Windows Analysis Report ftyaXQevlQ.exe

Overview

General Information

Sample Name: ftyaXQevlQ.exe
Analysis ID: 458362
MD5: 7a90c8f725811e53a27ecb8e2c6a952b
SHA1: d09f363cefebf3877a29f250fba3ba7affe6549f
SHA256: 2d2796f4298b67f77555e446cfe4eca0559ddee6cdf6371524051a42f8dbd291
Tags: exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.1409667003.0000000002230000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTHKELLS_QhOVDYr246"}
Multi AV Scanner detection for submitted file
Source: ftyaXQevlQ.exe Virustotal: Detection: 23% Perma Link
Source: ftyaXQevlQ.exe ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: ftyaXQevlQ.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: ftyaXQevlQ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTHKELLS_QhOVDYr246

System Summary:

barindex
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022358EC NtAllocateVirtualMemory, 0_2_022358EC
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02235A21 NtAllocateVirtualMemory, 0_2_02235A21
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022358E9 NtAllocateVirtualMemory, 0_2_022358E9
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02235961 NtAllocateVirtualMemory, 0_2_02235961
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_0223596D NtAllocateVirtualMemory, 0_2_0223596D
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02235979 NtAllocateVirtualMemory, 0_2_02235979
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02235953 NtAllocateVirtualMemory, 0_2_02235953
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022359A9 NtAllocateVirtualMemory, 0_2_022359A9
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022359B5 NtAllocateVirtualMemory, 0_2_022359B5
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02235985 NtAllocateVirtualMemory, 0_2_02235985
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02235991 NtAllocateVirtualMemory, 0_2_02235991
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_0223599D NtAllocateVirtualMemory, 0_2_0223599D
Detected potential crypto function
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_00401144 0_2_00401144
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022358EC 0_2_022358EC
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02235A21 0_2_02235A21
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02230231 0_2_02230231
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02238A36 0_2_02238A36
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02232835 0_2_02232835
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02237870 0_2_02237870
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02234047 0_2_02234047
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02232A58 0_2_02232A58
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022338AB 0_2_022338AB
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02233894 0_2_02233894
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02238AE2 0_2_02238AE2
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022358E9 0_2_022358E9
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02233AF3 0_2_02233AF3
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022388FD 0_2_022388FD
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022312C7 0_2_022312C7
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022386C5 0_2_022386C5
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02235D2B 0_2_02235D2B
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02237336 0_2_02237336
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02237B34 0_2_02237B34
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02235707 0_2_02235707
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02235961 0_2_02235961
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_0223596D 0_2_0223596D
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02231F48 0_2_02231F48
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02235953 0_2_02235953
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022313B2 0_2_022313B2
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022359B5 0_2_022359B5
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02233BE0 0_2_02233BE0
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022309D6 0_2_022309D6
PE file contains strange resources
Source: ftyaXQevlQ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ftyaXQevlQ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: ftyaXQevlQ.exe, 00000000.00000002.1408527901.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBOETTEPAPIR.exe vs ftyaXQevlQ.exe
Source: ftyaXQevlQ.exe, 00000000.00000002.1409623834.00000000021E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs ftyaXQevlQ.exe
Source: ftyaXQevlQ.exe Binary or memory string: OriginalFilenameBOETTEPAPIR.exe vs ftyaXQevlQ.exe
Uses 32bit PE files
Source: ftyaXQevlQ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe File created: C:\Users\user\AppData\Local\Temp\~DFC9319DEA221822AB.TMP Jump to behavior
Source: ftyaXQevlQ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ftyaXQevlQ.exe Virustotal: Detection: 23%
Source: ftyaXQevlQ.exe ReversingLabs: Detection: 21%

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1409667003.0000000002230000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_00404542 push ds; retf 0_2_0040456D
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_00405977 push dword ptr [ecx-4E013672h]; retf 0_2_0040597F
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_004017A5 push 00000065h; ret 0_2_004017B7
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_004061A9 push ds; retf 0_2_004061B9
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02238465 push eax; ret 0_2_02238466
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02231976 push esi; ret 0_2_0223197B
Source: initial sample Static PE information: section name: .text entropy: 7.06319493547
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022358EC NtAllocateVirtualMemory, 0_2_022358EC
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe RDTSC instruction interceptor: First address: 0000000002237740 second address: 0000000002237740 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub edx, 6B2AB29Ch 0x00000011 cmp byte ptr [esi], dl 0x00000013 mov edx, dword ptr [ebp+0000026Ch] 0x00000019 jnc 00007F86ECB8FFE7h 0x0000001b mov ebx, eax 0x0000001d shl eax, 05h 0x00000020 add eax, ebx 0x00000022 movzx ecx, byte ptr [esi] 0x00000025 test esi, 8BF3F78Dh 0x0000002b add eax, ecx 0x0000002d xor eax, 241DED1Dh 0x00000032 inc esi 0x00000033 mov dword ptr [ebp+00000269h], eax 0x00000039 mov eax, 268AB9BAh 0x0000003e cmp bx, bx 0x00000041 xor eax, 5F75F58Ch 0x00000046 cmp dx, dx 0x00000049 xor eax, A2125650h 0x0000004e add eax, 2412E59Ah 0x00000053 cmp byte ptr [esi], al 0x00000055 mov eax, dword ptr [ebp+00000269h] 0x0000005b jne 00007F86ECB8FF28h 0x0000005d mov dword ptr [ebp+0000026Ch], edx 0x00000063 mov edx, 0CE9BEB7h 0x00000068 cmp ch, bh 0x0000006a xor edx, 565E109Eh 0x00000070 xor edx, 319D1D69h 0x00000076 pushad 0x00000077 lfence 0x0000007a rdtsc
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe RDTSC instruction interceptor: First address: 0000000002238317 second address: 0000000002237740 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov edi, dword ptr [ebp+00000231h] 0x00000011 mov dword ptr [ebp+00000262h], edx 0x00000017 push esi 0x00000018 jmp 00007F86ECA68865h 0x0000001a call 00007F86ECA68815h 0x0000001f pop esi 0x00000020 jmp esi 0x00000022 pop esi 0x00000023 mov edx, ecx 0x00000025 push edx 0x00000026 mov edx, dword ptr [ebp+00000262h] 0x0000002c mov dword ptr [ebp+000001BBh], edx 0x00000032 test bx, dx 0x00000035 mov edx, esi 0x00000037 push edx 0x00000038 mov edx, dword ptr [ebp+000001BBh] 0x0000003e cmp dx, ax 0x00000041 mov dword ptr [ebp+00000233h], eax 0x00000047 mov eax, esi 0x00000049 push eax 0x0000004a mov eax, dword ptr [ebp+00000233h] 0x00000050 cmp bh, dh 0x00000052 add dword ptr [esp], ecx 0x00000055 call 00007F86ECA67B84h 0x0000005a mov esi, dword ptr [esp+04h] 0x0000005e mov eax, 552EAF50h 0x00000063 push ss 0x00000064 pop ss 0x00000065 jmp 00007F86ECA68843h 0x00000067 xor eax, 8A108D49h 0x0000006c add eax, 135A661Ch 0x00000071 xor eax, F2989D30h 0x00000076 test bl, al 0x00000078 test ax, 0000508Eh 0x0000007c mov dword ptr [ebp+0000026Ch], edx 0x00000082 mov edx, 0CE9BEB7h 0x00000087 cmp ch, bh 0x00000089 xor edx, 565E109Eh 0x0000008f xor edx, 319D1D69h 0x00000095 pushad 0x00000096 lfence 0x00000099 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022358EC rdtsc 0_2_022358EC
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022358EC rdtsc 0_2_022358EC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02237A47 mov eax, dword ptr fs:[00000030h] 0_2_02237A47
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022338AB mov eax, dword ptr fs:[00000030h] 0_2_022338AB
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_022386C5 mov eax, dword ptr fs:[00000030h] 0_2_022386C5
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02235513 mov eax, dword ptr fs:[00000030h] 0_2_02235513
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02237367 mov eax, dword ptr fs:[00000030h] 0_2_02237367
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: ftyaXQevlQ.exe, 00000000.00000002.1409488101.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: ftyaXQevlQ.exe, 00000000.00000002.1409488101.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: ftyaXQevlQ.exe, 00000000.00000002.1409488101.0000000000D80000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: ftyaXQevlQ.exe, 00000000.00000002.1409488101.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\ftyaXQevlQ.exe Code function: 0_2_02230231 cpuid 0_2_02230231
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 458362 Sample: ftyaXQevlQ.exe Startdate: 03/08/2021 Architecture: WINDOWS Score: 84 8 Found malware configuration 2->8 10 Multi AV Scanner detection for submitted file 2->10 12 Yara detected GuLoader 2->12 14 2 other signatures 2->14 5 ftyaXQevlQ.exe 1 2->5         started        process3 signatures4 16 Contains functionality to detect hardware virtualization (CPUID execution measurement) 5->16 18 Found potential dummy code loops (likely to delay analysis) 5->18 20 Tries to detect virtualization through RDTSC time measurements 5->20
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://101.99.94.119/WEALTHKELLS_QhOVDYr246 true
  • Avira URL Cloud: safe
 unknown