Windows Analysis Report Hesap Hareketleri 28-09-2021.exe

Overview

General Information

Sample Name: Hesap Hareketleri 28-09-2021.exe
Analysis ID: 491950
MD5: 2fca7a3e51417ee2e8aefafede0847d9
SHA1: 931518250bed6cd21b6cab529ed3ad9ead83cdcf
SHA256: bffbffc2b1be154742fb81ecea14cb779b8fd81581ffce2855cf588f21a8020f
Tags: exe, geo, TUR

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id"}
Multi AV Scanner detection for submitted file
Source: Hesap Hareketleri 28-09-2021.exe ReversingLabs: Detection: 26%
Machine Learning detection for sample
Source: Hesap Hareketleri 28-09-2021.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Hesap Hareketleri 28-09-2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867529345.000000000073A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: Hesap Hareketleri 28-09-2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000000.344162020.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTOBENET.exe vs Hesap Hareketleri 28-09-2021.exe
Source: Hesap Hareketleri 28-09-2021.exe Binary or memory string: OriginalFilenameTOBENET.exe vs Hesap Hareketleri 28-09-2021.exe
PE file contains strange resources
Source: Hesap Hareketleri 28-09-2021.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071727D 1_2_0071727D
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071BB62 1_2_0071BB62
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00715A60 1_2_00715A60
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071C264 1_2_0071C264
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071AA45 1_2_0071AA45
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00717447 1_2_00717447
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071584B 1_2_0071584B
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071A64C 1_2_0071A64C
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071604F 1_2_0071604F
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00715630 1_2_00715630
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071743A 1_2_0071743A
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00715625 1_2_00715625
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071262A 1_2_0071262A
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071522C 1_2_0071522C
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071561F 1_2_0071561F
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00715E04 1_2_00715E04
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00713AF5 1_2_00713AF5
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00715CD4 1_2_00715CD4
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00715ADA 1_2_00715ADA
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_007156DD 1_2_007156DD
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_007162C4 1_2_007162C4
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_007176B9 1_2_007176B9
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_007150AA 1_2_007150AA
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00710480 1_2_00710480
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00715F75 1_2_00715F75
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00715561 1_2_00715561
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071595B 1_2_0071595B
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071A727 1_2_0071A727
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_007107F5 1_2_007107F5
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_007163E5 1_2_007163E5
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071ABDA 1_2_0071ABDA
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00715BC0 1_2_00715BC0
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_007155B3 1_2_007155B3
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071079A 1_2_0071079A
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071727D NtAllocateVirtualMemory, 1_2_0071727D
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_007176B9 NtAllocateVirtualMemory, 1_2_007176B9
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00717890 NtAllocateVirtualMemory, 1_2_00717890
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00717719 NtAllocateVirtualMemory, 1_2_00717719
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Process Stats: CPU usage > 98%
Source: Hesap Hareketleri 28-09-2021.exe ReversingLabs: Detection: 26%
Source: Hesap Hareketleri 28-09-2021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe File created: C:\Users\user\AppData\Local\Temp\~DF4ED96077179BC113.TMP
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, type: MEMORY
PE file contains an invalid checksum
Source: Hesap Hareketleri 28-09-2021.exe Static PE information: real checksum: 0x24c6f should be: 0x20bce
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00402AE8 push es; ret 1_2_00402B24
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_004064F7 push 13C55635h; retf 1_2_00406525
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0040431A pushfd ; retf 1_2_0040431B
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00711A34 push ebp; iretd 1_2_00711A95
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00711EFD push esi; iretd 1_2_00711F68
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00711544 push ecx; ret 1_2_00711545
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00711922 push esi; iretd 1_2_00711F68
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00711927 push ebp; iretd 1_2_00711A95
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071712B push ds; iretd 1_2_0071712E
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00717112 push ds; iretw 1_2_00717114
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00711915 push ebp; iretd 1_2_00711A95
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00711915 push esi; iretd 1_2_00711F68
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00711993 push ebp; iretd 1_2_00711A95
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe RDTSC instruction interceptor: First address: 000000000040EB3B second address: 000000000040EB3B instructions:
0x00000000 rdtsc
0x00000002 cmp ecx, 000000A1h
0x00000008 cmp eax, 000000C9h
0x0000000d popad
0x0000000e lfence
0x00000011 lfence
0x00000014 dec edi
0x00000015 lfence
0x00000018 pushfd
0x00000019 popfd
0x0000001a cmp edi, 00000000h
0x0000001d jne 00007F72DC9E1FC6h
0x0000001f lfence
0x00000022 cmp eax, 00000089h
0x00000027 pushad
0x00000028 mfence
0x0000002b wait
0x0000002c rdtsc
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe RDTSC instruction interceptor: First address: 0000000000716F2F second address: 0000000000716F2F instructions:
0x00000000 rdtsc
0x00000002 mov eax, 8219BBE4h
0x00000007 xor eax, 75E10D96h
0x0000000c sub eax, 173DA739h
0x00000011 sub eax, E0BB0F38h
0x00000016 cpuid
0x00000018 popad
0x00000019 jmp 00007F72DCE2065Eh
0x0000001b test al, dl
0x0000001d call 00007F72DCE20618h
0x00000022 lfence
0x00000025 mov edx, C4E9AE68h
0x0000002a xor edx, 87763148h
0x00000030 xor edx, B74B9B40h
0x00000036 xor edx, 8B2A0474h
0x0000003c mov edx, dword ptr [edx]
0x0000003e lfence
0x00000041 ret
0x00000042 sub edx, esi
0x00000044 ret
0x00000045 pop ecx
0x00000046 jmp 00007F72DCE2065Ah
0x00000048 cmp dl, bl
0x0000004a add edi, edx
0x0000004c dec ecx
0x0000004d mov dword ptr [ebp+00000182h], ecx
0x00000053 mov ecx, 9B298471h
0x00000058 xor ecx, C9916611h
0x0000005e add ecx, 132F64BEh
0x00000064 add ecx, 9A17B8E2h
0x0000006a cmp dword ptr [ebp+00000182h], ecx
0x00000070 mov ecx, dword ptr [ebp+00000182h]
0x00000076 jne 00007F72DCE20583h
0x0000007c mov dword ptr [ebp+000001D9h], esi
0x00000082 mov esi, ecx
0x00000084 push esi
0x00000085 mov esi, dword ptr [ebp+000001D9h]
0x0000008b call 00007F72DCE206C4h
0x00000090 call 00007F72DCE20689h
0x00000095 lfence
0x00000098 mov edx, C4E9AE68h
0x0000009d xor edx, 87763148h
0x000000a3 xor edx, B74B9B40h
0x000000a9 xor edx, 8B2A0474h
0x000000af mov edx, dword ptr [edx]
0x000000b1 lfence
0x000000b4 ret
0x000000b5 mov esi, edx
0x000000b7 pushad
0x000000b8 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071726F rdtsc 1_2_0071726F

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00719EDE mov eax, dword ptr fs:[00000030h] 1_2_00719EDE
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00716D70 mov eax, dword ptr fs:[00000030h] 1_2_00716D70
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_00719913 mov eax, dword ptr fs:[00000030h] 1_2_00719913
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071ABDA mov eax, dword ptr fs:[00000030h] 1_2_0071ABDA
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071726F rdtsc 1_2_0071726F
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe Code function: 1_2_0071BB62 RtlAddVectoredExceptionHandler, 1_2_0071BB62
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos