Windows Analysis Report loKmeabs9V.exe

Overview

General Information

Sample Name: loKmeabs9V.exe
Analysis ID: 457916
MD5: e0d74762f123eb6603898d1482eb9752
SHA1: ee63af5c34a027ba8b8331dd678b15e7a87d26a6
SHA256: f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0
Tags: exeRAT

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.725863057.0000000002170000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin"}
Multi AV Scanner detection for submitted file
Source: loKmeabs9V.exe Virustotal: Detection: 20%
Machine Learning detection for sample
Source: loKmeabs9V.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: loKmeabs9V.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_PRUuqVZw139.bin

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_02175971 NtAllocateVirtualMemory, 1_2_02175971
Detected potential crypto function
PE file contains strange resources
Source: loKmeabs9V.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: loKmeabs9V.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: loKmeabs9V.exe, 00000001.00000002.725664691.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs loKmeabs9V.exe
Source: loKmeabs9V.exe, 00000001.00000002.724408573.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
Source: loKmeabs9V.exe Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
Uses 32bit PE files
Source: loKmeabs9V.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\loKmeabs9V.exe File created: C:\Users\user\AppData\Local\Temp\~DF1F7CA1E2F5818567.TMP
Source: loKmeabs9V.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\loKmeabs9V.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\loKmeabs9V.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: loKmeabs9V.exe Virustotal: Detection: 20%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.725863057.0000000002170000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_00404DCC push edx; iretd 1_2_00404DD6
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_004059BD push F32E5D69h; retf 1_2_004059D0
Source: initial sample Static PE information: section name: .text entropy: 7.07623900315
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_0217629C 1_2_0217629C
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_021736C3 1_2_021736C3
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_02178923 1_2_02178923
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_02175DAE 1_2_02175DAE
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_02170BC7 1_2_02170BC7
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_021787E3 1_2_021787E3
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000002177F30 second address: 0000000002177F30 instructions:
0x00000000 rdtsc
0x00000002 mov eax, A494EE6Bh
0x00000007 xor eax, 6C4D1677h
0x0000000c xor eax, 6E4EF001h
0x00000011 xor eax, A697081Ch
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007FF014CB631Ah
0x0000001e lfence
0x00000021 mov edx, 2EA7C992h
0x00000026 xor edx, 079D8C51h
0x0000002c xor edx, 2142E10Eh
0x00000032 xor edx, 7786A4D9h
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d cmp dx, ax
0x00000040 ret
0x00000041 sub edx, esi
0x00000043 ret
0x00000044 cmp cl, dl
0x00000046 add edi, edx
0x00000048 dec dword ptr [ebp+000000F8h]
0x0000004e cmp dword ptr [ebp+000000F8h], 00000000h
0x00000055 jne 00007FF014CB62F8h
0x00000057 test eax, ebx
0x00000059 call 00007FF014CB635Fh
0x0000005e call 00007FF014CB633Bh
0x00000063 lfence
0x00000066 mov edx, 2EA7C992h
0x0000006b xor edx, 079D8C51h
0x00000071 xor edx, 2142E10Eh
0x00000077 xor edx, 7786A4D9h
0x0000007d mov edx, dword ptr [edx]
0x0000007f lfence
0x00000082 cmp dx, ax
0x00000085 ret
0x00000086 mov esi, edx
0x00000088 pushad
0x00000089 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_02177C19 rdtsc 1_2_02177C19
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_02177C19 rdtsc 1_2_02177C19
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_02172C93 mov eax, dword ptr fs:[00000030h] 1_2_02172C93
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_0217548E mov eax, dword ptr fs:[00000030h] 1_2_0217548E
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_021736C3 mov eax, dword ptr fs:[00000030h] 1_2_021736C3
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_02177B16 mov eax, dword ptr fs:[00000030h] 1_2_02177B16
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_021773F1 mov eax, dword ptr fs:[00000030h] 1_2_021773F1
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_021787E3 mov eax, dword ptr fs:[00000030h] 1_2_021787E3
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: loKmeabs9V.exe, 00000001.00000002.725388156.0000000000C50000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loKmeabs9V.exe, 00000001.00000002.725388156.0000000000C50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loKmeabs9V.exe, 00000001.00000002.725388156.0000000000C50000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loKmeabs9V.exe, 00000001.00000002.725388156.0000000000C50000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 1_2_021773AF cpuid 1_2_021773AF
No contacted IP infos