Windows Analysis Report ftyaXQevlQ.exe

Overview

General Information

Sample Name: ftyaXQevlQ.exe
Analysis ID: 458362
MD5: 7a90c8f725811e53a27ecb8e2c6a952b
SHA1: d09f363cefebf3877a29f250fba3ba7affe6549f
SHA256: 2d2796f4298b67f77555e446cfe4eca0559ddee6cdf6371524051a42f8dbd291
Tags: exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.1173739995.00000000020F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTHKELLS_QhOVDYr246"}
Multi AV Scanner detection for submitted file
Source: ftyaXQevlQ.exe Virustotal: Detection: 23% Perma Link
Source: ftyaXQevlQ.exe ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: ftyaXQevlQ.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: ftyaXQevlQ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTHKELLS_QhOVDYr246

System Summary:

barindex
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F58EC NtAllocateVirtualMemory, 0_2_020F58EC
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F5A21 NtAllocateVirtualMemory, 0_2_020F5A21
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F58E9 NtAllocateVirtualMemory, 0_2_020F58E9
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F5953 NtAllocateVirtualMemory, 0_2_020F5953
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F596D NtAllocateVirtualMemory, 0_2_020F596D
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F5961 NtAllocateVirtualMemory, 0_2_020F5961
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F5979 NtAllocateVirtualMemory, 0_2_020F5979
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F5985 NtAllocateVirtualMemory, 0_2_020F5985
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F599D NtAllocateVirtualMemory, 0_2_020F599D
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F5991 NtAllocateVirtualMemory, 0_2_020F5991
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F59A9 NtAllocateVirtualMemory, 0_2_020F59A9
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F59B5 NtAllocateVirtualMemory, 0_2_020F59B5
Detected potential crypto function
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_00401144 0_2_00401144
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F58EC 0_2_020F58EC
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F5A21 0_2_020F5A21
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F8A36 0_2_020F8A36
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F2835 0_2_020F2835
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F0231 0_2_020F0231
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F4047 0_2_020F4047
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F2A58 0_2_020F2A58
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F7870 0_2_020F7870
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F3894 0_2_020F3894
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F38AB 0_2_020F38AB
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F12C7 0_2_020F12C7
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F86C5 0_2_020F86C5
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F58E9 0_2_020F58E9
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F8AE2 0_2_020F8AE2
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F88FD 0_2_020F88FD
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F3AF3 0_2_020F3AF3
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F5707 0_2_020F5707
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F5D2B 0_2_020F5D2B
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F7336 0_2_020F7336
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F7B34 0_2_020F7B34
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F1F48 0_2_020F1F48
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F5953 0_2_020F5953
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F596D 0_2_020F596D
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F5961 0_2_020F5961
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F59B5 0_2_020F59B5
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F13B2 0_2_020F13B2
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F09D6 0_2_020F09D6
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F3BE0 0_2_020F3BE0
PE file contains strange resources
Source: ftyaXQevlQ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ftyaXQevlQ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: ftyaXQevlQ.exe, 00000000.00000000.650866555.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBOETTEPAPIR.exe vs ftyaXQevlQ.exe
Source: ftyaXQevlQ.exe, 00000000.00000002.1173563584.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs ftyaXQevlQ.exe
Source: ftyaXQevlQ.exe Binary or memory string: OriginalFilenameBOETTEPAPIR.exe vs ftyaXQevlQ.exe
Uses 32bit PE files
Source: ftyaXQevlQ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe File created: C:\Users\user\AppData\Local\Temp\~DF4EA5FE16BB58CFDF.TMP Jump to behavior
Source: ftyaXQevlQ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ftyaXQevlQ.exe Virustotal: Detection: 23%
Source: ftyaXQevlQ.exe ReversingLabs: Detection: 21%

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1173739995.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_00404542 push ds; retf 0_2_0040456D
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_00405977 push dword ptr [ecx-4E013672h]; retf 0_2_0040597F
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_004017A5 push 00000065h; ret 0_2_004017B7
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_004061A9 push ds; retf 0_2_004061B9
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F8465 push eax; ret 0_2_020F8466
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F1976 push esi; ret 0_2_020F197B
Source: initial sample Static PE information: section name: .text entropy: 7.06319493547
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F58EC NtAllocateVirtualMemory, 0_2_020F58EC
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe RDTSC instruction interceptor: First address: 00000000020F7740 second address: 00000000020F7740 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub edx, 6B2AB29Ch 0x00000011 cmp byte ptr [esi], dl 0x00000013 mov edx, dword ptr [ebp+0000026Ch] 0x00000019 jnc 00007F59F8EA92B7h 0x0000001b mov ebx, eax 0x0000001d shl eax, 05h 0x00000020 add eax, ebx 0x00000022 movzx ecx, byte ptr [esi] 0x00000025 test esi, 8BF3F78Dh 0x0000002b add eax, ecx 0x0000002d xor eax, 241DED1Dh 0x00000032 inc esi 0x00000033 mov dword ptr [ebp+00000269h], eax 0x00000039 mov eax, 268AB9BAh 0x0000003e cmp bx, bx 0x00000041 xor eax, 5F75F58Ch 0x00000046 cmp dx, dx 0x00000049 xor eax, A2125650h 0x0000004e add eax, 2412E59Ah 0x00000053 cmp byte ptr [esi], al 0x00000055 mov eax, dword ptr [ebp+00000269h] 0x0000005b jne 00007F59F8EA91F8h 0x0000005d mov dword ptr [ebp+0000026Ch], edx 0x00000063 mov edx, 0CE9BEB7h 0x00000068 cmp ch, bh 0x0000006a xor edx, 565E109Eh 0x00000070 xor edx, 319D1D69h 0x00000076 pushad 0x00000077 lfence 0x0000007a rdtsc
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe RDTSC instruction interceptor: First address: 00000000020F8317 second address: 00000000020F7740 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov edi, dword ptr [ebp+00000231h] 0x00000011 mov dword ptr [ebp+00000262h], edx 0x00000017 push esi 0x00000018 jmp 00007F59F8ACA3D5h 0x0000001a call 00007F59F8ACA385h 0x0000001f pop esi 0x00000020 jmp esi 0x00000022 pop esi 0x00000023 mov edx, ecx 0x00000025 push edx 0x00000026 mov edx, dword ptr [ebp+00000262h] 0x0000002c mov dword ptr [ebp+000001BBh], edx 0x00000032 test bx, dx 0x00000035 mov edx, esi 0x00000037 push edx 0x00000038 mov edx, dword ptr [ebp+000001BBh] 0x0000003e cmp dx, ax 0x00000041 mov dword ptr [ebp+00000233h], eax 0x00000047 mov eax, esi 0x00000049 push eax 0x0000004a mov eax, dword ptr [ebp+00000233h] 0x00000050 cmp bh, dh 0x00000052 add dword ptr [esp], ecx 0x00000055 call 00007F59F8AC96F4h 0x0000005a mov esi, dword ptr [esp+04h] 0x0000005e mov eax, 552EAF50h 0x00000063 push ss 0x00000064 pop ss 0x00000065 jmp 00007F59F8ACA3B3h 0x00000067 xor eax, 8A108D49h 0x0000006c add eax, 135A661Ch 0x00000071 xor eax, F2989D30h 0x00000076 test bl, al 0x00000078 test ax, 0000508Eh 0x0000007c mov dword ptr [ebp+0000026Ch], edx 0x00000082 mov edx, 0CE9BEB7h 0x00000087 cmp ch, bh 0x00000089 xor edx, 565E109Eh 0x0000008f xor edx, 319D1D69h 0x00000095 pushad 0x00000096 lfence 0x00000099 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F58EC rdtsc 0_2_020F58EC
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F58EC rdtsc 0_2_020F58EC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F7A47 mov eax, dword ptr fs:[00000030h] 0_2_020F7A47
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F38AB mov eax, dword ptr fs:[00000030h] 0_2_020F38AB
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F86C5 mov eax, dword ptr fs:[00000030h] 0_2_020F86C5
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F5513 mov eax, dword ptr fs:[00000030h] 0_2_020F5513
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F7367 mov eax, dword ptr fs:[00000030h] 0_2_020F7367
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: ftyaXQevlQ.exe, 00000000.00000002.1173506402.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: ftyaXQevlQ.exe, 00000000.00000002.1173506402.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: ftyaXQevlQ.exe, 00000000.00000002.1173506402.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Progman
Source: ftyaXQevlQ.exe, 00000000.00000002.1173506402.0000000000C40000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_020F0231 cpuid 0_2_020F0231
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 458362 Sample: ftyaXQevlQ.exe Startdate: 03/08/2021 Architecture: WINDOWS Score: 84 8 Found malware configuration 2->8 10 Multi AV Scanner detection for submitted file 2->10 12 Yara detected GuLoader 2->12 14 2 other signatures 2->14 5 ftyaXQevlQ.exe 1 2->5         started        process3 signatures4 16 Contains functionality to detect hardware virtualization (CPUID execution measurement) 5->16 18 Found potential dummy code loops (likely to delay analysis) 5->18 20 Tries to detect virtualization through RDTSC time measurements 5->20
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://101.99.94.119/WEALTHKELLS_QhOVDYr246 true
  • Avira URL Cloud: safe
 unknown