Windows Analysis Report Payment_Advice.exe

Overview

General Information

Sample Name: Payment_Advice.exe
Analysis ID: 491364
MD5: 3a27f66a430a3b54d24fb8f75e837175
SHA1: 4af41cd66669d3c2307c1b5af5c198778d174826
SHA256: dd996392170826c47b9ab378464423e470a1bdfdff7bcd183c61e3e7896d4326
Tags: exeguloader

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.816420146.0000000002270000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=do"}
Multi AV Scanner detection for submitted file
Source: Payment_Advice.exe ReversingLabs: Detection: 11%

Compliance:

Uses 32bit PE files
Source: Payment_Advice.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=do

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment_Advice.exe
Executable has a suspicious name (potential lure to open the executable)
Source: Payment_Advice.exe Static file information: Suspicious name
Uses 32bit PE files
Source: Payment_Advice.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Payment_Advice.exe, 00000000.00000002.813548449.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAFFEJENDES.exe vs Payment_Advice.exe
Source: Payment_Advice.exe Binary or memory string: OriginalFilenameAFFEJENDES.exe vs Payment_Advice.exe
PE file contains strange resources
Source: Payment_Advice.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_02277792 0_2_02277792
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_0227BB90 0_2_0227BB90
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_022752DA 0_2_022752DA
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_02279B36 0_2_02279B36
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_02277B60 0_2_02277B60
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_02275463 0_2_02275463
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_02277528 0_2_02277528
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_0227A9AA 0_2_0227A9AA
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_02277792 NtAllocateVirtualMemory, 0_2_02277792
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Payment_Advice.exe Process Stats: CPU usage > 98%
Source: Payment_Advice.exe ReversingLabs: Detection: 11%
Source: Payment_Advice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment_Advice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe File created: C:\Users\user\AppData\Local\Temp\~DF32C15638EC5B1167.TMP
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.816420146.0000000002270000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_0040407C pushfd ; retf 0_2_0040417B
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00404004 pushfd ; retf 0_2_0040417B
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_004040D2 pushfd ; retf 0_2_0040417B
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00406AAD push edi; retf 0_2_00406AB8
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00408578 push BCCCD893h; retf 0_2_0040857D
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00405124 push ebp; ret 0_2_00405126
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_0040332B pushad ; ret 0_2_004034E9
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_004053ED push 98EC4AA3h; iretd 0_2_00405421
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_004031F9 push cs; retf 0_2_004031FA
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00403397 pushad ; ret 0_2_004034E9
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_0040639F push eax; iretd 0_2_004063A0
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00406BB3 push edi; ret 0_2_00406BC2
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_02270475 push ds; iretd 0_2_022704F9
Source: C:\Users\user\Desktop\Payment_Advice.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Payment_Advice.exe RDTSC instruction interceptor: First address: 000000000040EAAD second address: 000000000040EAAD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 nop 0x00000006 popad 0x00000007 cmp ecx, 000000E3h 0x0000000d wait 0x0000000e dec edi 0x0000000f cmp ecx, 0000009Bh 0x00000015 cmp ecx, 21h 0x00000018 cmp edi, 00000000h 0x0000001b jne 00007F774439025Ch 0x0000001d wait 0x0000001e nop 0x0000001f pushad 0x00000020 mfence 0x00000023 mfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Payment_Advice.exe RDTSC instruction interceptor: First address: 000000000227703A second address: 000000000227703A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 3D8136F2h 0x00000007 sub eax, 4424654Ch 0x0000000c add eax, 25DE290Dh 0x00000011 xor eax, 1F3AFAB2h 0x00000016 cpuid 0x00000018 jmp 00007F774490E99Ah 0x0000001a test dx, ax 0x0000001d popad 0x0000001e call 00007F774490E95Bh 0x00000023 lfence 0x00000026 mov edx, 9B1CCDD8h 0x0000002b xor edx, AF97A1F8h 0x00000031 xor edx, A8058B4Dh 0x00000037 xor edx, E370E779h 0x0000003d mov edx, dword ptr [edx] 0x0000003f lfence 0x00000042 ret 0x00000043 sub edx, esi 0x00000045 ret 0x00000046 pop ecx 0x00000047 add edi, edx 0x00000049 dec ecx 0x0000004a mov dword ptr [ebp+000001E8h], ecx 0x00000050 mov ecx, 9B315063h 0x00000055 add ecx, 41FD8E20h 0x0000005b xor ecx, BAB84FC4h 0x00000061 sub ecx, 67969147h 0x00000067 cmp dword ptr [ebp+000001E8h], ecx 0x0000006d mov ecx, dword ptr [ebp+000001E8h] 0x00000073 jne 00007F774490E90Dh 0x00000075 mov dword ptr [ebp+00000216h], edx 0x0000007b mov edx, ecx 0x0000007d push edx 0x0000007e mov edx, dword ptr [ebp+00000216h] 0x00000084 cmp bl, dl 0x00000086 call 00007F774490E9BCh 0x0000008b call 00007F774490E9C9h 0x00000090 lfence 0x00000093 mov edx, 9B1CCDD8h 0x00000098 xor edx, AF97A1F8h 0x0000009e xor edx, A8058B4Dh 0x000000a4 xor edx, E370E779h 0x000000aa mov edx, dword ptr [edx] 0x000000ac lfence 0x000000af ret 0x000000b0 mov esi, edx 0x000000b2 pushad 0x000000b3 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_02277032 rdtsc 0_2_02277032

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Payment_Advice.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_02276E76 mov eax, dword ptr fs:[00000030h] 0_2_02276E76
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_02279E4A mov eax, dword ptr fs:[00000030h] 0_2_02279E4A
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_022798A6 mov eax, dword ptr fs:[00000030h] 0_2_022798A6
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_02274D08 mov eax, dword ptr fs:[00000030h] 0_2_02274D08
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_02277032 rdtsc 0_2_02277032
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_0227BB90 RtlAddVectoredExceptionHandler, 0_2_0227BB90
Source: Payment_Advice.exe, 00000000.00000002.814578023.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Payment_Advice.exe, 00000000.00000002.814578023.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Payment_Advice.exe, 00000000.00000002.814578023.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Payment_Advice.exe, 00000000.00000002.814578023.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos