Windows Analysis Report: Unreal.exe

Overview

General Information

Sample Name: Unreal.exe
Analysis ID: 491723
MD5: 35a93d1f2edc044b3d8289abfeb17a43
SHA1: c29f2524ae4bd239c849720b1fc6ce5c13bee93b
SHA256: 88d3b3a6564e25b63b31f4a00361384fd294f228763b3bde4e3162144971d385

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
PE file contains strange resources
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: Unreal.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=dow"}
Multi AV Scanner detection for submitted file
Source: Unreal.exe Virustotal: Detection: 41%
Source: Unreal.exe ReversingLabs: Detection: 13%
Machine Learning detection for sample
Source: Unreal.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Unreal.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=dow

System Summary:

Uses 32bit PE files
Source: Unreal.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_0220A31F NtAllocateVirtualMemory, 0_2_0220A31F
PE file contains strange resources
Source: Unreal.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Unreal.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_0220A31F 0_2_0220A31F
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_02209AA7 0_2_02209AA7
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_0220E2B0 0_2_0220E2B0
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_02207281 0_2_02207281
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_02200AC4 0_2_02200AC4
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_02207996 0_2_02207996
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_02209515 0_2_02209515
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_0220E567 0_2_0220E567
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_022095CB 0_2_022095CB
Source: Unreal.exe Virustotal: Detection: 41%
Source: Unreal.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\Unreal.exe File created: C:\Users\user\AppData\Local\Temp\~DF0C2B1CB96367F264.TMP
Source: Unreal.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Unreal.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Unreal.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.757328142.0000000002200000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_00406669 push ds; iretd 0_2_0040666C
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_00404623 push esp; iretd 0_2_00404625
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_004064A6 push ebx; retf 0_2_004064B5
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_0040276E push ebx; iretd 0_2_00402771
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_02203221 push esp; retf 0_2_02203223
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_02205AED push eax; retf 0_2_02205A8A
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_02200B2A push FFFFFFDEh; iretd 0_2_02200B2C
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_02201B33 push cs; iretd 0_2_02201B34
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_02202544 push ebp; retf 0_2_02202546
Source: C:\Users\user\Desktop\Unreal.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_022099BA rdtsc 0_2_022099BA

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Unreal.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_02209749 mov eax, dword ptr fs:[00000030h] 0_2_02209749
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_0220E567 mov eax, dword ptr fs:[00000030h] 0_2_0220E567
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_0220D56C mov eax, dword ptr fs:[00000030h] 0_2_0220D56C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Unreal.exe Code function: 0_2_022099BA rdtsc 0_2_022099BA
Source: Unreal.exe, 00000000.00000002.757104366.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Unreal.exe, 00000000.00000002.757104366.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Unreal.exe, 00000000.00000002.757104366.0000000000D70000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: Unreal.exe, 00000000.00000002.757104366.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: Unreal.exe, 00000000.00000002.757104366.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP information