Windows Analysis Report: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Overview

General Information

Sample Name: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Analysis ID: 491288
MD5: cd65994e4f53363527e3651759103759
SHA1: 241dda06961d323299c19c1f558168864867169e
SHA256: 634115d5eb91226011678443a96617cb0bcc1831621b418a0e16860b79502de7
Tags: DHL, exe, GuLoader

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.822232989.0000000000630000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://178.32.63.50/moss/nancata_Rbk"}
Multi AV Scanner detection for submitted file
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Virustotal: Detection: 29%
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe ReversingLabs: Detection: 13%
Machine Learning detection for sample
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://178.32.63.50/moss/nancata_Rbk

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.822268717.00000000006AA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.822145627.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMESALLIANCER.exe vs nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Binary or memory string: OriginalFilenameMESALLIANCER.exe vs nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
PE file contains strange resources
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Process Stats: CPU usage > 98%
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Virustotal: Detection: 29%
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe ReversingLabs: Detection: 13%
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.822232989.0000000000630000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_00408ECD push edi; iretd 0_2_00408ECE
Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_00406B5B push 8A084572h; ret 0_2_00406B68
Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Code function: 0_2_00407333 push esp; iretd 0_2_00407342
Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.822515492.0000000000D30000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.822515492.0000000000D30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.822515492.0000000000D30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.822515492.0000000000D30000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos