Windows Analysis Report: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe

Overview

General Information

Sample Name: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Analysis ID: 482656
MD5: 257e1f881863b023fcddaedb2ac22e68
SHA1: 9cff8e3a2a2cb5ad3acba8d4260b2581e0098ac9
SHA256: 856d455d07bff404e39b422f1ad0bbff9397707c86670dbc1134729b44a8c868
Tags: exe, guloader

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.777526639.0000000002210000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=10smU8Pga"}
Machine Learning detection for sample
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=10smU8Pga
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe String found in binary or memory: http://creativecommons.org/licenses/by-nc-sa/3.0/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000002.775792747.000000000070A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Executable has a suspicious name (potential lure to open the executable)
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Static file information: Suspicious name
Uses 32bit PE files
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000000.250160600.000000000041E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDoorstep2.exe vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Binary or memory string: OriginalFilenameDoorstep2.exe vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
PE file contains strange resources
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02216F8F 1_2_02216F8F
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02212AE6 1_2_02212AE6
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02212AD8 1_2_02212AD8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_0221279D 1_2_0221279D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_022127F0 1_2_022127F0
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02216FC8 1_2_02216FC8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02217023 1_2_02217023
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02216C33 1_2_02216C33
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_0221A848 1_2_0221A848
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02213C97 1_2_02213C97
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02213C9B 1_2_02213C9B
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_022150F5 1_2_022150F5
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02213D33 1_2_02213D33
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02215100 1_2_02215100
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_022151AB 1_2_022151AB
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_022195AE 1_2_022195AE
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_0221518E 1_2_0221518E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02213DE8 1_2_02213DE8
Contains functionality to call native functions
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02216F8F NtAllocateVirtualMemory, 1_2_02216F8F
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02216FC8 NtAllocateVirtualMemory, 1_2_02216FC8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02217023 NtAllocateVirtualMemory, 1_2_02217023
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_022170A6 NtAllocateVirtualMemory, 1_2_022170A6
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_022170DB NtAllocateVirtualMemory, 1_2_022170DB
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Process Stats: CPU usage > 98%
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.777526639.0000000002210000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_00417BB0 push dword ptr [edi+000000BCh]; ret 1_2_004185BC
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_00406E76 push 31716A05h; retf 1_2_00406E7B
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_00405A07 push ebx; iretd 1_2_00405A09
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_00404430 pushfd ; retf 1_2_00404432
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_004064DA push esi; ret 1_2_004064E5
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_0040708F push ebx; iretd 1_2_00407091
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_004052A7 push ebx; iretd 1_2_004052A9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_00404F7C push es; iretd 1_2_00404F7D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_00405F08 push es; iretd 1_2_00405F09
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_0040392D push esi; ret 1_2_00403934
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_004063CF push ebx; iretd 1_2_004063D1
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_00406FD7 push ebx; iretd 1_2_00406FD9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_004039AE push ds; iretd 1_2_004039DF
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_004069B4 push es; iretd 1_2_004069B5
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_022106C4 push ecx; retf 1_2_022106C5
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02216B90 push 84000039h; ret 1_2_02216B95
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02213921 push esi; retf 1_2_02213922
Source: initial sample Static PE information: section name: .text entropy: 7.12774451895
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Process information set: NOOPENFILEERRORBOX
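The static-PE findings in this report (the Characteristics flag set, the .text section flags, and the .text entropy of 7.13) can be reproduced without a third-party PE library. The following is an added example and is not part of the Joe Sandbox report or of the GuLoader sample: it walks the DOS header, COFF header and section table with the standard library, decodes the same flag names the report prints, and marks any executable section whose Shannon entropy is at or above 7.0 bits per byte as packed or encrypted. The PE it triages is a constructed two-section stub built inline by build_sample_pe(); the 7.0 threshold and the flag names beyond those listed in the report are assumptions.

```python
"""Static PE triage: decode COFF Characteristics, section flags and per-section
Shannon entropy, flagging executable sections that look packed/encrypted.
Standard library only (no pefile). Added example; build_sample_pe() returns a
constructed stub, not the analysed sample."""
import hashlib
import math
import struct

# IMAGE_FILE_* bits from winnt.h (the names the report prints).
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_SCN_* section flags from winnt.h.
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
ENTROPY_THRESHOLD = 7.0  # assumption: plain x86 code usually sits around 5.5-6.5 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is uniform random, 0.0 is a single repeated value."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def triage_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    sec_table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = sec_table + 40 * i
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        flags = struct.unpack_from("<I", blob, off + 36)[0]
        entropy = shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])
        names = decode_flags(flags, SECTION_CHARACTERISTICS)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "entropy": round(entropy, 3),
            "flags": names,
            # High entropy inside an executable section is the packed/encrypted-code tell.
            "suspicious": entropy >= ENTROPY_THRESHOLD and "IMAGE_SCN_MEM_EXECUTE" in names,
        })
    return {"machine": hex(machine),
            "characteristics": decode_flags(chars, FILE_CHARACTERISTICS),
            "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed PE32 stub: a packed-looking .text next to a plain .rdata."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # deterministic, near 8 bits/byte
    plain = (b"Doorstep2.exe\0" * 64).ljust(1024, b"\0")
    e_lfanew, opt_size = 0x40, 0xE0
    sec_table = e_lfanew + 4 + 20 + opt_size
    text_ptr = (sec_table + 40 * 2 + 0x1FF) & ~0x1FF  # file-align section data to 0x200
    rdata_ptr = text_ptr + len(packed)
    chars = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100  # the flag set the report lists
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, chars)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic, rest zeroed

    def section(name, va, data, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), ptr, 0, 0, 0, 0, flags)

    headers = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew) + b"PE\0\0" + coff + optional
               + section(b".text", 0x1000, packed, text_ptr, 0x60000020)
               + section(b".rdata", 0x2000, plain, rdata_ptr, 0x40000040))
    return headers.ljust(text_ptr, b"\0") + packed + plain


if __name__ == "__main__":
    report = triage_pe(build_sample_pe())
    print("Characteristics:", ", ".join(report["characteristics"]))
    for s in report["sections"]:
        print(f"{s['name']:8} entropy={s['entropy']:.3f} suspicious={s['suspicious']} {' '.join(s['flags'])}")
```

Entropy alone is not proof of packing: a resource-heavy section or embedded compressed data also scores high. The useful signal is the combination the report shows, a high-entropy section that is also IMAGE_SCN_MEM_EXECUTE, together with RELOCS_STRIPPED and a VB6 runtime dependency (msvbvm60.dll) in what claims to be an invoice.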

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02219CE4 rdtsc 1_2_02219CE4

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02216AA7 mov eax, dword ptr fs:[00000030h] 1_2_02216AA7
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02219781 mov eax, dword ptr fs:[00000030h] 1_2_02219781
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02214390 mov eax, dword ptr fs:[00000030h] 1_2_02214390
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02219069 mov eax, dword ptr fs:[00000030h] 1_2_02219069
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_0221A848 mov eax, dword ptr fs:[00000030h] 1_2_0221A848
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02213C97 mov eax, dword ptr fs:[00000030h] 1_2_02213C97
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 1_2_02219CE4 rdtsc 1_2_02219CE4
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000002.776406971.0000000000C90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000002.776406971.0000000000C90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000002.776406971.0000000000C90000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000002.776406971.0000000000C90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000002.776406971.0000000000C90000.00000002.00020000.sdmp Binary or memory string: Progmanlock
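The PEB-read (mov eax, fs:[30h]), rdtsc and push/ret findings above are byte-pattern matches over the unpacked code region. The following is an added example, not part of the report or of the sample, that scans a code buffer for those same x86 encodings and maps the hit counts back to the signature names used in this report. SAMPLE_CODE is a constructed buffer; the base address 0x02210000 is borrowed from the report's memory region only to make the printed offsets recognisable, and the threshold of three push/ret sequences before calling it obfuscation is an assumption.

```python
"""Byte-pattern scan for the anti-analysis primitives the sandbox flagged in the
unpacked GuLoader region: PEB reads via fs:[30h], rdtsc timing, and push/ret(f)
control-flow obfuscation. Added example; SAMPLE_CODE is a constructed buffer,
not bytes from the analysed sample."""
import re

# 32-bit x86 encodings. mov eax, fs:[30h] is 64 A1 30 00 00 00; for the other
# registers it is 64 8B /r with a disp32 ModRM byte (05,0D,15,1D,25,2D,35,3D).
PATTERNS = [
    ("peb_read", re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00", re.S)),
    ("rdtsc", re.compile(rb"\x0F\x31", re.S)),
    ("push_imm_ret", re.compile(rb"\x68.{4}[\xC3\xCB]", re.S)),     # push imm32; ret / retf
    ("push_reg_ret", re.compile(rb"[\x50-\x57][\xC3\xCB]", re.S)),  # push r32; ret / retf
    ("pushfd_retf", re.compile(rb"\x9C\xCB", re.S)),                # pushfd; retf
]
OBFUSCATION_MIN_HITS = 3  # assumption: one push/ret pair is noise, several is a pattern


def scan(code: bytes, base: int = 0) -> list:
    """Return (address, pattern name, matched bytes as hex) tuples sorted by address."""
    hits = []
    for name, pattern in PATTERNS:
        for m in pattern.finditer(code):
            hits.append((base + m.start(), name, m.group().hex()))
    return sorted(hits)


def summarize(hits: list) -> dict:
    counts = {}
    for _addr, name, _raw in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


def classify(hits: list) -> list:
    """Map pattern counts onto the signature names used in the report above."""
    c = summarize(hits)
    sigs = []
    if c.get("peb_read"):
        sigs.append("Contains functionality to read the PEB")
    if c.get("rdtsc"):
        sigs.append("Contains functionality for execution timing, often used to detect debuggers")
    if sum(c.get(k, 0) for k in ("push_imm_ret", "push_reg_ret", "pushfd_retf")) >= OBFUSCATION_MIN_HITS:
        sigs.append("Uses code obfuscation techniques (call, push, ret)")
    return sigs


# Constructed buffer mixing the flagged primitives with ordinary prologue/epilogue code.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                   # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"       # mov eax, fs:[30h]      -> PEB
    b"\x8B\x40\x0C"                   # mov eax, [eax+0Ch]     -> PEB->Ldr
    b"\x0F\x31"                       # rdtsc
    b"\x8B\xD8"                       # mov ebx, eax
    b"\x68\x39\x00\x00\x84\xC3"       # push 84000039h; ret    (a jump disguised as a return)
    b"\x90\x90\x90\x90\x90\x90"       # nop sled
    b"\x56\xC3"                       # push esi; ret
    b"\x51\xCB"                       # push ecx; retf
    b"\x9C\xCB"                       # pushfd; retf
    b"\x64\x8B\x0D\x30\x00\x00\x00"   # mov ecx, fs:[30h]
    b"\x5D\xC3"                       # pop ebp; ret           (legitimate epilogue, not flagged)
)


if __name__ == "__main__":
    base = 0x02210000  # region address borrowed from the report for readable offsets
    hits = scan(SAMPLE_CODE, base)
    for addr, name, raw in hits:
        print(f"{addr:08X}  {name:13} {raw}")
    print(summarize(hits))
    print(classify(hits))
```

Two-byte patterns such as 0F 31 and 5x C3 also occur inside data and misaligned code, so run the scan over executable regions only and confirm each hit in a disassembler before treating it as evidence; the rdtsc hit in particular only matters when a second rdtsc and a compare follow it, which is the timing check the signature describes.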
No contacted IP information