Windows Analysis Report DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Overview

General Information

Sample Name: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Analysis ID: 491287
MD5: 8e2b177d2ab29c95f067559a029cf5e8
SHA1: f347fa229d51836344ab5bf89fa531e19aa5e324
SHA256: b9fdde7d748e27a130c509a589a2c8b92aad279604d3e4ee7ac28187fc5660be
Tags: DHL, exe, GuLoader

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Virustotal: Detection: 31%
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BEC119 NtAllocateVirtualMemory, 0_2_02BEC119
Sample file is different than original file name gathered from version info
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.871466300.0000000000419000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVOLDFRELSERS.exe vs DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Binary or memory string: OriginalFilenameVOLDFRELSERS.exe vs DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
PE file contains strange resources
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_00403DD6 0_2_00403DD6
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_0040415B 0_2_0040415B
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BEC119 0_2_02BEC119
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE42B5 0_2_02BE42B5
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE4484 0_2_02BE4484
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BECED6 0_2_02BECED6
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE303C 0_2_02BE303C
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE4419 0_2_02BE4419
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE4245 0_2_02BE4245
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE3BBE 0_2_02BE3BBE
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE3BBC 0_2_02BE3BBC
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE2F9B 0_2_02BE2F9B
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE4195 0_2_02BE4195
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE2F90 0_2_02BE2F90
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE4184 0_2_02BE4184
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE452C 0_2_02BE452C
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE3700 0_2_02BE3700
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE4358 0_2_02BE4358
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Virustotal: Detection: 31%
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe ReversingLabs: Detection: 17%
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal76.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.872323022.0000000002BE0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_00409455 push es; iretd 0_2_00409456
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_00407E31 push ds; retf 0_2_00407E32
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_004072C1 push edx; retf 0_2_004072C2
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_00406294 push edx; retf 0_2_00406297
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_00406D73 push es; retf 0_2_00406D76
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_004099EF push esp; iretd 0_2_004099F2
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_00407BFF push FFFFFFA7h; iretd 0_2_00407C53
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE0390 push BDC367A8h; ret 0_2_02BE0383
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE4F84 push esi; iretd 0_2_02BE4F87
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE3B3F rdtsc 0_2_02BE3B3F

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE58BF mov eax, dword ptr fs:[00000030h] 0_2_02BE58BF
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE88B4 mov eax, dword ptr fs:[00000030h] 0_2_02BE88B4
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BECED6 mov eax, dword ptr fs:[00000030h] 0_2_02BECED6
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE5833 mov eax, dword ptr fs:[00000030h] 0_2_02BE5833
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE5859 mov eax, dword ptr fs:[00000030h] 0_2_02BE5859
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BEB5AE mov eax, dword ptr fs:[00000030h] 0_2_02BEB5AE
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE599C mov eax, dword ptr fs:[00000030h] 0_2_02BE599C
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BEBDCB mov eax, dword ptr fs:[00000030h] 0_2_02BEBDCB
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_02BE3B3F rdtsc 0_2_02BE3B3F
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.871715764.0000000000DF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.871715764.0000000000DF0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.871715764.0000000000DF0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.871715764.0000000000DF0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP information