Windows Analysis Report FACTURA.exe

Overview

General Information

Sample Name: FACTURA.exe
Analysis ID: 491983
MD5: dbe61cfd43c95752f6dfbde236558782
SHA1: 71b7f9ea7778a67ffc75fa0f7d8a74dc243aae22
SHA256: 7194eca2c497f9ea9c3bb989fb7f328d9740b6d396af39ec66ec730c0db61044
Tags: exe, GuLoader

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file name is different from the original file name in the version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification: mal76.troj.evad.winEXE@1/0@0/0

AV Detection:

Found malware configuration
Source: 00000000.00000002.825566947.0000000002AD0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id="}
Multi AV Scanner detection for submitted file
Source: FACTURA.exe Virustotal: Detection: 24%
Source: FACTURA.exe ReversingLabs: Detection: 26%

Compliance:

Uses 32bit PE files
Source: FACTURA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=
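The only network indicator the report yields is the extracted Payload URL, and it is a prefix rather than a usable address: the `id=` parameter is empty, and the host is a shared file-hosting service. The Python below is an added example (not part of the report and not Joe Sandbox code) that pulls the hashes, score, family, configuration and pivots out of report text like the lines above and then decides which of them can go into a block list. `SHARED_HOSTS`, the confidence labels and the two extra URLs used for comparison are assumptions made for this example; the report excerpt is constructed from the lines on this page.

```python
"""Pull the indicators out of the sandbox report and decide which are usable.

Added example, not part of the original report and not Joe Sandbox code. The
extracted config is only a URL prefix ("...&id=" with no file id) on a shared
file-hosting service, so the check that matters is: never turn that prefix, or
its host, into a block rule. SHARED_HOSTS and the confidence labels are
assumptions; SAMPLE_REPORT is constructed from the report lines on this page.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_REPORT = """\
Sample Name: FACTURA.exe
Analysis ID: 491983
MD5: dbe61cfd43c95752f6dfbde236558782
SHA1: 71b7f9ea7778a67ffc75fa0f7d8a74dc243aae22
SHA256: 7194eca2c497f9ea9c3bb989fb7f328d9740b6d396af39ec66ec730c0db61044
Score: 76
Source: 00000000.00000002.825566947.0000000002AD0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id="}
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=
Source: FACTURA.exe Binary or memory string: OriginalFilenameexposure.exe vs FACTURA.exe
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0
"""

# Assumption: hosts where a domain block would hit legitimate traffic.
SHARED_HOSTS = {"drive.google.com", "docs.google.com", "onedrive.live.com", "www.dropbox.com"}


def _first(pattern, text, flags=re.M):
    m = re.search(pattern, text, flags)
    return m.group(1).strip() if m else None


def parse_report(text: str) -> dict:
    """Collect hashes, score, family, config, URLs and pivots from report text."""
    rep = {
        "name": _first(r"^Sample Name: (.+)$", text),
        "md5": _first(r"^MD5: ([0-9a-fA-F]{32})$", text),
        "sha1": _first(r"^SHA1: ([0-9a-fA-F]{40})$", text),
        "sha256": _first(r"^SHA256: ([0-9a-fA-F]{64})$", text),
        "score": int(_first(r"^Score: (\d+)$", text) or 0),
        "classification": _first(r"Classification label: (\S+)", text),
        # The report fuses the key and value: "OriginalFilenameexposure.exe vs ..."
        "original_filename": _first(r"OriginalFilename(\S+) vs ", text),
        "family": None, "config": {}, "urls": [],
    }
    m = re.search(r"Malware Configuration Extractor: (\S+) (\{.*\})", text)
    if m:
        rep["family"], rep["config"] = m.group(1), json.loads(m.group(2))
    urls = [v for v in rep["config"].values() if isinstance(v, str) and v.startswith("http")]
    urls += re.findall(r"configuration extractor URLs: (\S+)", text)
    rep["urls"] = list(dict.fromkeys(urls))      # de-duplicate, keep order
    return rep


def assess_payload_url(url: str) -> dict:
    """Say whether a config URL is complete and whether its host is safe to block."""
    s = urlsplit(url)
    q = parse_qs(s.query, keep_blank_values=True)
    file_id = q.get("id", [""])[0]               # empty for the prefix in this report
    shared = s.hostname in SHARED_HOSTS
    return {"host": s.hostname, "file_id": file_id, "complete": bool(file_id),
            "shared_hosting": shared, "block_host": not shared}


def build_indicators(rep: dict) -> list:
    """(type, value, confidence) triples; 'none' means record it but do not block."""
    inds = [(h, rep[h], "high") for h in ("sha256", "sha1", "md5") if rep.get(h)]
    for url in rep["urls"]:
        a = assess_payload_url(url)
        if a["complete"]:
            inds.append(("url", url, "medium"))
        elif a["block_host"]:
            inds.append(("domain", a["host"], "medium"))   # dedicated attacker host
        else:
            inds.append(("url", url, "none"))   # prefix only, on shared hosting
    if rep.get("original_filename"):
        inds.append(("filename", rep["original_filename"], "low"))  # weak pivot only
    return inds


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for kind, value, conf in build_indicators(report):
        print(f"{conf:6} {kind:8} {value}")
```

The hashes are the only high-confidence indicators the report supports. The version-info name `exposure.exe` is kept as a low-confidence pivot for hunting, and the Google Drive prefix is recorded with confidence `none` so it is visible in the case file without ever becoming a rule.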

System Summary:

Uses 32bit PE files
Source: FACTURA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file name is different from the original file name in the version info
Source: FACTURA.exe, 00000000.00000002.824965821.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilename: exposure.exe vs FACTURA.exe
Source: FACTURA.exe Binary or memory string: OriginalFilename: exposure.exe vs FACTURA.exe
PE file contains strange resources
Source: FACTURA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_004088D4 0_2_004088D4
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02ADBE11 0_2_02ADBE11
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD7A42 0_2_02AD7A42
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD62B9 0_2_02AD62B9
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD7AB5 0_2_02AD7AB5
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD04B7 0_2_02AD04B7
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD6085 0_2_02AD6085
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02ADAC9F 0_2_02ADAC9F
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD042D 0_2_02AD042D
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD6438 0_2_02AD6438
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD5E73 0_2_02AD5E73
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD7A40 0_2_02AD7A40
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD77AC 0_2_02AD77AC
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD61A5 0_2_02AD61A5
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD65B1 0_2_02AD65B1
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD579C 0_2_02AD579C
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD5FEF 0_2_02AD5FEF
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD5F12 0_2_02AD5F12
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD9F6C 0_2_02AD9F6C
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02ADA97E 0_2_02ADA97E
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD6540 0_2_02AD6540
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD735A 0_2_02AD735A
Contains functionality to call native functions
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD7A42 NtAllocateVirtualMemory, 0_2_02AD7A42
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD7AB5 NtAllocateVirtualMemory, 0_2_02AD7AB5
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD7A40 NtAllocateVirtualMemory, 0_2_02AD7A40
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD7BC1 NtAllocateVirtualMemory, 0_2_02AD7BC1
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\FACTURA.exe Process Stats: CPU usage > 98%
Source: FACTURA.exe Virustotal: Detection: 24%
Source: FACTURA.exe ReversingLabs: Detection: 26%
Source: FACTURA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FACTURA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FACTURA.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\FACTURA.exe File created: C:\Users\user\AppData\Local\Temp\~DFC7F0E2A53F7EEA66.TMP
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.825566947.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_00404C45 push ds; retf 0_2_00404C50
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_00404CEF push es; retf 0_2_00404CF5
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_00402EAF push edi; ret 0_2_00402EB0
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_0040710A push ebp; iretd 0_2_0040710B
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_00407328 push edx; ret 0_2_0040732B
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD8AC9 push ebp; iretd 0_2_02AD8AFE
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD4E7A push B48F7408h; retf 0_2_02AD4E7F
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD3B19 push 89000002h; ret 0_2_02AD3B1F
Source: C:\Users\user\Desktop\FACTURA.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\FACTURA.exe RDTSC instruction interceptor: First address: 000000000040ED87 second address: 000000000040ED87 instructions:
0x00000000 rdtsc
0x00000002 mfence
0x00000005 nop
0x00000006 popad
0x00000007 cmp ecx, 7Dh
0x0000000a mfence
0x0000000d dec edi
0x0000000e mfence
0x00000011 wait
0x00000012 cmp edi, 00000000h
0x00000015 jne 00007FC810A3F940h
0x00000017 mfence
0x0000001a cmp eax, 32h
0x0000001d pushad
0x0000001e wait
0x0000001f lfence
0x00000022 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD72A1 rdtsc 0_2_02AD72A1
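The interceptor trace above is the raw evidence behind the RDTSC signature: the loader reads the timestamp counter, fences, compares registers against small immediates inside a countdown loop, fences again and reads the counter a second time. Under a hypervisor or a single-stepping debugger the cycle delta between two such reads is far larger than on bare metal, which is what the comparison exploits. The Python below is an added example (not part of the report and not Joe Sandbox code) that parses a trace in this flat "offset mnemonic operands" form, lists the immediates the code compares against, and flags the window between two RDTSC reads as a timing check when it contains a compare and a serializing fence. That heuristic and the mnemonic sets are assumptions made for this example; `SAMPLE_TRACE` is the report's own trace flattened into one string.

```python
"""Triage helper for the 'RDTSC instruction interceptor' trace printed above.

Added example, not part of the original report and not Joe Sandbox code. It
parses the flat "offset mnemonic operands" trace into instructions, pulls out
the immediates the loader compares against, and decides whether the window
between two RDTSC reads has the shape of a cycle-delta check. The heuristic
(compare plus serializing fence between two reads) and the mnemonic sets are
assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Constructed from the interceptor line in the report above, flattened to one string.
SAMPLE_TRACE = (
    "0x00000000 rdtsc 0x00000002 mfence 0x00000005 nop 0x00000006 popad "
    "0x00000007 cmp ecx, 7Dh 0x0000000a mfence 0x0000000d dec edi 0x0000000e mfence "
    "0x00000011 wait 0x00000012 cmp edi, 00000000h 0x00000015 jne 00007FC810A3F940h "
    "0x00000017 mfence 0x0000001a cmp eax, 32h 0x0000001d pushad 0x0000001e wait "
    "0x0000001f lfence 0x00000022 rdtsc"
)

SERIALIZING = {"cpuid", "mfence", "lfence"}   # keep the two reads ordered
COMPARES = {"cmp", "sub", "test"}
_OFFSET_SPLIT = re.compile(r"\s*0x([0-9a-fA-F]{8})\s+")
_HEX_IMM = re.compile(r"[0-9A-Fa-f]+h")          # MASM-style immediate, e.g. 7Dh


@dataclass
class Insn:
    offset: int
    mnemonic: str
    operands: str


def parse_trace(trace: str) -> list:
    """Split 'OFFSET mnemonic [operands] OFFSET ...' into Insn records."""
    parts = _OFFSET_SPLIT.split(trace.strip())
    # parts[0] is any text before the first offset; then (offset, body) pairs follow.
    insns = []
    for off, body in zip(parts[1::2], parts[2::2]):
        mnem, _, ops = body.strip().partition(" ")
        insns.append(Insn(int(off, 16), mnem.lower(), ops.strip()))
    return insns


def immediate_thresholds(insns: list) -> dict:
    """Map register -> immediate for every 'cmp reg, NNh' in the trace."""
    found = {}
    for x in insns:
        if x.mnemonic != "cmp":
            continue
        ops = [p.strip() for p in x.operands.split(",")]
        if len(ops) == 2 and _HEX_IMM.fullmatch(ops[1]):
            found[ops[0]] = int(ops[1][:-1], 16)
    return found


def classify_rdtsc_trace(insns: list) -> dict:
    """Describe the window between the first and last RDTSC read."""
    reads = [i for i, x in enumerate(insns) if x.mnemonic == "rdtsc"]
    result = {"rdtsc_reads": len(reads), "compares_between": 0,
              "branches_between": 0, "serialized": False, "timing_check": False}
    if len(reads) < 2:
        return result                     # a single read cannot measure a delta
    window = insns[reads[0] + 1 : reads[-1]]
    result["compares_between"] = sum(1 for x in window if x.mnemonic in COMPARES)
    result["branches_between"] = sum(1 for x in window if x.mnemonic.startswith("j"))
    result["serialized"] = any(x.mnemonic in SERIALIZING for x in window)
    # Assumed heuristic: a compare between two fenced reads is the shape of a
    # cycle-delta check; ordinary code has no reason to fence around RDTSC.
    result["timing_check"] = result["compares_between"] > 0 and result["serialized"]
    return result


if __name__ == "__main__":
    insns = parse_trace(SAMPLE_TRACE)
    print(f"{len(insns)} instructions, thresholds {immediate_thresholds(insns)}")
    print(classify_rdtsc_trace(insns))
```

On the report's trace this yields 17 instructions, the immediates 0x7D, 0 and 0x32 compared against ecx, edi and eax, and a positive timing-check verdict. The trace itself does not say which register holds the cycle delta and which the loop counter; the helper only reports what is compared, and that question is left to the analyst with the memory dump.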

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\FACTURA.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD70C9 mov eax, dword ptr fs:[00000030h] 0_2_02AD70C9
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD9C78 mov eax, dword ptr fs:[00000030h] 0_2_02AD9C78
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02ADA199 mov eax, dword ptr fs:[00000030h] 0_2_02ADA199
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD4929 mov eax, dword ptr fs:[00000030h] 0_2_02AD4929
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02AD72A1 rdtsc 0_2_02AD72A1
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_02ADBE11 RtlAddVectoredExceptionHandler, 0_2_02ADBE11
Source: FACTURA.exe, 00000000.00000002.825239169.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: FACTURA.exe, 00000000.00000002.825239169.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: FACTURA.exe, 00000000.00000002.825239169.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Progman
Source: FACTURA.exe, 00000000.00000002.825239169.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IPs: no DNS queries or network connections were observed during the analysis.