Windows Analysis Report FACTURA.exe

Overview

General Information

Sample Name: FACTURA.exe
Analysis ID: 499407
MD5: 740463ed3266f7aee8331978f50c731c
SHA1: a9310948476693d72be937f23e1b53b3607bf92f
SHA256: fa9e12a03b909482d5bacd2d7ab1a8d672528bfcf43402c04b6d3a30702b0c4d
Tags: exe guloader

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=dor"}

Compliance:

Uses 32bit PE files
Source: FACTURA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=dor

System Summary:

Uses 32bit PE files
Source: FACTURA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A78BE NtAllocateVirtualMemory, 0_2_021A78BE
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A7A9E NtAllocateVirtualMemory, 0_2_021A7A9E
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A78C2 NtAllocateVirtualMemory, 0_2_021A78C2
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A7973 NtAllocateVirtualMemory, 0_2_021A7973
Sample file is different than original file name gathered from version info
Source: FACTURA.exe, 00000000.00000000.286217984.000000000041B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCounterfoil7.exe vs FACTURA.exe
Source: FACTURA.exe, 00000000.00000002.809631589.00000000022A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCounterfoil7.exeFE2XCollides Systems, Inc. Collides Systems, Inc. vs FACTURA.exe
Source: FACTURA.exe Binary or memory string: OriginalFilenameCounterfoil7.exe vs FACTURA.exe
PE file contains strange resources
Source: FACTURA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\FACTURA.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\FACTURA.exe File created: C:\Users\user\AppData\Local\Temp\~DFF9C88DFC12285A65.TMP
Source: FACTURA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FACTURA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FACTURA.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A0B20 push ds; iretd 0_2_021A0B5F
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A3CBF push es; retf 0_2_021A3D20
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A4191 push es; iretd 0_2_021A42B3
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A2DC7 push esi; iretd 0_2_021A2DC8
Source: C:\Users\user\Desktop\FACTURA.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\FACTURA.exe RDTSC instruction interceptor: First address: 000000000040F386 second address: 000000000040F386 instructions:
    0x00000000 rdtsc
    0x00000002 nop
    0x00000003 mfence
    0x00000006 popad
    0x00000007 pushfd
    0x00000008 popfd
    0x00000009 cmp eax, 000000F9h
    0x0000000e dec edi
    0x0000000f wait
    0x00000010 cmp eax, 67h
    0x00000013 cmp edi, 00000000h
    0x00000016 jne 00007F49089A7E50h
    0x00000018 pushfd
    0x00000019 popfd
    0x0000001a wait
    0x0000001b pushad
    0x0000001c mfence
    0x0000001f mfence
    0x00000022 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A7514 rdtsc 0_2_021A7514

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\FACTURA.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A9A96 mov eax, dword ptr fs:[00000030h] 0_2_021A9A96
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A9A94 mov eax, dword ptr fs:[00000030h] 0_2_021A9A94
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A6FB7 mov eax, dword ptr fs:[00000030h] 0_2_021A6FB7
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A9FE0 mov eax, dword ptr fs:[00000030h] 0_2_021A9FE0
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021AACC4 mov eax, dword ptr fs:[00000030h] 0_2_021AACC4
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021A7514 rdtsc 0_2_021A7514
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021ABD75 RtlAddVectoredExceptionHandler, 0_2_021ABD75
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021ABE16 RtlAddVectoredExceptionHandler, 0_2_021ABE16
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021ABE7E RtlAddVectoredExceptionHandler, 0_2_021ABE7E
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021ABF0E RtlAddVectoredExceptionHandler, 0_2_021ABF0E
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021AC30D RtlAddVectoredExceptionHandler, 0_2_021AC30D
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021ABF6C RtlAddVectoredExceptionHandler, 0_2_021ABF6C
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021ABFB9 RtlAddVectoredExceptionHandler, 0_2_021ABFB9
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021AC0A4 RtlAddVectoredExceptionHandler, 0_2_021AC0A4
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021AC151 RtlAddVectoredExceptionHandler, 0_2_021AC151
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021ABDAA RtlAddVectoredExceptionHandler, 0_2_021ABDAA
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021AC1D6 RtlAddVectoredExceptionHandler, 0_2_021AC1D6
Source: FACTURA.exe, 00000000.00000002.809398242.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: FACTURA.exe, 00000000.00000002.809398242.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: FACTURA.exe, 00000000.00000002.809398242.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: FACTURA.exe, 00000000.00000002.809398242.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos