Windows Analysis Report Unreal.exe

Overview

General Information

Sample Name: Unreal.exe
Analysis ID: 491482
MD5: 35a93d1f2edc044b3d8289abfeb17a43
SHA1: c29f2524ae4bd239c849720b1fc6ce5c13bee93b
SHA256: 88d3b3a6564e25b63b31f4a00361384fd294f228763b3bde4e3162144971d385
Tags: exe

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: Unreal.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=dow"}
Multi AV Scanner detection for submitted file
Source: Unreal.exe ReversingLabs: Detection: 13%
Machine Learning detection for sample
Source: Unreal.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Unreal.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=dow

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Unreal.exe, 00000001.00000002.1194418396.00000000006CA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: Unreal.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
PE file contains strange resources
Source: Unreal.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C0A31F 1_2_02C0A31F
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C00AC4 1_2_02C00AC4
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C07281 1_2_02C07281
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C09AA7 1_2_02C09AA7
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C0E2B0 1_2_02C0E2B0
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C07996 1_2_02C07996
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C095CB 1_2_02C095CB
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C0E567 1_2_02C0E567
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C09515 1_2_02C09515
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C0A31F NtAllocateVirtualMemory, 1_2_02C0A31F
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Unreal.exe Process Stats: CPU usage > 98%
Source: Unreal.exe ReversingLabs: Detection: 13%
Source: Unreal.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Unreal.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Unreal.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Unreal.exe File created: C:\Users\user\AppData\Local\Temp\~DFBFBC969339417D40.TMP
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.1194764231.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_00406669 push ds; iretd 1_2_0040666C
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_00404623 push esp; iretd 1_2_00404625
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_004064A6 push ebx; retf 1_2_004064B5
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_0040276E push ebx; iretd 1_2_00402771
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C05AED push eax; retf 1_2_02C05A8A
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C03221 push esp; retf 1_2_02C03223
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C00B2A push FFFFFFDEh; iretd 1_2_02C00B2C
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C01B33 push cs; iretd 1_2_02C01B34
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C02544 push ebp; retf 1_2_02C02546
Source: C:\Users\user\Desktop\Unreal.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C099BA rdtsc 1_2_02C099BA

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Unreal.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C09749 mov eax, dword ptr fs:[00000030h] 1_2_02C09749
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C0E567 mov eax, dword ptr fs:[00000030h] 1_2_02C0E567
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C0D56C mov eax, dword ptr fs:[00000030h] 1_2_02C0D56C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C099BA rdtsc 1_2_02C099BA
Source: Unreal.exe, 00000001.00000002.1194495461.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Unreal.exe, 00000001.00000002.1194495461.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Unreal.exe, 00000001.00000002.1194495461.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Unreal.exe, 00000001.00000002.1194495461.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos