Windows Analysis Report Fec9qUX4at.exe

Overview

General Information

Sample Name: Fec9qUX4at.exe
Analysis ID: 458355
MD5: 2046b941817392e3815535fccb1f39dc
SHA1: 843d243a71131baf9fbe0fcf4ba129f51ee74c8f
SHA256: c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee
Tags: exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.1174329957.0000000002B20000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"}
Multi AV Scanner detection for submitted file
Source: Fec9qUX4at.exe Virustotal: Detection: 28% Perma Link
Source: Fec9qUX4at.exe ReversingLabs: Detection: 13%
Machine Learning detection for sample
Source: Fec9qUX4at.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: Fec9qUX4at.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin

System Summary:

barindex
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B25867 NtAllocateVirtualMemory, 0_2_02B25867
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B2586A NtAllocateVirtualMemory, 0_2_02B2586A
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B258D5 NtAllocateVirtualMemory, 0_2_02B258D5
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B2586A NtAllocateVirtualMemory, 0_2_02B2586A
Detected potential crypto function
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_00401144 0_2_00401144
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B25867 0_2_02B25867
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B2586A 0_2_02B2586A
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B238B9 0_2_02B238B9
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B27AA5 0_2_02B27AA5
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B22AAE 0_2_02B22AAE
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B27EAD 0_2_02B27EAD
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B24292 0_2_02B24292
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B24693 0_2_02B24693
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B28C9D 0_2_02B28C9D
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B242D5 0_2_02B242D5
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B206D9 0_2_02B206D9
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B23424 0_2_02B23424
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B25E11 0_2_02B25E11
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B24C15 0_2_02B24C15
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B2380C 0_2_02B2380C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B25661 0_2_02B25661
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B2586A 0_2_02B2586A
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B23051 0_2_02B23051
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B25C5C 0_2_02B25C5C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B24A41 0_2_02B24A41
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B2864F 0_2_02B2864F
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B23996 0_2_02B23996
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B28181 0_2_02B28181
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B21D86 0_2_02B21D86
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B21D8F 0_2_02B21D8F
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B285F7 0_2_02B285F7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B213FC 0_2_02B213FC
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B205E0 0_2_02B205E0
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B23FDB 0_2_02B23FDB
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B209C7 0_2_02B209C7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B277CC 0_2_02B277CC
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B2293E 0_2_02B2293E
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B28500 0_2_02B28500
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B29577 0_2_02B29577
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B22D7C 0_2_02B22D7C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B27F61 0_2_02B27F61
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B28355 0_2_02B28355
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B2475A 0_2_02B2475A
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B22559 0_2_02B22559
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B28759 0_2_02B28759
PE file contains strange resources
Source: Fec9qUX4at.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Fec9qUX4at.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Fec9qUX4at.exe, 00000000.00000000.650669230.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000000.00000002.1173603407.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe
Uses 32bit PE files
Source: Fec9qUX4at.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Fec9qUX4at.exe File created: C:\Users\user\AppData\Local\Temp\~DFCB9C324FCAA7B61E.TMP Jump to behavior
Source: Fec9qUX4at.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Fec9qUX4at.exe Virustotal: Detection: 28%
Source: Fec9qUX4at.exe ReversingLabs: Detection: 13%

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1174329957.0000000002B20000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_00407CF7 push eax; ret 0_2_00407CF8
Source: initial sample Static PE information: section name: .text entropy: 7.05513425915
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B24693 0_2_02B24693
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B242D5 0_2_02B242D5
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B205E0 0_2_02B205E0
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000002B27394 second address: 0000000002B27394 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx], al 0x0000000c pushad 0x0000000d mov ah, 58h 0x0000000f cmp ah, 00000058h 0x00000012 jne 00007F5630B1DC8Ch 0x00000018 popad 0x00000019 inc ebx 0x0000001a inc edx 0x0000001b dec ecx 0x0000001c test ecx, ecx 0x0000001e jne 00007F5630B20D7Fh 0x00000020 mov al, byte ptr [edx] 0x00000022 pushad 0x00000023 rdtsc
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000002B27394 second address: 0000000002B27394 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx], al 0x0000000c pushad 0x0000000d mov ah, 58h 0x0000000f cmp ah, 00000058h 0x00000012 jne 00007F5630B1DC8Ch 0x00000018 popad 0x00000019 inc ebx 0x0000001a inc edx 0x0000001b dec ecx 0x0000001c test ecx, ecx 0x0000001e jne 00007F5630B20D7Fh 0x00000020 mov al, byte ptr [edx] 0x00000022 pushad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe RDTSC instruction interceptor: First address: 0000000002B27DB5 second address: 0000000002B27DB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A7105D73h 0x00000007 xor eax, 87E90EABh 0x0000000c xor eax, 91654CB2h 0x00000011 xor eax, B19C1F6Bh 0x00000016 cpuid 0x00000018 test ecx, eax 0x0000001a popad 0x0000001b call 00007F563036823Bh 0x00000020 lfence 0x00000023 mov edx, 2543AA54h 0x00000028 xor edx, 8D843AA0h 0x0000002e xor edx, CC85E3A5h 0x00000034 xor edx, 1BBC7345h 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f test bx, bx 0x00000042 cmp ch, dh 0x00000044 ret 0x00000045 sub edx, esi 0x00000047 ret 0x00000048 add edi, edx 0x0000004a dec dword ptr [ebp+000000F8h] 0x00000050 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000057 jne 00007F563036821Ch 0x00000059 call 00007F563036827Ch 0x0000005e call 00007F563036825Eh 0x00000063 lfence 0x00000066 mov edx, 2543AA54h 0x0000006b xor edx, 8D843AA0h 0x00000071 xor edx, CC85E3A5h 0x00000077 xor edx, 1BBC7345h 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 test bx, bx 0x00000085 cmp ch, dh 0x00000087 ret 0x00000088 mov esi, edx 0x0000008a pushad 0x0000008b rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B238B9 rdtsc 0_2_02B238B9
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B238B9 rdtsc 0_2_02B238B9
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B2380C mov eax, dword ptr fs:[00000030h] 0_2_02B2380C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B2546D mov eax, dword ptr fs:[00000030h] 0_2_02B2546D
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B2864F mov eax, dword ptr fs:[00000030h] 0_2_02B2864F
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B273B7 mov eax, dword ptr fs:[00000030h] 0_2_02B273B7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B285F7 mov eax, dword ptr fs:[00000030h] 0_2_02B285F7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B279C6 mov eax, dword ptr fs:[00000030h] 0_2_02B279C6
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B28500 mov eax, dword ptr fs:[00000030h] 0_2_02B28500
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B22D7C mov eax, dword ptr fs:[00000030h] 0_2_02B22D7C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe Code function: 0_2_02B28355 mov eax, dword ptr fs:[00000030h] 0_2_02B28355
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Fec9qUX4at.exe, 00000000.00000002.1173482148.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Fec9qUX4at.exe, 00000000.00000002.1173482148.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Fec9qUX4at.exe, 00000000.00000002.1173482148.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Fec9qUX4at.exe, 00000000.00000002.1173482148.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Progmanlock
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 458355 Sample: Fec9qUX4at.exe Startdate: 03/08/2021 Architecture: WINDOWS Score: 88 8 Found malware configuration 2->8 10 Multi AV Scanner detection for submitted file 2->10 12 Yara detected GuLoader 2->12 14 2 other signatures 2->14 5 Fec9qUX4at.exe 1 2->5         started        process3 signatures4 16 Contains functionality to detect hardware virtualization (CPUID execution measurement) 5->16 18 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 5->18 20 Found potential dummy code loops (likely to delay analysis) 5->20 22 Tries to detect virtualization through RDTSC time measurements 5->22
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://101.99.94.119/WEALTH_fkWglQyCXO188.bin true
  • Avira URL Cloud: safe
 unknown