Windows Analysis Report pRcHGlVekw

Overview

General Information

Sample Name: pRcHGlVekw (renamed file extension from none to exe)
Analysis ID: 458794
MD5: d2cb32f7c7f384b4baa8dd13d6b5bbab
SHA1: 355acb5af5caaeb59fd7c9e0a54b501c24d47919
SHA256: 2bd846bdda945dc48a21c9bda1497feb9e67df8cfb024cc8669041490c7c9a90
Tags: 32exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000001.00000002.730158990.0000000000740000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.binkw"}
Multi AV Scanner detection for submitted file
Source: pRcHGlVekw.exe Virustotal: Detection: 31% Perma Link
Source: pRcHGlVekw.exe ReversingLabs: Detection: 17%
Machine Learning detection for sample
Source: pRcHGlVekw.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: pRcHGlVekw.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.binkw

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: pRcHGlVekw.exe, 00000001.00000002.730373505.000000000076A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_007459EA NtAllocateVirtualMemory, 1_2_007459EA
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00745A22 NtAllocateVirtualMemory, 1_2_00745A22
Detected potential crypto function
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00742A67 1_2_00742A67
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00748053 1_2_00748053
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00742021 1_2_00742021
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00743A2B 1_2_00743A2B
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00748817 1_2_00748817
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_007486D9 1_2_007486D9
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00747C9A 1_2_00747C9A
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00748960 1_2_00748960
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00741557 1_2_00741557
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00743944 1_2_00743944
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00742B4B 1_2_00742B4B
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0074392D 1_2_0074392D
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00744111 1_2_00744111
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00743B1F 1_2_00743B1F
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_007497F3 1_2_007497F3
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_007479D6 1_2_007479D6
PE file contains strange resources
Source: pRcHGlVekw.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pRcHGlVekw.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: pRcHGlVekw.exe, 00000001.00000002.729344916.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLIEGEMAN.exe vs pRcHGlVekw.exe
Source: pRcHGlVekw.exe, 00000001.00000002.730002789.00000000005E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs pRcHGlVekw.exe
Source: pRcHGlVekw.exe Binary or memory string: OriginalFilenameLIEGEMAN.exe vs pRcHGlVekw.exe
Uses 32bit PE files
Source: pRcHGlVekw.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\pRcHGlVekw.exe File created: C:\Users\user\AppData\Local\Temp\~DF33F62ECDF925AC8A.TMP Jump to behavior
Source: pRcHGlVekw.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: pRcHGlVekw.exe Virustotal: Detection: 31%
Source: pRcHGlVekw.exe ReversingLabs: Detection: 17%

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.730158990.0000000000740000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00407108 push ebp; retf 1_2_00407109
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00749E74 pushfd ; iretd 1_2_00749EE0
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0074A037 push ds; retf 1_2_0074A03A
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0074A033 push ds; retf 1_2_0074A036
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0074A027 push ds; retf 1_2_0074A02A
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0074A02F push ds; retf 1_2_0074A032
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0074A02B push ds; retf 1_2_0074A02E
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00748013 pushfd ; iretd 1_2_00749EE0
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_007462B4 push edi; ret 1_2_007462B6
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_007473D8 pushfd ; iretd 1_2_00749EE0
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0074979D push edx; iretd 1_2_007497A3
Source: initial sample Static PE information: section name: .text entropy: 7.08042704515
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\pRcHGlVekw.exe RDTSC instruction interceptor: First address: 0000000000747EBB second address: 0000000000747EBB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 01B6460Dh 0x00000007 xor eax, BEFED3B1h 0x0000000c sub eax, 17554910h 0x00000011 add eax, 580CB355h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F29B0A819F0h 0x0000001e lfence 0x00000021 mov edx, 1889B9A2h 0x00000026 xor edx, A7C3F6EDh 0x0000002c add edx, 20E9D255h 0x00000032 xor edx, 9FCA21B0h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d test dh, 0000006Eh 0x00000040 test cx, cx 0x00000043 cmp cx, dx 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test dh, ah 0x0000004c add edi, edx 0x0000004e dec dword ptr [ebp+000000F8h] 0x00000054 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005b jne 00007F29B0A818EAh 0x0000005d call 00007F29B0A8194Dh 0x00000062 call 00007F29B0A81A11h 0x00000067 lfence 0x0000006a mov edx, 1889B9A2h 0x0000006f xor edx, A7C3F6EDh 0x00000075 add edx, 20E9D255h 0x0000007b xor edx, 9FCA21B0h 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 test dh, 0000006Eh 0x00000089 test cx, cx 0x0000008c cmp cx, dx 0x0000008f ret 0x00000090 mov esi, edx 0x00000092 pushad 0x00000093 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00747EB3 rdtsc 1_2_00747EB3
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00747EB3 rdtsc 1_2_00747EB3
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00748817 mov eax, dword ptr fs:[00000030h] 1_2_00748817
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00743944 mov eax, dword ptr fs:[00000030h] 1_2_00743944
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00747540 mov eax, dword ptr fs:[00000030h] 1_2_00747540
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0074392D mov eax, dword ptr fs:[00000030h] 1_2_0074392D
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_007455ED mov eax, dword ptr fs:[00000030h] 1_2_007455ED
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00747BB8 mov eax, dword ptr fs:[00000030h] 1_2_00747BB8
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: pRcHGlVekw.exe, 00000001.00000002.731079680.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: pRcHGlVekw.exe, 00000001.00000002.731079680.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: pRcHGlVekw.exe, 00000001.00000002.731079680.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: pRcHGlVekw.exe, 00000001.00000002.731079680.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 458794 Sample: pRcHGlVekw Startdate: 03/08/2021 Architecture: WINDOWS Score: 80 8 Found malware configuration 2->8 10 Multi AV Scanner detection for submitted file 2->10 12 Yara detected GuLoader 2->12 14 2 other signatures 2->14 5 pRcHGlVekw.exe 1 2->5         started        process3 signatures4 16 Found potential dummy code loops (likely to delay analysis) 5->16 18 Tries to detect virtualization through RDTSC time measurements 5->18
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://101.99.94.119/WEALTH_fkWglQyCXO188.binkw true
  • Avira URL Cloud: safe
 unknown