Windows Analysis Report BANK DETAILS.bat

Overview

General Information

Sample Name:	BANK DETAILS.bat (renamed file extension from bat to exe)
Analysis ID:	458685
MD5:	37ecfc300780ade05b85fc969675e415
SHA1:	4874e705a0a075997da7d7bd8cf6f8608376600a
SHA256:	552db26bdd2347a216bb88e706ebf2bc9a145c8a5d38d082c53dcdd2f344c162
Tags:	batexe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.1183771496.0000000000760000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1xfZvLwUHsJmtVI"}

Multi AV Scanner detection for submitted file

Source: BANK DETAILS.exe

Virustotal: Detection: 19%

Perma Link

Compliance:

Uses 32bit PE files

Source: BANK DETAILS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1xfZvLwUHsJmtVI

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: BANK DETAILS.exe, 00000000.00000002.1183807890.00000000007FA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00766F5D NtAllocateVirtualMemory,		0_2_00766F5D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00767139 NtAllocateVirtualMemory,		0_2_00767139

Detected potential crypto function

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00766F5D	0_2_00766F5D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076AE73	0_2_0076AE73
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076147F	0_2_0076147F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076B878	0_2_0076B878
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765479	0_2_00765479
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076586F	0_2_0076586F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076325B	0_2_0076325B
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00769C43	0_2_00769C43
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00761030	0_2_00761030
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076163E	0_2_0076163E
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A63F	0_2_0076A63F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00767639	0_2_00767639
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076682A	0_2_0076682A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A015	0_2_0076A015
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760612	0_2_00760612
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765404	0_2_00765404
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00763A0C	0_2_00763A0C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765608	0_2_00765608
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007696F1	0_2_007696F1
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760EFC	0_2_00760EFC
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007646FA	0_2_007646FA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A4ED	0_2_0076A4ED
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007698DA	0_2_007698DA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007642D8	0_2_007642D8
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00762ECF	0_2_00762ECF
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00764EC9	0_2_00764EC9
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076B4B1	0_2_0076B4B1
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A896	0_2_0076A896
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076B699	0_2_0076B699
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760E85	0_2_00760E85
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076976C	0_2_0076976C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076416B	0_2_0076416B
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00762546	0_2_00762546
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076AB46	0_2_0076AB46
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760F49	0_2_00760F49
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760F35	0_2_00760F35
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765335	0_2_00765335
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A53D	0_2_0076A53D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00769738	0_2_00769738
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00762F27	0_2_00762F27
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00762129	0_2_00762129
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00769D11	0_2_00769D11
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076911A	0_2_0076911A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076B30C	0_2_0076B30C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007631F5	0_2_007631F5
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00768BE6	0_2_00768BE6
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007625E2	0_2_007625E2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007615D3	0_2_007615D3
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007625C4	0_2_007625C4
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A1CD	0_2_0076A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076B3B7	0_2_0076B3B7
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007641BA	0_2_007641BA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765FB8	0_2_00765FB8
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00764BA2	0_2_00764BA2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760F98	0_2_00760F98
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00761599	0_2_00761599
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00763185	0_2_00763185
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00761782	0_2_00761782
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A1CD	0_2_0076A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00764F8D	0_2_00764F8D

PE file contains strange resources

Source: BANK DETAILS.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: BANK DETAILS.exe, 00000000.00000000.657476442.000000000041B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMeloplasttyskl2.exe vs BANK DETAILS.exe
Source: BANK DETAILS.exe, 00000000.00000002.1184205233.0000000002A70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMeloplasttyskl2.exeFE2Xee vs BANK DETAILS.exe
Source: BANK DETAILS.exe, 00000000.00000002.1183729711.00000000005F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs BANK DETAILS.exe
Source: BANK DETAILS.exe	Binary or memory string: OriginalFilenameMeloplasttyskl2.exe vs BANK DETAILS.exe

Uses 32bit PE files

Source: BANK DETAILS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\BANK DETAILS.exe

File created: C:\Users\user\AppData\Local\Temp\~DF653C10E4147526EC.TMP

Jump to behavior

Source: BANK DETAILS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BANK DETAILS.exe

Virustotal: Detection: 19%

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1183771496.0000000000760000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00412CC0 push dword ptr [ebp-14h]; ret	0_2_00414DE8
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00404460 pushfd ; ret	0_2_00404475
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_004045EE push cs; iretd	0_2_00404609
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0040428E push ds; iretd	0_2_0040429A

Source: initial sample

Static PE information: section name: .text entropy: 6.81210830027

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00766F5D NtAllocateVirtualMemory,	0_2_00766F5D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076AE73	0_2_0076AE73
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076147F	0_2_0076147F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765479	0_2_00765479
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00762066	0_2_00762066
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00769C43	0_2_00769C43
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00761030	0_2_00761030
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076163E	0_2_0076163E
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00767639	0_2_00767639
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076682A	0_2_0076682A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760612	0_2_00760612
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765404	0_2_00765404
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00763A0C	0_2_00763A0C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765608	0_2_00765608
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760EFC	0_2_00760EFC
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007646FA	0_2_007646FA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00764EC9	0_2_00764EC9
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760E85	0_2_00760E85
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760F49	0_2_00760F49
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760F35	0_2_00760F35
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765335	0_2_00765335
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076911A	0_2_0076911A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00768BE6	0_2_00768BE6
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007615D3	0_2_007615D3
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A1CD	0_2_0076A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00764BA2	0_2_00764BA2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760F98	0_2_00760F98
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00761599	0_2_00761599
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00761782	0_2_00761782
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A1CD	0_2_0076A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00764F8D	0_2_00764F8D

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000766F8A second address: 0000000000766F8A instructions:
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000769377 second address: 0000000000769377 instructions:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000766F8A second address: 0000000000766F8A instructions:
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000769479 second address: 00000000007694C2 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr fs:[00000030h] 0x00000009 mov eax, dword ptr [eax+0Ch] 0x0000000c mov eax, dword ptr [eax+14h] 0x0000000f test al, cl 0x00000011 mov ecx, dword ptr [eax] 0x00000013 mov eax, ecx 0x00000015 cmp ebx, eax 0x00000017 jmp 00007FE334DBD16Bh 0x00000019 test bx, bx 0x0000001c mov ebx, dword ptr [eax+28h] 0x0000001f mov dword ptr [ebp+00000277h], ebx 0x00000025 mov ebx, EFC24E89h 0x0000002a pushad 0x0000002b mov edi, 00000074h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000769377 second address: 0000000000769377 instructions:
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 00000000007670DF second address: 0000000000767117 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor edi, 4F0B01ABh 0x00000009 cmp ch, ah 0x0000000b push edi 0x0000000c cmp bx, bx 0x0000000f mov edi, dword ptr [ebp+00000203h] 0x00000015 cmp ah, 00000001h 0x00000018 test ecx, ebx 0x0000001a mov dword ptr [ebp+00000148h], 00000000h 0x00000024 add ebx, 04h 0x00000027 mov dword ptr [ebp+0000024Ah], eax 0x0000002d cmp ch, FFFFFFDAh 0x00000030 mov eax, ebx 0x00000032 pushad 0x00000033 mov ecx, 00000042h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 000000000076B44E second address: 0000000000769479 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 call 00007FE334DBAD90h 0x00000008 test dl, dl 0x0000000a pushad 0x0000000b test bh, ah 0x0000000d cmp cl, bl 0x0000000f push 92D68FDCh 0x00000014 call 00007FE334DBB6C6h 0x00000019 pushad 0x0000001a mov edi, 00000045h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 00000000007666CF second address: 00000000007667B7 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cx, 8B05h 0x00000008 mov dword ptr [ebp+00000212h], edi 0x0000000e test bh, dh 0x00000010 mov edi, ecx 0x00000012 push edi 0x00000013 cmp ecx, edx 0x00000015 mov edi, dword ptr [ebp+00000212h] 0x0000001b cmp bl, bl 0x0000001d test esi, 5BD1BFCAh 0x00000023 call 00007FE334DBD20Dh 0x00000028 call 00007FE334DBD17Eh 0x0000002d lfence 0x00000030 mov edx, C7DAD013h 0x00000035 add edx, 5901ADA8h 0x0000003b xor edx, 770150F3h 0x00000041 xor edx, 28232D5Ch 0x00000047 mov edx, dword ptr [edx] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 00000000007667B7 second address: 0000000000766703 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 27269D29h 0x00000007 xor eax, A18D231Eh 0x0000000c xor eax, 1CE799B1h 0x00000011 sub eax, 9A4C2785h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FE334DBC22Dh 0x0000001e lfence 0x00000021 mov edx, C7DAD013h 0x00000026 add edx, 5901ADA8h 0x0000002c xor edx, 770150F3h 0x00000032 xor edx, 28232D5Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 cmp esi, C7A87762h 0x00000047 pushad 0x00000048 mov eax, 00000008h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000766703 second address: 0000000000766745 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 pop ecx 0x00000004 cmp cx, E7B5h 0x00000009 add edi, edx 0x0000000b test bh, dh 0x0000000d dec ecx 0x0000000e mov dword ptr [ebp+0000024Eh], 76D68B9Dh 0x00000018 cmp ecx, edx 0x0000001a xor dword ptr [ebp+0000024Eh], 83B81CB0h 0x00000024 cmp bl, bl 0x00000026 test esi, 7FF4DB34h 0x0000002c xor dword ptr [ebp+0000024Eh], A8C87E56h 0x00000036 cmp esi, 10940B3Dh 0x0000003c pushad 0x0000003d mov eax, 00000064h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000766745 second address: 00000000007667B7 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor dword ptr [ebp+0000024Eh], 5DA6E97Bh 0x0000000d cmp cx, 91C2h 0x00000012 test bh, dh 0x00000014 cmp ecx, dword ptr [ebp+0000024Eh] 0x0000001a jne 00007FE334DBC193h 0x00000020 cmp cx, 8B05h 0x00000025 mov dword ptr [ebp+00000212h], edi 0x0000002b test bh, dh 0x0000002d mov edi, ecx 0x0000002f push edi 0x00000030 cmp ecx, edx 0x00000032 mov edi, dword ptr [ebp+00000212h] 0x00000038 cmp bl, bl 0x0000003a test esi, 5BD1BFCAh 0x00000040 call 00007FE334DBC2DDh 0x00000045 call 00007FE334DBC24Eh 0x0000004a lfence 0x0000004d mov edx, C7DAD013h 0x00000052 add edx, 5901ADA8h 0x00000058 xor edx, 770150F3h 0x0000005e xor edx, 28232D5Ch 0x00000064 mov edx, dword ptr [edx] 0x00000066 lfence 0x00000069 ret 0x0000006a mov esi, edx 0x0000006c pushad 0x0000006d rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Code function: 0_2_00766F5D rdtsc

0_2_00766F5D

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Code function: 0_2_00766F5D rdtsc

0_2_00766F5D

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00769473 mov eax, dword ptr fs:[00000030h]	0_2_00769473
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00763A0C mov eax, dword ptr fs:[00000030h]	0_2_00763A0C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076416B mov eax, dword ptr fs:[00000030h]	0_2_0076416B
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076652D mov eax, dword ptr fs:[00000030h]	0_2_0076652D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00763DC6 mov eax, dword ptr fs:[00000030h]	0_2_00763DC6
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00768FC0 mov eax, dword ptr fs:[00000030h]	0_2_00768FC0
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A1CD mov eax, dword ptr fs:[00000030h]	0_2_0076A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007641BA mov eax, dword ptr fs:[00000030h]	0_2_007641BA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A1CD mov eax, dword ptr fs:[00000030h]	0_2_0076A1CD

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: BANK DETAILS.exe, 00000000.00000002.1183852579.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: BANK DETAILS.exe, 00000000.00000002.1183852579.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: BANK DETAILS.exe, 00000000.00000002.1183852579.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: BANK DETAILS.exe, 00000000.00000002.1183852579.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Code function: 0_2_00762C11 cpuid

0_2_00762C11

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

AV Detection:

Found malware configuration

Source: 00000000.00000002.1183771496.0000000000760000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1xfZvLwUHsJmtVI"}

Multi AV Scanner detection for submitted file

Source: BANK DETAILS.exe

Virustotal: Detection: 19%

Perma Link

Compliance:

Uses 32bit PE files

Source: BANK DETAILS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1xfZvLwUHsJmtVI

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: BANK DETAILS.exe, 00000000.00000002.1183807890.00000000007FA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00766F5D NtAllocateVirtualMemory,		0_2_00766F5D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00767139 NtAllocateVirtualMemory,		0_2_00767139

Detected potential crypto function

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00766F5D	0_2_00766F5D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076AE73	0_2_0076AE73
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076147F	0_2_0076147F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076B878	0_2_0076B878
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765479	0_2_00765479
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076586F	0_2_0076586F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076325B	0_2_0076325B
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00769C43	0_2_00769C43
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00761030	0_2_00761030
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076163E	0_2_0076163E
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A63F	0_2_0076A63F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00767639	0_2_00767639
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076682A	0_2_0076682A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A015	0_2_0076A015
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760612	0_2_00760612
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765404	0_2_00765404
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00763A0C	0_2_00763A0C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765608	0_2_00765608
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007696F1	0_2_007696F1
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760EFC	0_2_00760EFC
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007646FA	0_2_007646FA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A4ED	0_2_0076A4ED
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007698DA	0_2_007698DA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007642D8	0_2_007642D8
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00762ECF	0_2_00762ECF
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00764EC9	0_2_00764EC9
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076B4B1	0_2_0076B4B1
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A896	0_2_0076A896
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076B699	0_2_0076B699
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760E85	0_2_00760E85
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076976C	0_2_0076976C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076416B	0_2_0076416B
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00762546	0_2_00762546
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076AB46	0_2_0076AB46
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760F49	0_2_00760F49
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760F35	0_2_00760F35
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765335	0_2_00765335
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A53D	0_2_0076A53D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00769738	0_2_00769738
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00762F27	0_2_00762F27
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00762129	0_2_00762129
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00769D11	0_2_00769D11
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076911A	0_2_0076911A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076B30C	0_2_0076B30C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007631F5	0_2_007631F5
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00768BE6	0_2_00768BE6
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007625E2	0_2_007625E2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007615D3	0_2_007615D3
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007625C4	0_2_007625C4
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A1CD	0_2_0076A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076B3B7	0_2_0076B3B7
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007641BA	0_2_007641BA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765FB8	0_2_00765FB8
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00764BA2	0_2_00764BA2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760F98	0_2_00760F98
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00761599	0_2_00761599
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00763185	0_2_00763185
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00761782	0_2_00761782
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A1CD	0_2_0076A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00764F8D	0_2_00764F8D

PE file contains strange resources

Source: BANK DETAILS.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: BANK DETAILS.exe, 00000000.00000000.657476442.000000000041B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMeloplasttyskl2.exe vs BANK DETAILS.exe
Source: BANK DETAILS.exe, 00000000.00000002.1184205233.0000000002A70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMeloplasttyskl2.exeFE2Xee vs BANK DETAILS.exe
Source: BANK DETAILS.exe, 00000000.00000002.1183729711.00000000005F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs BANK DETAILS.exe
Source: BANK DETAILS.exe	Binary or memory string: OriginalFilenameMeloplasttyskl2.exe vs BANK DETAILS.exe

Uses 32bit PE files

Source: BANK DETAILS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\BANK DETAILS.exe

File created: C:\Users\user\AppData\Local\Temp\~DF653C10E4147526EC.TMP

Jump to behavior

Source: BANK DETAILS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BANK DETAILS.exe

Virustotal: Detection: 19%

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1183771496.0000000000760000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00412CC0 push dword ptr [ebp-14h]; ret	0_2_00414DE8
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00404460 pushfd ; ret	0_2_00404475
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_004045EE push cs; iretd	0_2_00404609
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0040428E push ds; iretd	0_2_0040429A

Source: initial sample

Static PE information: section name: .text entropy: 6.81210830027

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00766F5D NtAllocateVirtualMemory,	0_2_00766F5D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076AE73	0_2_0076AE73
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076147F	0_2_0076147F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765479	0_2_00765479
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00762066	0_2_00762066
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00769C43	0_2_00769C43
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00761030	0_2_00761030
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076163E	0_2_0076163E
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00767639	0_2_00767639
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076682A	0_2_0076682A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760612	0_2_00760612
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765404	0_2_00765404
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00763A0C	0_2_00763A0C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765608	0_2_00765608
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760EFC	0_2_00760EFC
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007646FA	0_2_007646FA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00764EC9	0_2_00764EC9
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760E85	0_2_00760E85
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760F49	0_2_00760F49
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760F35	0_2_00760F35
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00765335	0_2_00765335
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076911A	0_2_0076911A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00768BE6	0_2_00768BE6
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007615D3	0_2_007615D3
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A1CD	0_2_0076A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00764BA2	0_2_00764BA2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00760F98	0_2_00760F98
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00761599	0_2_00761599
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00761782	0_2_00761782
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A1CD	0_2_0076A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00764F8D	0_2_00764F8D

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000766F8A second address: 0000000000766F8A instructions:
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000769377 second address: 0000000000769377 instructions:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000766F8A second address: 0000000000766F8A instructions:
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000769479 second address: 00000000007694C2 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr fs:[00000030h] 0x00000009 mov eax, dword ptr [eax+0Ch] 0x0000000c mov eax, dword ptr [eax+14h] 0x0000000f test al, cl 0x00000011 mov ecx, dword ptr [eax] 0x00000013 mov eax, ecx 0x00000015 cmp ebx, eax 0x00000017 jmp 00007FE334DBD16Bh 0x00000019 test bx, bx 0x0000001c mov ebx, dword ptr [eax+28h] 0x0000001f mov dword ptr [ebp+00000277h], ebx 0x00000025 mov ebx, EFC24E89h 0x0000002a pushad 0x0000002b mov edi, 00000074h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000769377 second address: 0000000000769377 instructions:
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 00000000007670DF second address: 0000000000767117 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor edi, 4F0B01ABh 0x00000009 cmp ch, ah 0x0000000b push edi 0x0000000c cmp bx, bx 0x0000000f mov edi, dword ptr [ebp+00000203h] 0x00000015 cmp ah, 00000001h 0x00000018 test ecx, ebx 0x0000001a mov dword ptr [ebp+00000148h], 00000000h 0x00000024 add ebx, 04h 0x00000027 mov dword ptr [ebp+0000024Ah], eax 0x0000002d cmp ch, FFFFFFDAh 0x00000030 mov eax, ebx 0x00000032 pushad 0x00000033 mov ecx, 00000042h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 000000000076B44E second address: 0000000000769479 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 call 00007FE334DBAD90h 0x00000008 test dl, dl 0x0000000a pushad 0x0000000b test bh, ah 0x0000000d cmp cl, bl 0x0000000f push 92D68FDCh 0x00000014 call 00007FE334DBB6C6h 0x00000019 pushad 0x0000001a mov edi, 00000045h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 00000000007666CF second address: 00000000007667B7 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cx, 8B05h 0x00000008 mov dword ptr [ebp+00000212h], edi 0x0000000e test bh, dh 0x00000010 mov edi, ecx 0x00000012 push edi 0x00000013 cmp ecx, edx 0x00000015 mov edi, dword ptr [ebp+00000212h] 0x0000001b cmp bl, bl 0x0000001d test esi, 5BD1BFCAh 0x00000023 call 00007FE334DBD20Dh 0x00000028 call 00007FE334DBD17Eh 0x0000002d lfence 0x00000030 mov edx, C7DAD013h 0x00000035 add edx, 5901ADA8h 0x0000003b xor edx, 770150F3h 0x00000041 xor edx, 28232D5Ch 0x00000047 mov edx, dword ptr [edx] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 00000000007667B7 second address: 0000000000766703 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 27269D29h 0x00000007 xor eax, A18D231Eh 0x0000000c xor eax, 1CE799B1h 0x00000011 sub eax, 9A4C2785h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FE334DBC22Dh 0x0000001e lfence 0x00000021 mov edx, C7DAD013h 0x00000026 add edx, 5901ADA8h 0x0000002c xor edx, 770150F3h 0x00000032 xor edx, 28232D5Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 cmp esi, C7A87762h 0x00000047 pushad 0x00000048 mov eax, 00000008h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000766703 second address: 0000000000766745 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 pop ecx 0x00000004 cmp cx, E7B5h 0x00000009 add edi, edx 0x0000000b test bh, dh 0x0000000d dec ecx 0x0000000e mov dword ptr [ebp+0000024Eh], 76D68B9Dh 0x00000018 cmp ecx, edx 0x0000001a xor dword ptr [ebp+0000024Eh], 83B81CB0h 0x00000024 cmp bl, bl 0x00000026 test esi, 7FF4DB34h 0x0000002c xor dword ptr [ebp+0000024Eh], A8C87E56h 0x00000036 cmp esi, 10940B3Dh 0x0000003c pushad 0x0000003d mov eax, 00000064h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000000766745 second address: 00000000007667B7 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor dword ptr [ebp+0000024Eh], 5DA6E97Bh 0x0000000d cmp cx, 91C2h 0x00000012 test bh, dh 0x00000014 cmp ecx, dword ptr [ebp+0000024Eh] 0x0000001a jne 00007FE334DBC193h 0x00000020 cmp cx, 8B05h 0x00000025 mov dword ptr [ebp+00000212h], edi 0x0000002b test bh, dh 0x0000002d mov edi, ecx 0x0000002f push edi 0x00000030 cmp ecx, edx 0x00000032 mov edi, dword ptr [ebp+00000212h] 0x00000038 cmp bl, bl 0x0000003a test esi, 5BD1BFCAh 0x00000040 call 00007FE334DBC2DDh 0x00000045 call 00007FE334DBC24Eh 0x0000004a lfence 0x0000004d mov edx, C7DAD013h 0x00000052 add edx, 5901ADA8h 0x00000058 xor edx, 770150F3h 0x0000005e xor edx, 28232D5Ch 0x00000064 mov edx, dword ptr [edx] 0x00000066 lfence 0x00000069 ret 0x0000006a mov esi, edx 0x0000006c pushad 0x0000006d rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Code function: 0_2_00766F5D rdtsc

0_2_00766F5D

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Code function: 0_2_00766F5D rdtsc

0_2_00766F5D

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00769473 mov eax, dword ptr fs:[00000030h]	0_2_00769473
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00763A0C mov eax, dword ptr fs:[00000030h]	0_2_00763A0C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076416B mov eax, dword ptr fs:[00000030h]	0_2_0076416B
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076652D mov eax, dword ptr fs:[00000030h]	0_2_0076652D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00763DC6 mov eax, dword ptr fs:[00000030h]	0_2_00763DC6
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00768FC0 mov eax, dword ptr fs:[00000030h]	0_2_00768FC0
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A1CD mov eax, dword ptr fs:[00000030h]	0_2_0076A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_007641BA mov eax, dword ptr fs:[00000030h]	0_2_007641BA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0076A1CD mov eax, dword ptr fs:[00000030h]	0_2_0076A1CD

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: BANK DETAILS.exe, 00000000.00000002.1183852579.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: BANK DETAILS.exe, 00000000.00000002.1183852579.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: BANK DETAILS.exe, 00000000.00000002.1183852579.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: BANK DETAILS.exe, 00000000.00000002.1183852579.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Code function: 0_2_00762C11 cpuid

0_2_00762C11

ID:	458685
Product:	CloudBasic
Start time:	16:43:54
Start date:	03.08.2021
Sample:	BANK DETAILS.bat
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	37ecfc300780ade05b85fc969675e415
SHA1:	4874e705a0a075997da7d7bd8cf6f8608376600a
SHA256:	552db26bdd2347a216bb88e706ebf2bc9a145c8a5d38d082c53dcdd2f344c162
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Windows Analysis Report BANK DETAILS.bat

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map