Windows Analysis Report: Foreign_Bank Account Details.exe

Overview

General Information

Sample Name: Foreign_Bank Account Details.exe
Analysis ID: 500790
MD5: 8906fa5fed7b1d3d2e5579d97419c076
SHA1: f4488a79fcb657eb1f3f23c6ce181ae7176fb11c
SHA256: d1a3f5513cfaf506e96e6304d259fb03f5dc23542301fc9c7335a6e921ad65f9
Tags: exe, guloader

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1hKAWruhccvaKl72"}
Multi AV Scanner detection for submitted file
Source: Foreign_Bank Account Details.exe ReversingLabs: Detection: 33%

Compliance:

Uses 32bit PE files
Source: Foreign_Bank Account Details.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 5x nop then mov edx, edx 0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 6x nop then mov edx, edx 0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 5x nop then mov edx, edx 0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 6x nop then mov edx, edx 0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 0_2_00402267
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 5x nop then mov edx, edx 0_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 6x nop then mov edx, edx 0_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 0_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 0_2_004022E9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 0_2_00402379
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 5x nop then mov edx, edx 0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 6x nop then mov edx, edx 0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 6x nop then mov edx, edx 0_2_004021F3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 0_2_004021F3

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1hKAWruhccvaKl72

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Foreign_Bank Account Details.exe, 00000000.00000002.765735335.000000000072A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: Foreign_Bank Account Details.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Foreign_Bank Account Details.exe, 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamefigurmrk.exe vs Foreign_Bank Account Details.exe
Source: Foreign_Bank Account Details.exe Binary or memory string: OriginalFilenamefigurmrk.exe vs Foreign_Bank Account Details.exe
PE file contains strange resources
Source: Foreign_Bank Account Details.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004012D8 0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00402061 0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004020E7 0_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004022E9 0_2_004022E9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_0040191F 0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020CBFDE 0_2_020CBFDE
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C80F9 0_2_020C80F9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C5E21 0_2_020C5E21
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C6651 0_2_020C6651
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C6E70 0_2_020C6E70
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C8698 0_2_020C8698
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020CA6A7 0_2_020CA6A7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C6ABF 0_2_020C6ABF
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C7AFA 0_2_020C7AFA
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020CAEF3 0_2_020CAEF3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C639E 0_2_020C639E
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020CA3AD 0_2_020CA3AD
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C8BBD 0_2_020C8BBD
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C67BE 0_2_020C67BE
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020CABE2 0_2_020CABE2
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C6BFC 0_2_020C6BFC
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020CB009 0_2_020CB009
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C5C13 0_2_020C5C13
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020CAC45 0_2_020CAC45
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C5C54 0_2_020C5C54
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C5C74 0_2_020C5C74
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C80C2 0_2_020C80C2
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C4D15 0_2_020C4D15
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C8154 0_2_020C8154
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C796A 0_2_020C796A
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C9D8F 0_2_020C9D8F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C8598 0_2_020C8598
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020CA5DF 0_2_020CA5DF
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C85E0 0_2_020C85E0
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C80F9 NtAllocateVirtualMemory, 0_2_020C80F9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C8234 NtAllocateVirtualMemory, 0_2_020C8234
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C8253 NtAllocateVirtualMemory, 0_2_020C8253
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C82B3 NtAllocateVirtualMemory, 0_2_020C82B3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C8352 NtAllocateVirtualMemory, 0_2_020C8352
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C8371 NtAllocateVirtualMemory, 0_2_020C8371
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C80C2 NtAllocateVirtualMemory, 0_2_020C80C2
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C8154 NtAllocateVirtualMemory, 0_2_020C8154
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C819A NtAllocateVirtualMemory, 0_2_020C819A
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Process Stats: CPU usage > 98%
Source: Foreign_Bank Account Details.exe ReversingLabs: Detection: 33%
Source: Foreign_Bank Account Details.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00414356 push eax; ret 0_2_004147B5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00404A4A push edx; iretd 0_2_00404A75
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00404252 push eax; iretd 0_2_00404251
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00404A5E push edx; iretd 0_2_00404A75
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00402E00 push edx; iretd 0_2_00402E01
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_0040562D push edi; iretd 0_2_00405661
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004052C1 pushfd ; retf 0_2_00405307
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004048C4 push edi; iretd 0_2_004048C5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004040D2 push es; ret 0_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004040DE push es; ret 0_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004076EF pushfd ; retf 0_2_004076F3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004068F0 push eax; iretd 0_2_004068FD
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004058F6 push edx; iretd 0_2_004058F9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004082F9 push eax; iretd 0_2_00408305
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00406E91 push ecx; iretd 0_2_00406E9D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00408298 push ebx; iretd 0_2_00408299
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00406C9E push eax; iretd 0_2_00406ED5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00406EBF push eax; iretd 0_2_00406ED5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00403948 push ecx; iretd 0_2_00403949
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_0040416E push es; ret 0_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00404112 push es; ret 0_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00405F20 push esi; iretd 0_2_00405F21
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004061CE push esi; iretd 0_2_004061E5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004055CF push edi; iretd 0_2_00405661
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004059E4 push edi; iretd 0_2_004059E5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_0040638D push 569795EEh; iretd 0_2_004063A5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00402F9E push esi; iretd 0_2_00402FA1
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004059A0 push eax; iretd 0_2_004059A1
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004041BB push eax; iretd 0_2_00404251
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004043BB push edx; iretd 0_2_004043C1
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C7689 push 737A652Eh; iretd 0_2_020C9824
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C7A45 rdtsc 0_2_020C7A45

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_004012D8 mov ebx, dword ptr fs:[00000030h] 0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_00402061 mov ebx, dword ptr fs:[00000030h] 0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_0040191F mov ebx, dword ptr fs:[00000030h] 0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C9EE3 mov eax, dword ptr fs:[00000030h] 0_2_020C9EE3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020CB009 mov eax, dword ptr fs:[00000030h] 0_2_020CB009
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020CA450 mov eax, dword ptr fs:[00000030h] 0_2_020CA450
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C78C4 mov eax, dword ptr fs:[00000030h] 0_2_020C78C4
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020C7A45 rdtsc 0_2_020C7A45
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 0_2_020CBFDE RtlAddVectoredExceptionHandler, 0_2_020CBFDE
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos