Windows Analysis Report DHL.com

Overview

General Information

Sample Name: DHL.com (renamed file extension from com to exe)
Analysis ID: 490026
MD5: 8fab6753620475b356fb55cb3339aa8f
SHA1: d1d7badd885b824b212be62c7caa7ff33d419d05
SHA256: 83e4ae7f04653b03a31836d92b1d70b1d9264a2fe7a4570cf39f4be1bf134e2b
Tags: com DHL exe GuLoader

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: DHL.exe Malware Configuration Extractor: GuLoader {"Payload URL": "http://107.189.4.115/ncHJfummF147.bin"}
Multi AV Scanner detection for submitted file
Source: DHL.exe Virustotal: Detection: 28%
Source: DHL.exe ReversingLabs: Detection: 11%
Machine Learning detection for sample
Source: DHL.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.DHL.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 1.0.DHL.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen

Compliance:

Uses 32bit PE files
Source: DHL.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://107.189.4.115/ncHJfummF147.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: DHL.exe, 00000001.00000002.712237574.000000000071A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: DHL.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: DHL.exe, 00000001.00000002.712188985.000000000041D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSEMIQUOTE.exe vs DHL.exe
Source: DHL.exe Binary or memory string: OriginalFilenameSEMIQUOTE.exe vs DHL.exe
PE file contains strange resources
Source: DHL.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023B2214 1_2_023B2214
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023AFA47 1_2_023AFA47
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023ADB58 1_2_023ADB58
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A563C 1_2_023A563C
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023B0034 1_2_023B0034
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A5628 1_2_023A5628
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A4017 1_2_023A4017
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A5846 1_2_023A5846
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A4EB0 1_2_023A4EB0
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023B00B5 1_2_023B00B5
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A4EAD 1_2_023A4EAD
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A409A 1_2_023A409A
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A4EF0 1_2_023A4EF0
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A58E0 1_2_023A58E0
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A56CA 1_2_023A56CA
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A4933 1_2_023A4933
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023AF37A 1_2_023AF37A
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A594A 1_2_023A594A
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A574C 1_2_023A574C
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A59A3 1_2_023A59A3
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A598D 1_2_023A598D
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023B0B86 1_2_023B0B86
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023AEFE8 1_2_023AEFE8
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A59D2 1_2_023A59D2
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A3FC2 1_2_023A3FC2
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A57C3 1_2_023A57C3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030E2214 26_2_030E2214
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D574C 26_2_030D574C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D57C3 26_2_030D57C3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D3FC2 26_2_030D3FC2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D5628 26_2_030D5628
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D563C 26_2_030D563C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D56CA 26_2_030D56CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D4933 26_2_030D4933
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D594A 26_2_030D594A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D598D 26_2_030D598D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D59A3 26_2_030D59A3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D59D2 26_2_030D59D2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D4017 26_2_030D4017
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D5846 26_2_030D5846
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D409A 26_2_030D409A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D58E0 26_2_030D58E0
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023B2214 NtResumeThread, 1_2_023B2214
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023B1C6C NtProtectVirtualMemory, 1_2_023B1C6C
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023AFA47 NtAllocateVirtualMemory, 1_2_023AFA47
Abnormal high CPU Usage
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\DHL.exe Process Stats: CPU usage > 98%
Source: DHL.exe Virustotal: Detection: 28%
Source: DHL.exe ReversingLabs: Detection: 11%
Source: DHL.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DHL.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\DHL.exe 'C:\Users\user\Desktop\DHL.exe'
Source: C:\Users\user\Desktop\DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe'
Source: C:\Users\user\Desktop\DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe'
Source: C:\Users\user\Desktop\DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe'
Source: C:\Users\user\Desktop\DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe'
Source: C:\Users\user\Desktop\DHL.exe File created: C:\Users\user~1\AppData\Local\Temp\~DFBEC8D2F5C809F532.TMP
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.712369007.00000000023A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.791045987.00000000030D0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_00402416 push 0040107Ch; ret 1_2_00402433
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_00402434 push 0040107Ch; ret 1_2_00402447
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_00408695 push 0000007Bh; iretd 1_2_004087CD
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_004090BB push 00000054h; iretd 1_2_004090BA
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_00404F07 push ebp; retf 1_2_00404EFF
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_00408FD0 push 00000054h; iretd 1_2_004090BA
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A50F2 pushfd ; retf 1_2_023A50FE
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A155E push ebp; iretd 1_2_023A1560
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D0763 push cs; iretd 26_2_030D076B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D091D push FFFFFF96h; iretd 26_2_030D091F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D155E push ebp; iretd 26_2_030D1560
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030D50F1 pushfd ; retf 26_2_030D50FE
Source: C:\Users\user\Desktop\DHL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL.exe Process information set: NOOPENFILEERRORBOX
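The push/ret pairs listed above are what they look like: `push imm32; ret` is an unconditional `jmp imm32` that a linear disassembler shows as a fall-through, and `push x; iretd` or `push ebp; retf` are junk sequences that derail decoding. The scanner below is an added example (not code from the report or from Joe Sandbox) that finds those byte shapes in a code buffer and, for the `push imm32; ret` form, resolves the jump target. The sample bytes are constructed for the example and laid out at 0x00402416, the address the report gives for the first `push 0040107Ch; ret`; they are not bytes taken from DHL.exe. The scanner only matches a push immediately followed by the ret-family opcode, whereas the report's start/end addresses show instructions in between, so treat it as a first-pass heuristic rather than a decoder.

```python
"""Decode x86 push/ret-family obfuscation stubs and resolve push/ret to its jmp target."""
import struct

# Constructed sample (not bytes from DHL.exe): one stub of each shape the report lists.
SAMPLE_BASE = 0x00402416
SAMPLE_BYTES = bytes.fromhex(
    "687C104000C3"   # push 0040107Ch ; ret    == jmp 0040107Ch
    "6A7BCF"         # push 0000007Bh ; iretd  (junk, pops EIP/CS/EFLAGS from whatever is on the stack)
    "55CB"           # push ebp ; retf
    "9CCB"           # pushfd ; retf
    "90"             # nop padding
)

RETS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
SINGLE_PUSH = {0x55: "push ebp", 0x9C: "pushfd", 0x0E: "push cs"}


def find_push_ret(code: bytes, base: int):
    """Return dicts with the stub address, its text in the report's style and,
    for `push imm32; ret`, the resolved jump target (None for the other shapes)."""
    hits = []
    i = 0
    while i < len(code):
        op = code[i]
        # 68 imm32 followed by a ret-family opcode
        if op == 0x68 and i + 5 < len(code) and code[i + 5] in RETS:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            ret = RETS[code[i + 5]]
            hits.append({"addr": base + i, "text": f"push {imm:08X}h; {ret}",
                         "target": imm if ret == "ret" else None})
            i += 6
        # 6A imm8, sign-extended to 32 bits (which is why the report prints FFFFFF96h)
        elif op == 0x6A and i + 2 < len(code) and code[i + 2] in RETS:
            imm = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
            ret = RETS[code[i + 2]]
            hits.append({"addr": base + i, "text": f"push {imm:08X}h; {ret}",
                         "target": imm if ret == "ret" else None})
            i += 3
        # one-byte push of a register or flags followed by a ret-family opcode
        elif op in SINGLE_PUSH and i + 1 < len(code) and code[i + 1] in RETS:
            hits.append({"addr": base + i,
                         "text": f"{SINGLE_PUSH[op]}; {RETS[code[i + 1]]}",
                         "target": None})
            i += 2
        else:
            i += 1
    return hits


def as_jumps(hits):
    """Map stub address -> target for the stubs that are really an unconditional jmp."""
    return {h["addr"]: h["target"] for h in hits if h["target"] is not None}


if __name__ == "__main__":
    found = find_push_ret(SAMPLE_BYTES, SAMPLE_BASE)
    for h in found:
        print(f"{h['addr']:08X}  {h['text']}")
    print({f"{k:08X}": f"{v:08X}" for k, v in as_jumps(found).items()})
```

When following control flow out of such a stub in a disassembler, the `as_jumps` map is what you patch in: replace the `push imm32; ret` pair with `jmp imm32` and the analyser can continue at the real target instead of the fall-through bytes.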

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\DHL.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\DHL.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL.exe, 00000001.00000002.712246912.0000000000731000.00000004.00000020.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE-3){
Source: DHL.exe, 00000001.00000002.712412278.00000000023E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: DHL.exe, 00000001.00000002.712412278.00000000023E0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: DHL.exe, 00000001.00000002.712246912.0000000000731000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A4E28 rdtsc 1_2_023A4E28
Source: C:\Users\user\Desktop\DHL.exe System information queried: ModuleInformation
Source: DHL.exe, 00000001.00000002.712412278.00000000023E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: DHL.exe, 00000001.00000002.712246912.0000000000731000.00000004.00000020.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe-3){
Source: DHL.exe, 00000001.00000002.712412278.00000000023E0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: DHL.exe, 00000001.00000002.712246912.0000000000731000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
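The evasion evidence above is the sample probing for the QEMU guest agent at two install paths, and the same paths turn up in the memory dumps both as plain ASCII and (the `\??\` NT form) as UTF-16LE, in mixed and upper case. The scanner below is an added example, not code from the report or from Joe Sandbox, of the check an analyst runs over a dump to pull such artifacts out: it searches for guest-agent file names case-insensitively in both encodings and reports the offset of each hit. The dump bytes are constructed to mirror the two strings printed above; the entries for VirtualBox and VMware in `ARTIFACTS` are common equivalents added by this example and are not something the report lists for this sample.

```python
"""Find sandbox/VM guest-agent file names in a memory dump, ASCII or UTF-16LE, any case."""
import re

# Constructed dump excerpt (not the report's .sdmp): an ASCII run modelled on the
# string printed from 023E0000 and a UTF-16LE run modelled on the \??\ path from 00731000.
ASCII_RUN = (b"ntdllkernel32C:\\Program Files\\Qemu-ga\\qemu-ga.exe"
             b"C:\\Program Files\\qga\\qga.exeuser32psapi.dll")
UTF16_RUN = "\\??\\C:\\PROGRAM FILES\\QEMU-GA\\QEMU-GA.EXE".encode("utf-16-le")
SAMPLE_DUMP = b"\x00" * 16 + ASCII_RUN + b"\x00" * 32 + UTF16_RUN + b"\x00" * 16

# File names worth flagging. The first two are what this sample probes; the other two
# are this example's own additions for other hypervisors, not taken from the report.
ARTIFACTS = {
    "qemu-ga.exe": "QEMU guest agent (the report ties this probe to Any.run)",
    "qga.exe": "QEMU guest agent, alternate install path",
    "vboxservice.exe": "VirtualBox guest service",
    "vmtoolsd.exe": "VMware Tools service",
}


def scan_vm_artifacts(dump: bytes):
    """Return sorted hits: artifact name, encoding it was found in, byte offset, note."""
    # bytes.lower() folds only ASCII letters, so it works on UTF-16LE text too
    # (the high byte of each code unit is 0x00 and is left untouched).
    lowered = dump.lower()
    hits = []
    for name, note in ARTIFACTS.items():
        patterns = (("ascii", name.encode("ascii")),
                    ("utf-16le", name.encode("utf-16-le")))
        for enc, pat in patterns:
            for m in re.finditer(re.escape(pat), lowered):
                hits.append({"artifact": name, "encoding": enc,
                             "offset": m.start(), "note": note})
    hits.sort(key=lambda h: h["offset"])
    return hits


def artifact_names(dump: bytes):
    """Just the distinct file names seen, for a quick verdict line."""
    return sorted({h["artifact"] for h in scan_vm_artifacts(dump)})


if __name__ == "__main__":
    for h in scan_vm_artifacts(SAMPLE_DUMP):
        print(f"{h['offset']:#08x} {h['encoding']:<8} {h['artifact']:<16} {h['note']}")
    print("probes for:", artifact_names(SAMPLE_DUMP))
```

Lowercasing the whole dump once and searching lowercase patterns is cheaper than a case-insensitive regex per artifact on a large dump, and it is what makes the upper-case `\??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE` form match the same pattern as the mixed-case one.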

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\DHL.exe Thread information set: HideFromDebugger
Found potential dummy code loops (likely to delay analysis)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023B0B86 mov eax, dword ptr fs:[00000030h] 1_2_023B0B86
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023AEBEB mov eax, dword ptr fs:[00000030h] 1_2_023AEBEB
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023AF5DE mov eax, dword ptr fs:[00000030h] 1_2_023AF5DE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030DEBEB mov eax, dword ptr fs:[00000030h] 26_2_030DEBEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030DF5DE mov eax, dword ptr fs:[00000030h] 26_2_030DF5DE
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL.exe Code function: 1_2_023A4E28 rdtsc 1_2_023A4E28
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 26_2_030E2214 RtlAddVectoredExceptionHandler, 26_2_030E2214

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\DHL.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 30D0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe'
Source: C:\Users\user\Desktop\DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL.exe'
Source: ieinstal.exe, 0000001A.00000002.791529522.0000000003A10000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: ieinstal.exe, 0000001A.00000002.791529522.0000000003A10000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000001A.00000002.791529522.0000000003A10000.00000002.00020000.sdmp Binary or memory string: Progman
Source: ieinstal.exe, 0000001A.00000002.791529522.0000000003A10000.00000002.00020000.sdmp Binary or memory string: Progmanlock
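Taken together, the evidence in this section and in System Summary is the classic hollowing chain: DHL.exe creates ieinstal.exe suspended, writes into it at base 30D0000 (the region the Yara match and the native-call evidence point at), and resumes it, and the child's command line is `'C:\Users\user\Desktop\DHL.exe'` even though its image is ieinstal.exe. The code below is an added example, not the report's or Joe Sandbox's code, of correlating those steps from an event stream: it flags the image/command-line mismatch on its own and raises the verdict to hollowing when the parent that created the child suspended also wrote its memory and resumed it. The event records and their field names are constructed for this example and do not follow a Joe Sandbox or Sysmon schema; the notepad.exe events are a benign control.

```python
"""Correlate create-suspended / foreign memory write / resume into a hollowing verdict."""
import ntpath

# Processes already running before the events (constructed).
KNOWN = {1: r"C:\Users\user\Desktop\DHL.exe", 7: r"C:\Windows\explorer.exe"}

# Constructed events. The first three mirror the report's evidence lines for
# ieinstal.exe; the last two are a normal explorer.exe -> notepad.exe launch.
EVENTS = [
    {"type": "process_create", "pid": 26, "ppid": 1,
     "image": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
     "cmdline": r"'C:\Users\user\Desktop\DHL.exe'", "flags": ["CREATE_SUSPENDED"]},
    {"type": "memory_write", "pid": 1, "target_pid": 26, "base": 0x30D0000},
    {"type": "thread_resume", "pid": 1, "target_pid": 26},
    {"type": "process_create", "pid": 40, "ppid": 7,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" notes.txt', "flags": []},
    {"type": "thread_resume", "pid": 7, "target_pid": 40},
]


def cmdline_exe(cmdline: str) -> str:
    """argv[0] of a Windows command line: the quoted first token, else up to the first space."""
    cmdline = cmdline.strip()
    if cmdline[:1] in ('"', "'"):
        end = cmdline.find(cmdline[0], 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def analyze(events, known):
    """Return one finding per child process that shows hollowing indicators."""
    images = dict(known)
    children = {}  # child pid -> {ppid, image, reasons}
    for ev in events:
        if ev["type"] == "process_create":
            images[ev["pid"]] = ev["image"]
            rec = children.setdefault(ev["pid"], {"ppid": ev["ppid"], "image": ev["image"], "reasons": []})
            if "CREATE_SUSPENDED" in ev["flags"]:
                rec["reasons"].append("created suspended")
            # A hollowed child keeps the command line of the payload's chosen
            # disguise, so argv[0] and the actual image disagree.
            claimed = ntpath.basename(cmdline_exe(ev["cmdline"])).lower()
            actual = ntpath.basename(ev["image"]).lower()
            if claimed != actual:
                rec["reasons"].append(f"command line names {claimed} but image is {actual}")
        elif ev["type"] == "memory_write":
            rec = children.get(ev["target_pid"])
            if rec and ev["pid"] == rec["ppid"]:
                rec["reasons"].append(f"parent wrote foreign memory at {ev['base']:#x}")
        elif ev["type"] == "thread_resume":
            rec = children.get(ev["target_pid"])
            if rec and ev["pid"] == rec["ppid"] and "created suspended" in rec["reasons"]:
                rec["reasons"].append("parent resumed the suspended thread")

    findings = []
    for pid, rec in children.items():
        reasons = rec["reasons"]
        full_chain = ("created suspended" in reasons
                      and "parent resumed the suspended thread" in reasons
                      and any(r.startswith("parent wrote") for r in reasons))
        if full_chain:
            verdict = "process hollowing"
        elif reasons:
            verdict = "suspicious"
        else:
            continue
        findings.append({"pid": pid, "parent": images.get(rec["ppid"], "?"),
                         "image": rec["image"], "reasons": reasons, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS, KNOWN):
        print(f"pid {f['pid']} {f['image']} <- {f['parent']}: {f['verdict']}")
        for r in f["reasons"]:
            print("   -", r)
```

The mismatch check is the cheap signal: it needs only the process-creation record, which every EDR and Sysmon deployment already has, whereas the foreign memory write needs an API-level sensor. The resume step is only counted when the same parent created the child suspended, which is what keeps an ordinary parent launching a child (the notepad control) out of the findings.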

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
No contacted IP infos