Windows Analysis Report BESTPREIS-ANFRAGE.exe

Overview

General Information

Sample Name: BESTPREIS-ANFRAGE.exe
Analysis ID: 490033
MD5: 8d3b546ad98991973c7e6711e41a89ad
SHA1: c14f4afa5d0c5b29087d5d43a6c9f1b9c2393c19
SHA256: 5fdae1f887f2b5fd73bd94b5bf0f4168600c285238114fb016afe88da811312c
Tags: DEU, exe, geo, GuLoader

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

AV Detection:

Found malware configuration
Source: 00000000.00000002.856631658.0000000002260000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1rXtK"}
Multi AV Scanner detection for submitted file
Source: BESTPREIS-ANFRAGE.exe ReversingLabs: Detection: 28%

Compliance:

Uses 32bit PE files
Source: BESTPREIS-ANFRAGE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1rXtK

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: BESTPREIS-ANFRAGE.exe, 00000000.00000002.856430845.000000000074A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: BESTPREIS-ANFRAGE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: BESTPREIS-ANFRAGE.exe, 00000000.00000002.856347893.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVENALIZE.exe vs BESTPREIS-ANFRAGE.exe
Source: BESTPREIS-ANFRAGE.exe Binary or memory string: OriginalFilenameVENALIZE.exe vs BESTPREIS-ANFRAGE.exe
PE file contains strange resources
Source: BESTPREIS-ANFRAGE.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_0226C61F 0_2_0226C61F
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02266672 0_2_02266672
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02260775 0_2_02260775
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_022677B2 0_2_022677B2
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_022657B0 0_2_022657B0
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02260780 0_2_02260780
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_0226544D 0_2_0226544D
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_0226557A 0_2_0226557A
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_022665A3 0_2_022665A3
Contains functionality to call native functions
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02267B4F NtAllocateVirtualMemory, 0_2_02267B4F
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02267C4A NtAllocateVirtualMemory, 0_2_02267C4A
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Process Stats: CPU usage > 98%
Source: BESTPREIS-ANFRAGE.exe ReversingLabs: Detection: 28%
Source: BESTPREIS-ANFRAGE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe File created: C:\Users\user\AppData\Local\Temp\~DFEC32C876104529D6.TMP
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.856631658.0000000002260000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_00409087 push ss; ret 0_2_004090BD
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_00408917 pushfd ; retf 0_2_00408918
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_004059D8 push edx; retf 0_2_00405A0E
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_00408A48 push ecx; ret 0_2_00408A56
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_00402A69 push es; iretd 0_2_00402A6F
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_00405218 push ebx; iretd 0_2_00405229
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_00409B16 pushad ; retf 0_2_00409B19
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02264B33 push es; iretd 0_2_02264B4D
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02260B6A push ebp; iretd 0_2_02260B77
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02264EFD push esp; iretd 0_2_02264F00
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02261C0A push cs; ret 0_2_02261C47
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_0226A410 pushad ; iretd 0_2_0226A414
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02268CB0 push 2E9BB4ECh; iretd 0_2_02268CB5
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02261D1D push ecx; retf 0_2_02261D1E
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02264DEE push eax; iretd 0_2_02264DF5
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe RDTSC instruction interceptor: First address: 000000000040E830 second address: 000000000040E830 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 popfd 0x00000004 mfence 0x00000007 popad 0x00000008 nop 0x00000009 mfence 0x0000000c dec edi 0x0000000d cmp eax, 000000D2h 0x00000012 pushfd 0x00000013 popfd 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007F682498CB8Eh 0x00000019 nop 0x0000001a pushfd 0x0000001b popfd 0x0000001c pushad 0x0000001d wait 0x0000001e cmp ecx, 00000084h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe RDTSC instruction interceptor: First address: 0000000002267298 second address: 0000000002267298 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 1185650Fh 0x00000007 xor eax, 7B4D8634h 0x0000000c xor eax, 869DF991h 0x00000011 add eax, 13AAE557h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F6824AEA438h 0x0000001e lfence 0x00000021 mov edx, AEB5F928h 0x00000026 xor edx, 1B41005Dh 0x0000002c add edx, 46E6D0EDh 0x00000032 xor edx, 8325CA76h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+000001E9h], eax 0x0000004b mov eax, BC0FD70Dh 0x00000050 xor eax, CB05B517h 0x00000055 xor eax, 98705113h 0x0000005a xor eax, EF7A3309h 0x0000005f cmp ecx, eax 0x00000061 mov eax, dword ptr [ebp+000001E9h] 0x00000067 jne 00007F6824AEA3F2h 0x00000069 mov dword ptr [ebp+000001BBh], esi 0x0000006f mov esi, ecx 0x00000071 push esi 0x00000072 cmp bh, ch 0x00000074 mov esi, dword ptr [ebp+000001BBh] 0x0000007a test dl, cl 0x0000007c call 00007F6824AEA4F1h 0x00000081 call 00007F6824AEA459h 0x00000086 lfence 0x00000089 mov edx, AEB5F928h 0x0000008e xor edx, 1B41005Dh 0x00000094 add edx, 46E6D0EDh 0x0000009a xor edx, 8325CA76h 0x000000a0 mov edx, dword ptr [edx] 0x000000a2 lfence 0x000000a5 ret 0x000000a6 mov esi, edx 0x000000a8 pushad 0x000000a9 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02267290 rdtsc 0_2_02267290

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_022670AD mov eax, dword ptr fs:[00000030h] 0_2_022670AD
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_0226A1B6 mov eax, dword ptr fs:[00000030h] 0_2_0226A1B6
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02269C63 mov eax, dword ptr fs:[00000030h] 0_2_02269C63
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe Code function: 0_2_02267290 rdtsc 0_2_02267290
Source: BESTPREIS-ANFRAGE.exe, 00000000.00000002.856524305.0000000000DD0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: BESTPREIS-ANFRAGE.exe, 00000000.00000002.856524305.0000000000DD0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: BESTPREIS-ANFRAGE.exe, 00000000.00000002.856524305.0000000000DD0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: BESTPREIS-ANFRAGE.exe, 00000000.00000002.856524305.0000000000DD0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos