Windows Analysis Report Dokument VAT I - 85926 09 2021 MAG-8.exe

Overview

General Information

Sample Name: Dokument VAT I - 85926 09 2021 MAG-8.exe
Analysis ID: 491309
MD5: 0a2f51e6d3650f115c1b5484afbdf3a7
SHA1: 6283d55e065802036f0e5da958bfd458a7999c09
SHA256: e49ff3e9ecbbe320e8cd29470d13b72643674b66e75ab5a824dda36eef6bf05e
Tags: exe

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.815595666.00000000021E0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1nGJi"}
Multi AV Scanner detection for submitted file
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe Virustotal: Detection: 20%

Compliance:

Uses 32bit PE files
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1nGJi

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe, 00000001.00000002.810461563.00000000006FA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe, 00000001.00000000.284587684.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAfblomstrings8.exe vs Dokument VAT I - 85926 09 2021 MAG-8.exe
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe Binary or memory string: OriginalFilenameAfblomstrings8.exe vs Dokument VAT I - 85926 09 2021 MAG-8.exe
PE file contains strange resources
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E7466 1_2_021E7466
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021EB95B 1_2_021EB95B
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E5E19 1_2_021E5E19
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E9416 1_2_021E9416
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E6014 1_2_021E6014
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E720B 1_2_021E720B
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E503A 1_2_021E503A
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E5838 1_2_021E5838
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E9638 1_2_021E9638
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E564E 1_2_021E564E
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021EA464 1_2_021EA464
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E7488 1_2_021E7488
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E5ABA 1_2_021E5ABA
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E5ED2 1_2_021E5ED2
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E54EB 1_2_021E54EB
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E5511 1_2_021E5511
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021EA92B 1_2_021EA92B
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E595E 1_2_021E595E
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E5776 1_2_021E5776
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E6166 1_2_021E6166
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E59B1 1_2_021E59B1
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E53AC 1_2_021E53AC
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E59A6 1_2_021E59A6
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E5BCA 1_2_021E5BCA
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E7466 NtAllocateVirtualMemory, 1_2_021E7466
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E7488 NtAllocateVirtualMemory, 1_2_021E7488
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Process Stats: CPU usage > 98%
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe Virustotal: Detection: 20%
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe File created: C:\Users\user\AppData\Local\Temp\~DFBDA2D233B6FDE700.TMP
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.815595666.00000000021E0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_00403E4C push esp; iretd 1_2_00403E82
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_00404E5C push esp; ret 1_2_00404E5D
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_00405029 push FFFFFFFBh; ret 1_2_0040502D
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_0040769A push ebp; ret 1_2_0040769D
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_004040B4 push esp; ret 1_2_004040B5
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_00403F77 push esp; ret 1_2_00403FF9
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_00407304 push esp; ret 1_2_004072ED
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_0040713E push esp; ret 1_2_004072ED
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_004071F5 push esp; ret 1_2_004072ED
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_00408789 push esp; ret 1_2_00408795
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_00407D93 push esp; ret 1_2_00407D99
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E3EF5 pushad ; retf 1_2_021E3EF6
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E413D push edx; iretd 1_2_021E415C
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E4552 push ecx; ret 1_2_021E4575
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E858D push esi; ret 1_2_021E858E
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E73B9 push edi; iretd 1_2_021E73CD
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E3BB7 push edx; ret 1_2_021E3BBE
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E73CF pushad ; ret 1_2_021E73D1
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E73E2 push edi; iretd 1_2_021E73CD
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe RDTSC instruction interceptor: First address: 000000000040E86D second address: 000000000040E86D instructions:
0x00000000 rdtsc
0x00000002 wait
0x00000003 nop
0x00000004 popad
0x00000005 mfence
0x00000008 mfence
0x0000000b dec edi
0x0000000c cmp eax, 63h
0x0000000f cmp eax, 04h
0x00000012 cmp edi, 00000000h
0x00000015 jne 00007F28FCD8F3C0h
0x00000017 cmp ecx, 06h
0x0000001a mfence
0x0000001d pushad
0x0000001e pushfd
0x0000001f popfd
0x00000020 pushfd
0x00000021 popfd
0x00000022 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E70A2 rdtsc 1_2_021E70A2

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E9C00 mov eax, dword ptr fs:[00000030h] 1_2_021E9C00
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E9624 mov eax, dword ptr fs:[00000030h] 1_2_021E9624
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021EA92B mov eax, dword ptr fs:[00000030h] 1_2_021EA92B
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E6BA5 mov eax, dword ptr fs:[00000030h] 1_2_021E6BA5
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021E70A2 rdtsc 1_2_021E70A2
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe Code function: 1_2_021EB95B RtlAddVectoredExceptionHandler, 1_2_021EB95B
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe, 00000001.00000002.815103622.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe, 00000001.00000002.815103622.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe, 00000001.00000002.815103622.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe, 00000001.00000002.815103622.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos