Windows Analysis Report ogvcqbOEQs

Overview

General Information

Sample Name: ogvcqbOEQs (renamed file extension from none to exe)
Analysis ID: 456986
MD5: f00e0bf11a316d65ab59574825f125bf
SHA1: a25674d3d8285ad9216e61cfe923bc4b4a0c833a
SHA256: 06b51823317ace5ebfb38121fce872db43c72042d7ef657e3830d46c5572f0c3
Tags: 32exe

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: ogvcqbOEQs.exe Malware Configuration Extractor: GuLoader {"Payload URL": "http://d-bin.duckdns.org/remcos_dyno_xLTzJv"}
Multi AV Scanner detection for submitted file
Source: ogvcqbOEQs.exe Virustotal: Detection: 18%

Compliance:

Uses 32bit PE files
Source: ogvcqbOEQs.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://d-bin.duckdns.org/remcos_dyno_xLTzJv

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A4810 1_2_020A4810
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A44C7 1_2_020A44C7
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020AA9B4 1_2_020AA9B4
PE file contains strange resources
Source: ogvcqbOEQs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: ogvcqbOEQs.exe, 00000001.00000000.227845225.0000000000413000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMSTEAMS vs ogvcqbOEQs.exe
Source: ogvcqbOEQs.exe, 00000001.00000002.751695769.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs ogvcqbOEQs.exe
Source: ogvcqbOEQs.exe Binary or memory string: OriginalFilenameMSTEAMS vs ogvcqbOEQs.exe
Uses 32bit PE files
Source: ogvcqbOEQs.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe File created: C:\Users\user\AppData\Local\Temp\~DFA9BE596F96A9332A.TMP
Source: ogvcqbOEQs.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ogvcqbOEQs.exe Virustotal: Detection: 18%
Source: ogvcqbOEQs.exe Static file information: File size 10571776 > 1048576

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.751704834.00000000020A0000.00000040.00000001.sdmp, type: MEMORY
PE file contains an invalid checksum
Source: ogvcqbOEQs.exe Static PE information: real checksum: 0xa24e1f should be:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_00402A6D push edx; ret 1_2_00402A86
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_00405E39 push es; iretd 1_2_00405E62
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_0040483D push edx; ret 1_2_00404843
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_00405D05 push cs; ret 1_2_00405D9B
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_00404725 push esp; retf 1_2_00404726
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A4E38 push BA000001h; ret 1_2_020A4E45
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A1C9C push eax; ret 1_2_020A1CB5
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A5CB4 push eax; iretd 1_2_020A5CB5
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A910C push eax; retf 1_2_020A910D
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A554D push eax; iretd 1_2_020A554E
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A5145 push ecx; ret 1_2_020A5146
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A5763 push 878BD3C4h; iretd 1_2_020A5774
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A57D8 push eax; ret 1_2_020A57D9
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A77EC push eax; ret 1_2_020A7805
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 00000000020A9289 second address: 00000000020A9289 instructions:
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 00000000020A95D8 second address: 00000000020A95D8 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 000000000040D2BF second address: 000000000040D2BF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 cmp ecx, 00000092h 0x00000009 popad 0x0000000a pushfd 0x0000000b popfd 0x0000000c nop 0x0000000d dec edi 0x0000000e lfence 0x00000011 cmp eax, 34h 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007F70F03BC520h 0x00000019 nop 0x0000001a lfence 0x0000001d pushad 0x0000001e cmp eax, 7Ch 0x00000021 nop 0x00000022 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 00000000020A032C second address: 00000000020A84FD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [ebp+0000022Ch], edx 0x00000011 mov edx, 79A9B8F5h 0x00000016 xor edx, A14CDEE8h 0x0000001c xor edx, B4BF7B12h 0x00000022 add edx, 93A5E2F1h 0x00000028 push edx 0x00000029 mov edx, dword ptr [ebp+0000022Ch] 0x0000002f cmp ax, bx 0x00000032 push B6F4F8D9h 0x00000037 cmp ax, cx 0x0000003a push E49F8B3Ch 0x0000003f nop 0x00000040 push 16E1361Ah 0x00000045 push 1E79F54Fh 0x0000004a push 66B6A393h 0x0000004f test dl, al 0x00000051 push 54CCBF9Ah 0x00000056 call 00007F70F03BDCFAh 0x0000005b jmp 00007F70F03B4FCAh 0x0000005d cmp ah, dh 0x0000005f test ax, dx 0x00000062 cmp ch, FFFFFFDDh 0x00000065 mov ecx, dword ptr [ebp+1Ch] 0x00000068 mov edx, 129FECA4h 0x0000006d call 00007F70F03B42C5h 0x00000072 mov dword ptr [ebp+000001A2h], ecx 0x00000078 mov ecx, esi 0x0000007a cmp edx, 5B13C306h 0x00000080 push ecx 0x00000081 mov ecx, dword ptr [ebp+000001A2h] 0x00000087 mov dword ptr [ebp+0000022Eh], eax 0x0000008d mov eax, edx 0x0000008f push eax 0x00000090 cld 0x00000091 mov eax, dword ptr [ebp+0000022Eh] 0x00000097 mov dword ptr [ebp+0000017Fh], ebx 0x0000009d mov ebx, ecx 0x0000009f push ebx 0x000000a0 pushad 0x000000a1 lfence 0x000000a4 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A84CB rdtsc 1_2_020A84CB
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A84CB rdtsc 1_2_020A84CB
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 1_2_020A8A7E mov eax, dword ptr fs:[00000030h] 1_2_020A8A7E
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Progman
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IP infos