Windows Analysis Report PO#578946.exe

Overview

General Information

Sample Name: PO#578946.exe
Analysis ID: 457760
MD5: 691bde1d30c382256ff1072b8f305841
SHA1: 1ce839f49da7750ab19f0e709747a36dce1933fc
SHA256: 9d1bfddea6c5c0a596af58ed64e6c38d2a274e507ca8d92d8fc801e3d8878cca
Tags: exe, GuLoader

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: PO#578946.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.868117942.0000000002420000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1_XiRU-Ribfen&"}
Multi AV Scanner detection for submitted file
Source: PO#578946.exe Virustotal: Detection: 56%
Source: PO#578946.exe ReversingLabs: Detection: 34%

Compliance:

Uses 32bit PE files
Source: PO#578946.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1_XiRU-Ribfen&

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO#578946.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\PO#578946.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_024268DE NtAllocateVirtualMemory, 0_2_024268DE
Detected potential crypto function
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_024268DE 0_2_024268DE
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424A49 0_2_02424A49
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0242A250 0_2_0242A250
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424625 0_2_02424625
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424633 0_2_02424633
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02426236 0_2_02426236
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02425234 0_2_02425234
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02423E3A 0_2_02423E3A
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_024232CA 0_2_024232CA
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02422ED7 0_2_02422ED7
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424AF4 0_2_02424AF4
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02429E9A 0_2_02429E9A
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424EB4 0_2_02424EB4
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02428764 0_2_02428764
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02429F6E 0_2_02429F6E
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02422F7C 0_2_02422F7C
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424F17 0_2_02424F17
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424723 0_2_02424723
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424F28 0_2_02424F28
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_024217CC 0_2_024217CC
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424FE4 0_2_02424FE4
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_024233FF 0_2_024233FF
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02422B82 0_2_02422B82
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02421785 0_2_02421785
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0242538A 0_2_0242538A
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424B8B 0_2_02424B8B
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424790 0_2_02424790
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02422BB8 0_2_02422BB8
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02422C53 0_2_02422C53
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0242A060 0_2_0242A060
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02428400 0_2_02428400
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_024248CE 0_2_024248CE
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424C8D 0_2_02424C8D
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0242A499 0_2_0242A499
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02422CB1 0_2_02422CB1
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0242414E 0_2_0242414E
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424D60 0_2_02424D60
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0242316F 0_2_0242316F
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02429D6D 0_2_02429D6D
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02425118 0_2_02425118
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02423534 0_2_02423534
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02423DC1 0_2_02423DC1
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0242A1E2 0_2_0242A1E2
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02422DE0 0_2_02422DE0
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_024245FC 0_2_024245FC
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0242318A 0_2_0242318A
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424190 0_2_02424190
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02429DA0 0_2_02429DA0
Sample file is different than original file name gathered from version info
Source: PO#578946.exe, 00000000.00000000.335853401.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUnderno3.exe vs PO#578946.exe
Source: PO#578946.exe, 00000000.00000002.868019534.00000000022D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PO#578946.exe
Source: PO#578946.exe Binary or memory string: OriginalFilenameUnderno3.exe vs PO#578946.exe
Uses 32bit PE files
Source: PO#578946.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal96.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PO#578946.exe File created: C:\Users\user\AppData\Local\Temp\~DF5AAF62D8F409C8D0.TMP
Source: PO#578946.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO#578946.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\PO#578946.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO#578946.exe Virustotal: Detection: 56%
Source: PO#578946.exe ReversingLabs: Detection: 34%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.868117942.0000000002420000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_00408EF8 pushad ; ret 0_2_00408EF9
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0040953E push eax; iretd 0_2_00409547
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02426E62 pushad ; retf 0_2_02427882
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02420AF1 push esp; retf 0_2_02420AF2
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02420B18 push esp; retf 0_2_02420B19
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02426F1E pushad ; retf 0_2_02427882
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02427BF7 push esp; ret 0_2_02427BFF
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0242784E pushad ; retf 0_2_02427882
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02427866 pushad ; retf 0_2_02427882
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02426DC4 pushad ; retf 0_2_02427882
Source: C:\Users\user\Desktop\PO#578946.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0242316F 0_2_0242316F
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\PO#578946.exe RDTSC instruction interceptor: First address: 000000000242034B second address: 000000000242034B instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PO#578946.exe RDTSC instruction interceptor: First address: 000000000242034B second address: 000000000242034B instructions:
Source: C:\Users\user\Desktop\PO#578946.exe RDTSC instruction interceptor: First address: 0000000002426191 second address: 0000000002426191 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, CFC9D9CCh
    0x00000007 xor eax, E7B8D616h
    0x0000000c xor eax, B003C39Fh
    0x00000011 xor eax, 9872CC44h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007FEE848CB84Ah
    0x0000001e lfence
    0x00000021 mov edx, 324626BAh
    0x00000026 xor edx, 8E47B5F1h
    0x0000002c xor edx, CD58843Fh
    0x00000032 xor edx, 0EA71760h
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d ret
    0x0000003e sub edx, esi
    0x00000040 ret
    0x00000041 pop ecx
    0x00000042 cmp cx, dx
    0x00000045 add edi, edx
    0x00000047 dec ecx
    0x00000048 mov dword ptr [ebp+000001B1h], ecx
    0x0000004e mov ecx, 1C5A7D24h
    0x00000053 xor ecx, 8E853080h
    0x00000059 cmp cx, cx
    0x0000005c xor ecx, 6F6EDF25h
    0x00000062 test ax, dx
    0x00000065 sub ecx, FDB19281h
    0x0000006b cmp dword ptr [ebp+000001B1h], ecx
    0x00000071 mov ecx, dword ptr [ebp+000001B1h]
    0x00000077 jne 00007FEE848CB7F4h
    0x00000079 cmp edx, eax
    0x0000007b mov dword ptr [ebp+00000221h], eax
    0x00000081 mov eax, ecx
    0x00000083 push eax
    0x00000084 mov eax, dword ptr [ebp+00000221h]
    0x0000008a call 00007FEE848CB910h
    0x0000008f call 00007FEE848CB86Bh
    0x00000094 lfence
    0x00000097 mov edx, 324626BAh
    0x0000009c xor edx, 8E47B5F1h
    0x000000a2 xor edx, CD58843Fh
    0x000000a8 xor edx, 0EA71760h
    0x000000ae mov edx, dword ptr [edx]
    0x000000b0 lfence
    0x000000b3 ret
    0x000000b4 mov esi, edx
    0x000000b6 pushad
    0x000000b7 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424A49 rdtsc 0_2_02424A49
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\PO#578946.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02424A49 rdtsc 0_2_02424A49
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02425FBD mov eax, dword ptr fs:[00000030h] 0_2_02425FBD
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02428C43 mov eax, dword ptr fs:[00000030h] 0_2_02428C43
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0242914F mov eax, dword ptr fs:[00000030h] 0_2_0242914F
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_0242316F mov eax, dword ptr fs:[00000030h] 0_2_0242316F
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02429D6D mov eax, dword ptr fs:[00000030h] 0_2_02429D6D
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02423DC1 mov eax, dword ptr fs:[00000030h] 0_2_02423DC1
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: PO#578946.exe, 00000000.00000002.867875316.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: PO#578946.exe, 00000000.00000002.867875316.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: PO#578946.exe, 00000000.00000002.867875316.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: PO#578946.exe, 00000000.00000002.867875316.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\PO#578946.exe Code function: 0_2_02425B4B cpuid 0_2_02425B4B
No contacted IP infos