exeBinary or memory string: OriginalFilenameInterrup.exe vs MWSW9nxmUK.exe
    Source: MWSW9nxmUK.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal84.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeFile created: C:\Users\user\AppData\Local\Temp\~DF0F4B240A12FF61B4.TMPJump to behavior
    Source: MWSW9nxmUK.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: MWSW9nxmUK.exeVirustotal: Detection: 44%
    Source: MWSW9nxmUK.exeReversingLabs: Detection: 42%
    Source: MWSW9nxmUK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: MWSW9nxmUK.exe

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.1292263867.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F728A0
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F727A4
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F72379
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F77D3E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F77503
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeRDTSC instruction interceptor: First address: 0000000002F78CAB second address: 0000000002F78CAB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+00000253h], edx 0x00000010 mov edx, 83A23224h 0x00000015 cmp bh, ch 0x00000017 test ah, dh 0x00000019 xor edx, B23AA633h 0x0000001f xor edx, 5BA5550Bh 0x00000025 test ch, 00000068h 0x00000028 sub edx, 6A3DC11Ch 0x0000002e test cx, dx 0x00000031 cmp dword ptr [ebp+00000253h], edx 0x00000037 mov edx, dword ptr [ebp+00000253h] 0x0000003d jne 00007F180C9266B8h 0x0000003f dec ebx 0x00000040 xor edx, edx 0x00000042 mov eax, ebx 0x00000044 test si, 634Bh 0x00000049 mov ecx, D06366DFh 0x0000004e test bx, cx 0x00000051 sub ecx, D6A7F971h 0x00000057 cmp ecx, ecx 0x00000059 xor ecx, 335F4321h 0x0000005f sub ecx, CAE42E4Bh 0x00000065 test ebx, edx 0x00000067 div ecx 0x00000069 pushad 0x0000006a rdtsc
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeRDTSC instruction interceptor: First address: 0000000002F78CAB second address: 0000000002F78CAB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+00000253h], edx 0x00000010 mov edx, 83A23224h 0x00000015 cmp bh, ch 0x00000017 test ah, dh 0x00000019 xor edx, B23AA633h 0x0000001f xor edx, 5BA5550Bh 0x00000025 test ch, 00000068h 0x00000028 sub edx, 6A3DC11Ch 0x0000002e test cx, dx 0x00000031 cmp dword ptr [ebp+00000253h], edx 0x00000037 mov edx, dword ptr [ebp+00000253h] 0x0000003d jne 00007F180C9266B8h 0x0000003f dec ebx 0x00000040 xor edx, edx 0x00000042 mov eax, ebx 0x00000044 test si, 634Bh 0x00000049 mov ecx, D06366DFh 0x0000004e test bx, cx 0x00000051 sub ecx, D6A7F971h 0x00000057 cmp ecx, ecx 0x00000059 xor ecx, 335F4321h 0x0000005f sub ecx, CAE42E4Bh 0x00000065 test ebx, edx 0x00000067 div ecx 0x00000069 pushad 0x0000006a rdtsc
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeRDTSC instruction interceptor: First address: 0000000002F7750B second address: 0000000002F7752A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 4E5E24E1h 0x00000007 xor eax, 256A0EB4h 0x0000000c xor eax, 6B41C15Ch 0x00000011 xor eax, 0075EB08h 0x00000016 cpuid 0x00000018 popad 0x00000019 pushad 0x0000001a mov ecx, 000000F8h 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F72EF7 rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F72EF7 rdtsc
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F72EF7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F73259 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7504C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F7322C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F727A4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F76B69 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F77D3E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F77106 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F77D06 mov eax, dword ptr fs:[00000030h]
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: MWSW9nxmUK.exe, 00000000.00000002.1288850804.0000000000CC0000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: MWSW9nxmUK.exe, 00000000.00000002.1288850804.0000000000CC0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: MWSW9nxmUK.exe, 00000000.00000002.1288850804.0000000000CC0000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: MWSW9nxmUK.exe, 00000000.00000002.1288850804.0000000000CC0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02F77337 cpuid

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery311Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    MWSW9nxmUK.exe44%VirustotalBrowse
    MWSW9nxmUK.exe43%ReversingLabsWin32.Trojan.Vebzenpak

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin0%VirustotalBrowse
    https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://kinmirai.org/wp-content/bin_inUIdCgQk163.bintrue
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:33.0.0 White Diamond
    Analysis ID:452531
    Start date:22.07.2021
    Start time:15:01:15
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 11m 59s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:MWSW9nxmUK.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Run name:Suspected Instruction Hammering Hide Perf
    Number of analysed new started processes analysed:41
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal84.troj.evad.winEXE@1/0@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Not all processes where analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.648392883751036
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:MWSW9nxmUK.exe
    File size:246888
    MD5:c937fc9ed4325e6ab24d49a3175f3a5c
    SHA1:00439295920e78ecac31d1dbf7eb67118d76299a
    SHA256:d54cafc1ca36d0ddd134f53d033ebbaaa490721d62d4168106a9b6c7cfa200ba
    SHA512:ff13a5d3bfd503e0f11c9d974a4ac88f965eec14cbf07723ac9ed425222aaa7c5871a6438cd7491fbd694424ebe4c8675dc076e81564204583336a2940e9a9d0
    SSDEEP:1536:HrnnnnnnnnnnnnnnnrKDnnnnnnnnnnnnnnnCnnnnnnnnnnnnnnXnnnnnnnnnnnnE:H6LVbA8nT1vnv9dnj6czcW
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................................Rich............PE..L.....\S.................0...p......0........@....@................

    File Icon

    Icon Hash:e8ccce8e8ececce8

    Static PE Info

    General

    Entrypoint:0x401330
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x535CB682 [Sun Apr 27 07:49:22 2014 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:4e1e57f6de47f654992269152dd1e659

    Authenticode Signature

    Signature Valid:false
    Signature Issuer:E=Matri7@conn.Gru, CN=Characte2, OU=presolvep, O=Neapol8, L=styk, S=Laur, C=LC
    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
    Error Number:-2146762487
    Not Before, Not After
    • 7/21/2021 3:37:16 PM 7/21/2022 3:37:16 PM
    Subject Chain
    • E=Matri7@conn.Gru, CN=Characte2, OU=presolvep, O=Neapol8, L=styk, S=Laur, C=LC
    Version:3
    Thumbprint MD5:79CF1ECF512D0016E6565DBDBB4BA3BB
    Thumbprint SHA-1:E4666F2B8BC7DC083B23415376F21E8E4C2CEB0D
    Thumbprint SHA-256:89E6F5909EC358780F7165075AE7073138BA8B7BE49CFEB5B401AF72BDC5E42B
    Serial:00

    Entrypoint Preview

    Instruction
    push 0042F030h
    call 00007F180CCA7253h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    inc eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [edx+ebp], bh
    dec edi
    bound ecx, dword ptr [esi-7EB8CB92h]
    bound edi, dword ptr [edx-44h]
    pop edi
    push cs
    pop ds
    int3
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    inc edx
    add byte ptr [esi], al
    push eax
    add dword ptr [ecx], 50h
    jc 00007F180CCA72CCh
    jnc 00007F180CCA72C7h
    jc 00007F180CCA72D5h
    bound eax, dword ptr [eax]
    add byte ptr [eax], al
    add byte ptr [edx+ecx*4+0000030Ah], ah
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    adc al, F3h
    enter 5D60h, CBh
    rol byte ptr [edx+08D6814Bh], 0000000Eh
    cmp esi, dword ptr [ebp+06D99345h]
    fmul dword ptr [ecx-0Dh]

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x330740x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x350000x54c4.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x3b0580x1410
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x11000x1c.text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000xf8.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x324c00x33000False0.249516505821data4.59513440104IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x340000xb900x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x350000x54c40x6000False0.293294270833data4.11736046499IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    RT_ICON0x39e5c0x668dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 4265541880, next used block 7936
    RT_ICON0x39b740x2e8data
    RT_ICON0x3998c0x1e8data
    RT_ICON0x398640x128GLS_BINARY_LSB_FIRST
    RT_ICON0x389bc0xea8data
    RT_ICON0x381140x8a8data
    RT_ICON0x37a4c0x6c8data
    RT_ICON0x374e40x568GLS_BINARY_LSB_FIRST
    RT_ICON0x3643c0x10a8data
    RT_ICON0x35ab40x988data
    RT_ICON0x3564c0x468GLS_BINARY_LSB_FIRST
    RT_GROUP_ICON0x355ac0xa0data
    RT_VERSION0x352d00x2dcdataEnglishUnited States

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    DescriptionData
    Translation0x0409 0x04b0
    LegalCopyrightClicked
    InternalNameInterrup
    FileVersion7.00
    CompanyNameClicked
    LegalTrademarksClicked
    CommentsClicked
    ProductNameClicked
    ProductVersion7.00
    FileDescriptionClicked
    OriginalFilenameInterrup.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    System Behavior

    General

    Start time:15:02:04
    Start date:22/07/2021
    Path:C:\Users\user\Desktop\MWSW9nxmUK.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\MWSW9nxmUK.exe'
    Imagebase:0x400000
    File size:246888 bytes
    MD5 hash:C937FC9ED4325E6AB24D49A3175F3A5C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1292263867.0000000002F70000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >