Windows Analysis Report kGSHiWbgq9.exe

Overview

General Information

Sample Name: kGSHiWbgq9.exe
Analysis ID: 457930
MD5: 27bf14807bc9d5cd2d823293f43c3a3a
SHA1: 08eeed11867aa351be0d6c48da283721ee6c0769
SHA256: 55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
Tags: exe
Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUu"}
Multi AV Scanner detection for submitted file
Source: kGSHiWbgq9.exe Virustotal: Detection: 21%
Machine Learning detection for sample
Source: kGSHiWbgq9.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: kGSHiWbgq9.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_PRUu

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02465968 NtAllocateVirtualMemory, 0_2_02465968
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02465A62 NtAllocateVirtualMemory, 0_2_02465A62
Detected potential crypto function
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02465968 0_2_02465968
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02460211 0_2_02460211
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02464339 0_2_02464339
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_024640B7 0_2_024640B7
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_024686DB 0_2_024686DB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_024686F4 0_2_024686F4
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02465781 0_2_02465781
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_0246443A 0_2_0246443A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_024694D8 0_2_024694D8
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_0246853B 0_2_0246853B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_024695C6 0_2_024695C6
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_024685E7 0_2_024685E7
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_024605A1 0_2_024605A1
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02465A62 0_2_02465A62
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02462A77 0_2_02462A77
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02467A7A 0_2_02467A7A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02460B59 0_2_02460B59
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02460BDC 0_2_02460BDC
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02463BFF 0_2_02463BFF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02462873 0_2_02462873
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02468802 0_2_02468802
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02461900 0_2_02461900
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_0246891F 0_2_0246891F
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02467E5C 0_2_02467E5C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02460ED2 0_2_02460ED2
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02461E99 0_2_02461E99
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02462FD3 0_2_02462FD3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02468C2C 0_2_02468C2C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02463CEF 0_2_02463CEF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02463CF2 0_2_02463CF2
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02460CFA 0_2_02460CFA
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02465D78 0_2_02465D78
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02462D3B 0_2_02462D3B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02460DD5 0_2_02460DD5
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02461DA0 0_2_02461DA0
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02464DB6 0_2_02464DB6
PE file contains strange resources
Source: kGSHiWbgq9.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kGSHiWbgq9.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: kGSHiWbgq9.exe, 00000000.00000002.769800514.00000000021E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe, 00000000.00000002.767741983.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe
Uses 32bit PE files
Source: kGSHiWbgq9.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF0A4DA332BC76A601.TMP
Source: kGSHiWbgq9.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: kGSHiWbgq9.exe Virustotal: Detection: 21%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_00408873 push esp; ret 0_2_00408877
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_004088C0 push esp; ret 0_2_004088CB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_004014E9 push es; ret 0_2_004014EA
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_00408CB2 push esi; ret 0_2_00408CB3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_0040891C push esi; retf 0_2_0040892F
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_00407D36 pushad ; iretd 0_2_00407D3B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_00408672 push esi; ret 0_2_00408677
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_00407E22 push ds; iretd 0_2_00407E27
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_00408624 push esp; ret 0_2_00408627
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_00408ADE push esi; retf 0_2_00408ADF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_00408695 push esi; ret 0_2_00408677
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02466625 push ebp; iretd 0_2_02466637
Source: initial sample Static PE information: section name: .text entropy: 7.07266809617
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02460B59 0_2_02460B59
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02460BDC 0_2_02460BDC
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02462FD3 0_2_02462FD3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02460CFA 0_2_02460CFA
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02462D3B 0_2_02462D3B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02460DD5 0_2_02460DD5
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000002460298 second address: 0000000002460298 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000002467EAD second address: 0000000002467EAD instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000002469858 second address: 0000000002469858 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000002460298 second address: 0000000002460298 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000002467EAD second address: 0000000002467EAD instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000002469858 second address: 0000000002469858 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe RDTSC instruction interceptor: First address: 0000000002467CB5 second address: 0000000002467CB5 instructions:
0x00000000 rdtsc
0x00000002 mov eax, 8D6257E7h
0x00000007 xor eax, D6E50CE5h
0x0000000c xor eax, CD304DCCh
0x00000011 add eax, 6948E933h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F7834E0F173h
0x0000001e lfence
0x00000021 mov edx, 617AD252h
0x00000026 xor edx, 84973C64h
0x0000002c xor edx, 903C3D1Eh
0x00000032 xor edx, 0A2FD33Ch
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d cmp edx, 53D52FB7h
0x00000043 cmp ah, ch
0x00000045 test cl, bl
0x00000047 ret
0x00000048 jmp 00007F7834E0F169h
0x0000004d cmp ch, dh
0x0000004f sub edx, esi
0x00000051 ret
0x00000052 add edi, edx
0x00000054 dec dword ptr [ebp+000000F8h]
0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h
0x00000061 jne 00007F7834E0F06Ch
0x00000063 call 00007F7834E0F0C7h
0x00000068 call 00007F7834E0F194h
0x0000006d lfence
0x00000070 mov edx, 617AD252h
0x00000075 xor edx, 84973C64h
0x0000007b xor edx, 903C3D1Eh
0x00000081 xor edx, 0A2FD33Ch
0x00000087 mov edx, dword ptr [edx]
0x00000089 lfence
0x0000008c cmp edx, 53D52FB7h
0x00000092 cmp ah, ch
0x00000094 test cl, bl
0x00000096 ret
0x00000097 mov esi, edx
0x00000099 pushad
0x0000009a rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02460211 rdtsc 0_2_02460211
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02460211 rdtsc 0_2_02460211
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_024673B4 mov eax, dword ptr fs:[00000030h] 0_2_024673B4
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02463441 mov eax, dword ptr fs:[00000030h] 0_2_02463441
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_0246853B mov eax, dword ptr fs:[00000030h] 0_2_0246853B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02465589 mov eax, dword ptr fs:[00000030h] 0_2_02465589
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02467898 mov eax, dword ptr fs:[00000030h] 0_2_02467898
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe Code function: 0_2_02462D3B mov eax, dword ptr fs:[00000030h] 0_2_02462D3B
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: kGSHiWbgq9.exe, 00000000.00000002.769113256.0000000000D60000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: kGSHiWbgq9.exe, 00000000.00000002.769113256.0000000000D60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: kGSHiWbgq9.exe, 00000000.00000002.769113256.0000000000D60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: kGSHiWbgq9.exe, 00000000.00000002.769113256.0000000000D60000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IP infos