Windows Analysis Report BANK DETAILS.exe

Overview

General Information

Sample Name:	BANK DETAILS.exe
Analysis ID:	458685
MD5:	37ecfc300780ade05b85fc969675e415
SHA1:	4874e705a0a075997da7d7bd8cf6f8608376600a
SHA256:	552db26bdd2347a216bb88e706ebf2bc9a145c8a5d38d082c53dcdd2f344c162
Tags:	batexe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.1308788382.0000000002130000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1xfZvLwUHsJmtVI"}

Multi AV Scanner detection for submitted file

Source: BANK DETAILS.exe	Virustotal: Detection: 19%			Perma Link
Source: BANK DETAILS.exe	ReversingLabs: Detection: 15%

Compliance:

Uses 32bit PE files

Source: BANK DETAILS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1xfZvLwUHsJmtVI

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02136F5D NtAllocateVirtualMemory,		0_2_02136F5D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02137139 NtAllocateVirtualMemory,		0_2_02137139

Detected potential crypto function

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02136F5D	0_2_02136F5D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130612	0_2_02130612
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A015	0_2_0213A015
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135404	0_2_02135404
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135608	0_2_02135608
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02133A0C	0_2_02133A0C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02131030	0_2_02131030
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02137639	0_2_02137639
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A63F	0_2_0213A63F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213163E	0_2_0213163E
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213682A	0_2_0213682A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213325B	0_2_0213325B
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02139C43	0_2_02139C43
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213AE73	0_2_0213AE73
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135479	0_2_02135479
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213B878	0_2_0213B878
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213147F	0_2_0213147F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213586F	0_2_0213586F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A896	0_2_0213A896
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213B699	0_2_0213B699
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130E85	0_2_02130E85
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213B4B1	0_2_0213B4B1
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021398DA	0_2_021398DA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021342D8	0_2_021342D8
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02134EC9	0_2_02134EC9
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02132ECF	0_2_02132ECF
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021396F1	0_2_021396F1
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021346FA	0_2_021346FA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130EFC	0_2_02130EFC
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A4ED	0_2_0213A4ED
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02139D11	0_2_02139D11
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213911A	0_2_0213911A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213651A	0_2_0213651A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02136F07	0_2_02136F07
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213B30C	0_2_0213B30C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130B35	0_2_02130B35
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130F35	0_2_02130F35
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135335	0_2_02135335
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02139738	0_2_02139738
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A53D	0_2_0213A53D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02132F27	0_2_02132F27
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02132129	0_2_02132129
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02132546	0_2_02132546
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213AB46	0_2_0213AB46
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130F49	0_2_02130F49
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213416B	0_2_0213416B
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213976C	0_2_0213976C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130791	0_2_02130791
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02131599	0_2_02131599
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130F98	0_2_02130F98
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02131782	0_2_02131782
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02133185	0_2_02133185
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02134F8D	0_2_02134F8D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A1CD	0_2_0213A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213B3B7	0_2_0213B3B7
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021341BA	0_2_021341BA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135FB8	0_2_02135FB8
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02134BA2	0_2_02134BA2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021315D3	0_2_021315D3
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021307D2	0_2_021307D2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021325C4	0_2_021325C4
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A1CD	0_2_0213A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021331F5	0_2_021331F5
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021325E2	0_2_021325E2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02138BE6	0_2_02138BE6

PE file contains strange resources

Source: BANK DETAILS.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: BANK DETAILS.exe, 00000000.00000002.1308709099.00000000020C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs BANK DETAILS.exe
Source: BANK DETAILS.exe, 00000000.00000000.220585259.000000000041B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMeloplasttyskl2.exe vs BANK DETAILS.exe
Source: BANK DETAILS.exe, 00000000.00000002.1308835835.0000000002180000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMeloplasttyskl2.exeFE2Xee vs BANK DETAILS.exe
Source: BANK DETAILS.exe	Binary or memory string: OriginalFilenameMeloplasttyskl2.exe vs BANK DETAILS.exe

Uses 32bit PE files

Source: BANK DETAILS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\BANK DETAILS.exe

File created: C:\Users\user\AppData\Local\Temp\~DF0AA8BB7106EF905B.TMP

Jump to behavior

Source: BANK DETAILS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BANK DETAILS.exe	Virustotal: Detection: 19%
Source: BANK DETAILS.exe	ReversingLabs: Detection: 15%

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1308788382.0000000002130000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00412CC0 push dword ptr [ebp-14h]; ret	0_2_00414DE8
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00404460 pushfd ; ret	0_2_00404475
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_004045EE push cs; iretd	0_2_00404609
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0040428E push ds; iretd	0_2_0040429A

Source: initial sample

Static PE information: section name: .text entropy: 6.81210830027

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02136F5D NtAllocateVirtualMemory,	0_2_02136F5D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130612	0_2_02130612
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135404	0_2_02135404
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135608	0_2_02135608
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02133A0C	0_2_02133A0C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02131030	0_2_02131030
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02137639	0_2_02137639
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213163E	0_2_0213163E
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213682A	0_2_0213682A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213AE73	0_2_0213AE73
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135479	0_2_02135479
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213147F	0_2_0213147F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02132066	0_2_02132066
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130E85	0_2_02130E85
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02134EC9	0_2_02134EC9
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021346FA	0_2_021346FA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130EFC	0_2_02130EFC
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02136F07	0_2_02136F07
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130B35	0_2_02130B35
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130F35	0_2_02130F35
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135335	0_2_02135335
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130F49	0_2_02130F49
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02131599	0_2_02131599
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130F98	0_2_02130F98
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02131782	0_2_02131782
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02134F8D	0_2_02134F8D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A1CD	0_2_0213A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02134BA2	0_2_02134BA2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021315D3	0_2_021315D3
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A1CD	0_2_0213A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02138BE6	0_2_02138BE6

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002136F8A second address: 0000000002136F8A instructions:
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002139377 second address: 0000000002139377 instructions:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002136F8A second address: 0000000002136F8A instructions:
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002139479 second address: 00000000021394C2 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr fs:[00000030h] 0x00000009 mov eax, dword ptr [eax+0Ch] 0x0000000c mov eax, dword ptr [eax+14h] 0x0000000f test al, cl 0x00000011 mov ecx, dword ptr [eax] 0x00000013 mov eax, ecx 0x00000015 cmp ebx, eax 0x00000017 jmp 00007F2CCC39AE9Bh 0x00000019 test bx, bx 0x0000001c mov ebx, dword ptr [eax+28h] 0x0000001f mov dword ptr [ebp+00000277h], ebx 0x00000025 mov ebx, EFC24E89h 0x0000002a pushad 0x0000002b mov edi, 00000074h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002139377 second address: 0000000002139377 instructions:
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 00000000021370DF second address: 0000000002137117 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor edi, 4F0B01ABh 0x00000009 cmp ch, ah 0x0000000b push edi 0x0000000c cmp bx, bx 0x0000000f mov edi, dword ptr [ebp+00000203h] 0x00000015 cmp ah, 00000001h 0x00000018 test ecx, ebx 0x0000001a mov dword ptr [ebp+00000148h], 00000000h 0x00000024 add ebx, 04h 0x00000027 mov dword ptr [ebp+0000024Ah], eax 0x0000002d cmp ch, FFFFFFDAh 0x00000030 mov eax, ebx 0x00000032 pushad 0x00000033 mov ecx, 00000042h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 000000000213B44E second address: 0000000002139479 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 call 00007F2CCC9A9EE0h 0x00000008 test dl, dl 0x0000000a pushad 0x0000000b test bh, ah 0x0000000d cmp cl, bl 0x0000000f push 92D68FDCh 0x00000014 call 00007F2CCC9AA816h 0x00000019 pushad 0x0000001a mov edi, 00000045h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 00000000021366CF second address: 00000000021367B7 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cx, 8B05h 0x00000008 mov dword ptr [ebp+00000212h], edi 0x0000000e test bh, dh 0x00000010 mov edi, ecx 0x00000012 push edi 0x00000013 cmp ecx, edx 0x00000015 mov edi, dword ptr [ebp+00000212h] 0x0000001b cmp bl, bl 0x0000001d test esi, 5BD1BFCAh 0x00000023 call 00007F2CCC39AF3Dh 0x00000028 call 00007F2CCC39AEAEh 0x0000002d lfence 0x00000030 mov edx, C7DAD013h 0x00000035 add edx, 5901ADA8h 0x0000003b xor edx, 770150F3h 0x00000041 xor edx, 28232D5Ch 0x00000047 mov edx, dword ptr [edx] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 00000000021367B7 second address: 0000000002136703 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 27269D29h 0x00000007 xor eax, A18D231Eh 0x0000000c xor eax, 1CE799B1h 0x00000011 sub eax, 9A4C2785h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F2CCC9AB37Dh 0x0000001e lfence 0x00000021 mov edx, C7DAD013h 0x00000026 add edx, 5901ADA8h 0x0000002c xor edx, 770150F3h 0x00000032 xor edx, 28232D5Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 cmp esi, C7A87762h 0x00000047 pushad 0x00000048 mov eax, 00000008h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002136703 second address: 0000000002136745 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 pop ecx 0x00000004 cmp cx, E7B5h 0x00000009 add edi, edx 0x0000000b test bh, dh 0x0000000d dec ecx 0x0000000e mov dword ptr [ebp+0000024Eh], 76D68B9Dh 0x00000018 cmp ecx, edx 0x0000001a xor dword ptr [ebp+0000024Eh], 83B81CB0h 0x00000024 cmp bl, bl 0x00000026 test esi, 7FF4DB34h 0x0000002c xor dword ptr [ebp+0000024Eh], A8C87E56h 0x00000036 cmp esi, 10940B3Dh 0x0000003c pushad 0x0000003d mov eax, 00000064h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002136745 second address: 00000000021367B7 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor dword ptr [ebp+0000024Eh], 5DA6E97Bh 0x0000000d cmp cx, 91C2h 0x00000012 test bh, dh 0x00000014 cmp ecx, dword ptr [ebp+0000024Eh] 0x0000001a jne 00007F2CCC9AB2E3h 0x00000020 cmp cx, 8B05h 0x00000025 mov dword ptr [ebp+00000212h], edi 0x0000002b test bh, dh 0x0000002d mov edi, ecx 0x0000002f push edi 0x00000030 cmp ecx, edx 0x00000032 mov edi, dword ptr [ebp+00000212h] 0x00000038 cmp bl, bl 0x0000003a test esi, 5BD1BFCAh 0x00000040 call 00007F2CCC9AB42Dh 0x00000045 call 00007F2CCC9AB39Eh 0x0000004a lfence 0x0000004d mov edx, C7DAD013h 0x00000052 add edx, 5901ADA8h 0x00000058 xor edx, 770150F3h 0x0000005e xor edx, 28232D5Ch 0x00000064 mov edx, dword ptr [edx] 0x00000066 lfence 0x00000069 ret 0x0000006a mov esi, edx 0x0000006c pushad 0x0000006d rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Code function: 0_2_02136F5D rdtsc

0_2_02136F5D

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Code function: 0_2_02136F5D rdtsc

0_2_02136F5D

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02133A0C mov eax, dword ptr fs:[00000030h]	0_2_02133A0C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02139473 mov eax, dword ptr fs:[00000030h]	0_2_02139473
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213652D mov eax, dword ptr fs:[00000030h]	0_2_0213652D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213416B mov eax, dword ptr fs:[00000030h]	0_2_0213416B
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A1CD mov eax, dword ptr fs:[00000030h]	0_2_0213A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021341BA mov eax, dword ptr fs:[00000030h]	0_2_021341BA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02138FC0 mov eax, dword ptr fs:[00000030h]	0_2_02138FC0
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02133DC6 mov eax, dword ptr fs:[00000030h]	0_2_02133DC6
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A1CD mov eax, dword ptr fs:[00000030h]	0_2_0213A1CD

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: BANK DETAILS.exe, 00000000.00000002.1308437695.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: BANK DETAILS.exe, 00000000.00000002.1308437695.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: BANK DETAILS.exe, 00000000.00000002.1308437695.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: BANK DETAILS.exe, 00000000.00000002.1308437695.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Code function: 0_2_02132C11 cpuid

0_2_02132C11

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

AV Detection:

Found malware configuration

Source: 00000000.00000002.1308788382.0000000002130000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1xfZvLwUHsJmtVI"}

Multi AV Scanner detection for submitted file

Source: BANK DETAILS.exe	Virustotal: Detection: 19%			Perma Link
Source: BANK DETAILS.exe	ReversingLabs: Detection: 15%

Compliance:

Uses 32bit PE files

Source: BANK DETAILS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1xfZvLwUHsJmtVI

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02136F5D NtAllocateVirtualMemory,		0_2_02136F5D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02137139 NtAllocateVirtualMemory,		0_2_02137139

Detected potential crypto function

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02136F5D	0_2_02136F5D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130612	0_2_02130612
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A015	0_2_0213A015
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135404	0_2_02135404
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135608	0_2_02135608
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02133A0C	0_2_02133A0C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02131030	0_2_02131030
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02137639	0_2_02137639
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A63F	0_2_0213A63F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213163E	0_2_0213163E
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213682A	0_2_0213682A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213325B	0_2_0213325B
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02139C43	0_2_02139C43
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213AE73	0_2_0213AE73
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135479	0_2_02135479
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213B878	0_2_0213B878
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213147F	0_2_0213147F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213586F	0_2_0213586F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A896	0_2_0213A896
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213B699	0_2_0213B699
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130E85	0_2_02130E85
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213B4B1	0_2_0213B4B1
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021398DA	0_2_021398DA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021342D8	0_2_021342D8
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02134EC9	0_2_02134EC9
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02132ECF	0_2_02132ECF
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021396F1	0_2_021396F1
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021346FA	0_2_021346FA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130EFC	0_2_02130EFC
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A4ED	0_2_0213A4ED
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02139D11	0_2_02139D11
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213911A	0_2_0213911A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213651A	0_2_0213651A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02136F07	0_2_02136F07
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213B30C	0_2_0213B30C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130B35	0_2_02130B35
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130F35	0_2_02130F35
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135335	0_2_02135335
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02139738	0_2_02139738
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A53D	0_2_0213A53D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02132F27	0_2_02132F27
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02132129	0_2_02132129
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02132546	0_2_02132546
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213AB46	0_2_0213AB46
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130F49	0_2_02130F49
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213416B	0_2_0213416B
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213976C	0_2_0213976C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130791	0_2_02130791
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02131599	0_2_02131599
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130F98	0_2_02130F98
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02131782	0_2_02131782
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02133185	0_2_02133185
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02134F8D	0_2_02134F8D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A1CD	0_2_0213A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213B3B7	0_2_0213B3B7
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021341BA	0_2_021341BA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135FB8	0_2_02135FB8
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02134BA2	0_2_02134BA2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021315D3	0_2_021315D3
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021307D2	0_2_021307D2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021325C4	0_2_021325C4
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A1CD	0_2_0213A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021331F5	0_2_021331F5
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021325E2	0_2_021325E2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02138BE6	0_2_02138BE6

PE file contains strange resources

Source: BANK DETAILS.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: BANK DETAILS.exe, 00000000.00000002.1308709099.00000000020C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs BANK DETAILS.exe
Source: BANK DETAILS.exe, 00000000.00000000.220585259.000000000041B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMeloplasttyskl2.exe vs BANK DETAILS.exe
Source: BANK DETAILS.exe, 00000000.00000002.1308835835.0000000002180000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMeloplasttyskl2.exeFE2Xee vs BANK DETAILS.exe
Source: BANK DETAILS.exe	Binary or memory string: OriginalFilenameMeloplasttyskl2.exe vs BANK DETAILS.exe

Uses 32bit PE files

Source: BANK DETAILS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\BANK DETAILS.exe

File created: C:\Users\user\AppData\Local\Temp\~DF0AA8BB7106EF905B.TMP

Jump to behavior

Source: BANK DETAILS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BANK DETAILS.exe	Virustotal: Detection: 19%
Source: BANK DETAILS.exe	ReversingLabs: Detection: 15%

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1308788382.0000000002130000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00412CC0 push dword ptr [ebp-14h]; ret	0_2_00414DE8
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_00404460 pushfd ; ret	0_2_00404475
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_004045EE push cs; iretd	0_2_00404609
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0040428E push ds; iretd	0_2_0040429A

Source: initial sample

Static PE information: section name: .text entropy: 6.81210830027

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02136F5D NtAllocateVirtualMemory,	0_2_02136F5D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130612	0_2_02130612
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135404	0_2_02135404
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135608	0_2_02135608
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02133A0C	0_2_02133A0C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02131030	0_2_02131030
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02137639	0_2_02137639
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213163E	0_2_0213163E
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213682A	0_2_0213682A
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213AE73	0_2_0213AE73
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135479	0_2_02135479
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213147F	0_2_0213147F
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02132066	0_2_02132066
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130E85	0_2_02130E85
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02134EC9	0_2_02134EC9
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021346FA	0_2_021346FA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130EFC	0_2_02130EFC
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02136F07	0_2_02136F07
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130B35	0_2_02130B35
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130F35	0_2_02130F35
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02135335	0_2_02135335
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130F49	0_2_02130F49
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02131599	0_2_02131599
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02130F98	0_2_02130F98
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02131782	0_2_02131782
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02134F8D	0_2_02134F8D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A1CD	0_2_0213A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02134BA2	0_2_02134BA2
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021315D3	0_2_021315D3
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A1CD	0_2_0213A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02138BE6	0_2_02138BE6

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002136F8A second address: 0000000002136F8A instructions:
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002139377 second address: 0000000002139377 instructions:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002136F8A second address: 0000000002136F8A instructions:
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002139479 second address: 00000000021394C2 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr fs:[00000030h] 0x00000009 mov eax, dword ptr [eax+0Ch] 0x0000000c mov eax, dword ptr [eax+14h] 0x0000000f test al, cl 0x00000011 mov ecx, dword ptr [eax] 0x00000013 mov eax, ecx 0x00000015 cmp ebx, eax 0x00000017 jmp 00007F2CCC39AE9Bh 0x00000019 test bx, bx 0x0000001c mov ebx, dword ptr [eax+28h] 0x0000001f mov dword ptr [ebp+00000277h], ebx 0x00000025 mov ebx, EFC24E89h 0x0000002a pushad 0x0000002b mov edi, 00000074h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002139377 second address: 0000000002139377 instructions:
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 00000000021370DF second address: 0000000002137117 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor edi, 4F0B01ABh 0x00000009 cmp ch, ah 0x0000000b push edi 0x0000000c cmp bx, bx 0x0000000f mov edi, dword ptr [ebp+00000203h] 0x00000015 cmp ah, 00000001h 0x00000018 test ecx, ebx 0x0000001a mov dword ptr [ebp+00000148h], 00000000h 0x00000024 add ebx, 04h 0x00000027 mov dword ptr [ebp+0000024Ah], eax 0x0000002d cmp ch, FFFFFFDAh 0x00000030 mov eax, ebx 0x00000032 pushad 0x00000033 mov ecx, 00000042h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 000000000213B44E second address: 0000000002139479 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 call 00007F2CCC9A9EE0h 0x00000008 test dl, dl 0x0000000a pushad 0x0000000b test bh, ah 0x0000000d cmp cl, bl 0x0000000f push 92D68FDCh 0x00000014 call 00007F2CCC9AA816h 0x00000019 pushad 0x0000001a mov edi, 00000045h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 00000000021366CF second address: 00000000021367B7 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cx, 8B05h 0x00000008 mov dword ptr [ebp+00000212h], edi 0x0000000e test bh, dh 0x00000010 mov edi, ecx 0x00000012 push edi 0x00000013 cmp ecx, edx 0x00000015 mov edi, dword ptr [ebp+00000212h] 0x0000001b cmp bl, bl 0x0000001d test esi, 5BD1BFCAh 0x00000023 call 00007F2CCC39AF3Dh 0x00000028 call 00007F2CCC39AEAEh 0x0000002d lfence 0x00000030 mov edx, C7DAD013h 0x00000035 add edx, 5901ADA8h 0x0000003b xor edx, 770150F3h 0x00000041 xor edx, 28232D5Ch 0x00000047 mov edx, dword ptr [edx] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 00000000021367B7 second address: 0000000002136703 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 27269D29h 0x00000007 xor eax, A18D231Eh 0x0000000c xor eax, 1CE799B1h 0x00000011 sub eax, 9A4C2785h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F2CCC9AB37Dh 0x0000001e lfence 0x00000021 mov edx, C7DAD013h 0x00000026 add edx, 5901ADA8h 0x0000002c xor edx, 770150F3h 0x00000032 xor edx, 28232D5Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 cmp esi, C7A87762h 0x00000047 pushad 0x00000048 mov eax, 00000008h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002136703 second address: 0000000002136745 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 pop ecx 0x00000004 cmp cx, E7B5h 0x00000009 add edi, edx 0x0000000b test bh, dh 0x0000000d dec ecx 0x0000000e mov dword ptr [ebp+0000024Eh], 76D68B9Dh 0x00000018 cmp ecx, edx 0x0000001a xor dword ptr [ebp+0000024Eh], 83B81CB0h 0x00000024 cmp bl, bl 0x00000026 test esi, 7FF4DB34h 0x0000002c xor dword ptr [ebp+0000024Eh], A8C87E56h 0x00000036 cmp esi, 10940B3Dh 0x0000003c pushad 0x0000003d mov eax, 00000064h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\BANK DETAILS.exe	RDTSC instruction interceptor: First address: 0000000002136745 second address: 00000000021367B7 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor dword ptr [ebp+0000024Eh], 5DA6E97Bh 0x0000000d cmp cx, 91C2h 0x00000012 test bh, dh 0x00000014 cmp ecx, dword ptr [ebp+0000024Eh] 0x0000001a jne 00007F2CCC9AB2E3h 0x00000020 cmp cx, 8B05h 0x00000025 mov dword ptr [ebp+00000212h], edi 0x0000002b test bh, dh 0x0000002d mov edi, ecx 0x0000002f push edi 0x00000030 cmp ecx, edx 0x00000032 mov edi, dword ptr [ebp+00000212h] 0x00000038 cmp bl, bl 0x0000003a test esi, 5BD1BFCAh 0x00000040 call 00007F2CCC9AB42Dh 0x00000045 call 00007F2CCC9AB39Eh 0x0000004a lfence 0x0000004d mov edx, C7DAD013h 0x00000052 add edx, 5901ADA8h 0x00000058 xor edx, 770150F3h 0x0000005e xor edx, 28232D5Ch 0x00000064 mov edx, dword ptr [edx] 0x00000066 lfence 0x00000069 ret 0x0000006a mov esi, edx 0x0000006c pushad 0x0000006d rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Code function: 0_2_02136F5D rdtsc

0_2_02136F5D

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Code function: 0_2_02136F5D rdtsc

0_2_02136F5D

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02133A0C mov eax, dword ptr fs:[00000030h]	0_2_02133A0C
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02139473 mov eax, dword ptr fs:[00000030h]	0_2_02139473
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213652D mov eax, dword ptr fs:[00000030h]	0_2_0213652D
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213416B mov eax, dword ptr fs:[00000030h]	0_2_0213416B
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A1CD mov eax, dword ptr fs:[00000030h]	0_2_0213A1CD
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_021341BA mov eax, dword ptr fs:[00000030h]	0_2_021341BA
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02138FC0 mov eax, dword ptr fs:[00000030h]	0_2_02138FC0
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_02133DC6 mov eax, dword ptr fs:[00000030h]	0_2_02133DC6
Source: C:\Users\user\Desktop\BANK DETAILS.exe	Code function: 0_2_0213A1CD mov eax, dword ptr fs:[00000030h]	0_2_0213A1CD

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: BANK DETAILS.exe, 00000000.00000002.1308437695.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: BANK DETAILS.exe, 00000000.00000002.1308437695.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: BANK DETAILS.exe, 00000000.00000002.1308437695.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: BANK DETAILS.exe, 00000000.00000002.1308437695.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\BANK DETAILS.exe

Code function: 0_2_02132C11 cpuid

0_2_02132C11

ID:	458685
Product:	CloudBasic
Start time:	16:52:33
Start date:	03.08.2021
Sample:	BANK DETAILS.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	37ecfc300780ade05b85fc969675e415
SHA1:	4874e705a0a075997da7d7bd8cf6f8608376600a
SHA256:	552db26bdd2347a216bb88e706ebf2bc9a145c8a5d38d082c53dcdd2f344c162
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Windows Analysis Report BANK DETAILS.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map