Windows Analysis Report: Kapitu.exe

Overview

General Information

Sample Name: Kapitu.exe
Analysis ID: 491405
MD5: 149b6bd6b0d3dd2b0fbb111632d59fcc
SHA1: 33cdaa42e1a5c1fad1aa4f38dd9ad6ea75113aa7
SHA256: b622dbe802148305104ef456835748d2fc0d8edeffa64787c43c78bcb1914b2f
Tags: exe, guloader

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
PE file contains strange resources
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: Kapitu.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloadV"}
Machine Learning detection for sample
Source: Kapitu.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Kapitu.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downloadV

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Kapitu.exe, 00000000.00000002.824160244.000000000071A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: Kapitu.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
PE file contains strange resources
Source: Kapitu.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Kapitu.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_02157807 0_2_02157807
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_0215E1B8 0_2_0215E1B8
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_0215E3A7 0_2_0215E3A7
Source: C:\Users\user\Desktop\Kapitu.exe File created: C:\Users\user\AppData\Local\Temp\~DF4D2070BA92FABBC9.TMP
Source: Kapitu.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Kapitu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Kapitu.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.824313775.0000000002150000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_00403C75 pushfd ; retf 0_2_00403C76
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_0040487A push esp; iretd 0_2_00404843
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_0040480A push esp; iretd 0_2_00404843
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_00405F60 push ss; retf 0_2_00405F68
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_00404F20 push 00000016h; ret 0_2_00404F28
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_004033DC push eax; ret 0_2_004033E9
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_02152C34 push edi; retf 0_2_02152C3F
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_02152EF9 push ebx; iretd 0_2_02152FEF
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_02152F3E push ebx; iretd 0_2_02152FEF
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_02152F88 push ebx; iretd 0_2_02152FEF
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_021549BD push edx; retf 0_2_021549D1
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_02152BFC push edi; retf 0_2_02152C3F
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_021507E5 push ecx; retf 0_2_021507E6
Source: C:\Users\user\Desktop\Kapitu.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Kapitu.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_0215D408 mov eax, dword ptr fs:[00000030h] 0_2_0215D408
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_02159717 mov eax, dword ptr fs:[00000030h] 0_2_02159717
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_0215CD70 mov eax, dword ptr fs:[00000030h] 0_2_0215CD70
Source: C:\Users\user\Desktop\Kapitu.exe Code function: 0_2_0215E3A7 mov eax, dword ptr fs:[00000030h] 0_2_0215E3A7
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Kapitu.exe, 00000000.00000002.824238572.0000000000CA0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Kapitu.exe, 00000000.00000002.824238572.0000000000CA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Kapitu.exe, 00000000.00000002.824238572.0000000000CA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Kapitu.exe, 00000000.00000002.824238572.0000000000CA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos