Windows Analysis Report LzbZ4T1iV8.exe

Overview

General Information

Sample Name: LzbZ4T1iV8.exe
Analysis ID: 458125
MD5: 41e1bc9de5f3b61639fb88143e933ff8
SHA1: 432531c5a0f7f82b8ec10e7f3fde1b51ebd3d0e8
SHA256: d32cf33f8f64824f799ca44e9988ddc517e88db1235f93792d3ed2ddaa48e35f
Tags: exe

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin^"}
Multi AV Scanner detection for submitted file
Source: LzbZ4T1iV8.exe Virustotal: Detection: 17%
Source: LzbZ4T1iV8.exe ReversingLabs: Detection: 17%
Machine Learning detection for sample
Source: LzbZ4T1iV8.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: LzbZ4T1iV8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_PRUuqVZw139.bin^

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_021758B1 NtAllocateVirtualMemory, 1_2_021758B1
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_021758FA NtAllocateVirtualMemory, 1_2_021758FA
Detected potential crypto function
PE file contains strange resources
Source: LzbZ4T1iV8.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: LzbZ4T1iV8.exe, 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe, 00000001.00000002.742262419.0000000002120000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe File created: C:\Users\user\AppData\Local\Temp\~DFE493499F9C12E32C.TMP
Source: LzbZ4T1iV8.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_004018D2 push fs; retf 1_2_004018D4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_0217A006 pushfd ; iretd 1_2_0217A007
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_0217662F push cs; iretd 1_2_02176630
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_02176075 push 39F54C89h; retf 1_2_0217607A
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_02178694 push E886E32Ah; iretd 1_2_0217869C
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_02179F30 pushfd ; retf 1_2_02179F43
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_02175D44 push edx; ret 1_2_02175D4A
Source: initial sample Static PE information: section name: .text entropy: 7.08169017725
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 0000000002177542 second address: 0000000002177542 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 00000000021774C3 second address: 0000000002177542 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push D90E6CFBh 0x00000010 call 00007FEAE0DD0522h 0x00000015 mov dword ptr [ebp+04h], eax 0x00000018 mov ebx, dword ptr [eax+3Ch] 0x0000001b add eax, ebx 0x0000001d mov ebx, dword ptr [eax+78h] 0x00000020 mov eax, dword ptr [ebp+04h] 0x00000023 add eax, ebx 0x00000025 mov ecx, dword ptr [eax+18h] 0x00000028 mov dword ptr [ebp+08h], ecx 0x0000002b mov ecx, dword ptr [eax+1Ch] 0x0000002e mov dword ptr [ebp+14h], ecx 0x00000031 mov ecx, dword ptr [eax+24h] 0x00000034 mov dword ptr [ebp+10h], ecx 0x00000037 mov esi, dword ptr [eax+20h] 0x0000003a add esi, dword ptr [ebp+04h] 0x0000003d xor ecx, ecx 0x0000003f mov edx, dword ptr [esi] 0x00000041 add edx, dword ptr [ebp+04h] 0x00000044 mov dword ptr [ebp+000001F3h], eax 0x0000004a test si, 2E1Ah 0x0000004f mov eax, ecx 0x00000051 push eax 0x00000052 mov eax, dword ptr [ebp+000001F3h] 0x00000058 mov dword ptr [ebp+000001C8h], ebx 0x0000005e mov ebx, esi 0x00000060 push ebx 0x00000061 pushad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 000000000217734C second address: 000000000217734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 inc edx 0x00000005 dec ecx 0x00000006 test ecx, ecx 0x00000008 jne 00007FEAE0DD04EEh 0x0000000a mov al, byte ptr [edx] 0x0000000c mov byte ptr [ebx], al 0x0000000e pushad 0x0000000f mov ecx, 00000009h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 0000000002178236 second address: 0000000002178261 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esi, 6F48A402h 0x00000011 cmp dword ptr [edi+14h], esi 0x00000014 mov esi, dword ptr [ebp+000001F0h] 0x0000001a je 00007FEAE0DEEEE5h 0x0000001c mov dword ptr [ebp+00000246h], eax 0x00000022 mov eax, 3E9A0B50h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 0000000002177D0C second address: 0000000002177D0C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00B1C905h 0x00000007 xor eax, AE894D5Ah 0x0000000c xor eax, 9A90F0F9h 0x00000011 add eax, CB578B5Bh 0x00000016 cpuid 0x00000018 test ch, dh 0x0000001a popad 0x0000001b call 00007FEAE0DD050Bh 0x00000020 lfence 0x00000023 mov edx, 770EC33Bh 0x00000028 sub edx, 4238A07Dh 0x0000002e xor edx, 9CFEAEA4h 0x00000034 xor edx, D7D68C0Eh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007FEAE0DD05E9h 0x00000044 test ch, ah 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a add edi, edx 0x0000004c dec dword ptr [ebp+000000F8h] 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007FEAE0DD04EAh 0x0000005b cmp edx, eax 0x0000005d call 00007FEAE0DD054Ch 0x00000062 call 00007FEAE0DD052Eh 0x00000067 lfence 0x0000006a mov edx, 770EC33Bh 0x0000006f sub edx, 4238A07Dh 0x00000075 xor edx, 9CFEAEA4h 0x0000007b xor edx, D7D68C0Eh 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 jmp 00007FEAE0DD05E9h 0x0000008b test ch, ah 0x0000008d ret 0x0000008e mov esi, edx 0x00000090 pushad 0x00000091 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_021758B1 rdtsc 1_2_021758B1
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_02175461 mov eax, dword ptr fs:[00000030h] 1_2_02175461
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_02172CF2 mov eax, dword ptr fs:[00000030h] 1_2_02172CF2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_021778E2 mov eax, dword ptr fs:[00000030h] 1_2_021778E2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_0217735B mov eax, dword ptr fs:[00000030h] 1_2_0217735B
Source: LzbZ4T1iV8.exe, 00000001.00000002.741953345.0000000000C50000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: LzbZ4T1iV8.exe, 00000001.00000002.741953345.0000000000C50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: LzbZ4T1iV8.exe, 00000001.00000002.741953345.0000000000C50000.00000002.00000001.sdmp Binary or memory string: Progman
Source: LzbZ4T1iV8.exe, 00000001.00000002.741953345.0000000000C50000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_00401A45 cpuid 1_2_00401A45
No contacted IP infos