Windows Analysis Report FAKTURA I PARAGONY.exe

Overview

General Information

Sample Name: FAKTURA I PARAGONY.exe
Analysis ID: 501176
MD5: 0277ce10266c718b31d46a622acf1a43
SHA1: f9a05406e2407434e5359a8757d6f2bf0166b20e
SHA256: 1113efa42a416df493d712368060e751482e644c13f6c115a507ff001a322724
Tags: exe

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

AV Detection:

Found malware configuration
Source: 00000000.00000002.857981611.0000000002260000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1Vr1"}
Multi AV Scanner detection for submitted file
Source: FAKTURA I PARAGONY.exe Virustotal: Detection: 40%

Compliance:

Uses 32bit PE files
Source: FAKTURA I PARAGONY.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1Vr1
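The sandbox run itself shows no DNS query and no contacted IP, so the payload URL above is known only from the extracted configuration. The following Python is an added example, not part of this report, showing how to hunt for that stage in proxy logs. The log format and log lines are constructed for the example; the id value is copied verbatim from the report and looks truncated compared with normal Google Drive file ids, so the matcher keys on host, path and export=download rather than on the id and only uses the full URL for an exact-match tag.

```python
from urllib.parse import urlsplit, parse_qs

# Payload URL exactly as printed by the malware configuration extractor above.
# The id looks truncated in the report, so it is used only for exact-match tagging,
# never as the detection key.
REPORTED_PAYLOAD_URL = "https://drive.google.com/uc?export=download&id=1Vr1"


def drive_download_id(url):
    """Return the file id if `url` is a Google Drive direct-download URL
    (https://drive.google.com/uc?export=download&id=...), else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname != "drive.google.com" or parts.path != "/uc":
        return None
    query = parse_qs(parts.query)
    if query.get("export") != ["download"]:
        return None
    ids = query.get("id")
    return ids[0] if ids else None


def flag_drive_downloads(log_text):
    """Scan whitespace-separated proxy log lines of the constructed form
    'timestamp client method url status' and return one record per
    direct-download request to drive.google.com."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line
        timestamp, client, method, url, status = fields[:5]
        file_id = drive_download_id(url)
        if file_id is None:
            continue
        hits.append({
            "timestamp": timestamp,
            "client": client,
            "method": method,
            "url": url,
            "file_id": file_id,
            "status": status,
            # an exact match against the extracted config is a high-confidence hit
            "matches_config": url == REPORTED_PAYLOAD_URL,
        })
    return hits


# Constructed proxy log excerpt (not from the report): the first line replays the
# configured payload URL, the last line is an unrelated Drive download.
SAMPLE_PROXY_LOG = """\
2021-10-01T09:12:03Z 10.0.0.17 GET https://drive.google.com/uc?export=download&id=1Vr1 200
2021-10-01T09:12:05Z 10.0.0.17 GET https://www.google.com/ 200
2021-10-01T09:13:11Z 10.0.0.42 GET https://drive.google.com/file/d/abc123/view 200
2021-10-01T09:14:20Z 10.0.0.42 GET https://drive.google.com/uc?export=download&id=abc123 302
"""

if __name__ == "__main__":
    for hit in flag_drive_downloads(SAMPLE_PROXY_LOG):
        print(hit)
```

The direct-download endpoint is heavily used by legitimate software, so a hit that does not match the configured URL exactly is a lead rather than a verdict; correlate it with the requesting process (this sample runs under the VB6 runtime msvbvm60.dll, as shown later in this report) before acting on it.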

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: FAKTURA I PARAGONY.exe, 00000000.00000002.857167751.00000000006AA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the only evidence cited is a hook string naming DDRAW.DLL/DirectDrawCreateEx, which is DirectDraw, not DirectInput; on its own this does not show keystroke capture and should be treated as a weak signal.

System Summary:

Uses 32bit PE files
Source: FAKTURA I PARAGONY.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: FAKTURA I PARAGONY.exe, 00000000.00000000.331579410.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePYRAMIDLIKE.exe vs FAKTURA I PARAGONY.exe
Source: FAKTURA I PARAGONY.exe Binary or memory string: OriginalFilenamePYRAMIDLIKE.exe vs FAKTURA I PARAGONY.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_004016E3 0_2_004016E3
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_004014F4 0_2_004014F4
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_00401730 0_2_00401730
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_022675BF 0_2_022675BF
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0226B99E 0_2_0226B99E
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02265A38 0_2_02265A38
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02266003 0_2_02266003
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0226607C 0_2_0226607C
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02267ABC 0_2_02267ABC
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02267C8D 0_2_02267C8D
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02265C88 0_2_02265C88
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0226569F 0_2_0226569F
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02261EEF 0_2_02261EEF
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02265ECF 0_2_02265ECF
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0226633B 0_2_0226633B
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02265B39 0_2_02265B39
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02265506 0_2_02265506
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02265917 0_2_02265917
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02267D19 0_2_02267D19
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0226517A 0_2_0226517A
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0226557B 0_2_0226557B
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02267B5E 0_2_02267B5E
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02265DA6 0_2_02265DA6
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_022673A6 0_2_022673A6
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02267395 0_2_02267395
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02266192 0_2_02266192
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_022657D4 0_2_022657D4
Contains functionality to call native functions
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_022675BF NtAllocateVirtualMemory, 0_2_022675BF
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0226761F NtAllocateVirtualMemory, 0_2_0226761F
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_022676A4 NtAllocateVirtualMemory, 0_2_022676A4
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02267690 NtAllocateVirtualMemory, 0_2_02267690
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0226774C NtAllocateVirtualMemory, 0_2_0226774C
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Process Stats: CPU usage > 98%
Source: FAKTURA I PARAGONY.exe Virustotal: Detection: 40%
Source: FAKTURA I PARAGONY.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe File created: C:\Users\user\AppData\Local\Temp\~DF54C4517C2DC63B6B.TMP
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.857981611.0000000002260000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0040545F push eax; iretd 0_2_0040545E
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_00405426 push eax; iretd 0_2_0040545E
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_00402F51 push 758B20A2h; ret 0_2_00402F56
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_00406154 push eax; ret 0_2_00406162
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_00403B21 push ds; ret 0_2_00403B23
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_004049E5 push eax; iretd 0_2_004049E6
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_004043FF push eax; iretd 0_2_00404416
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_00403585 push eax; iretd 0_2_004035A6
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0226400B push eax; iretd 0_2_0226400C
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02261146 pushfd ; ret 0_2_02261183
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_022611E2 pushfd ; ret 0_2_02261183
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe RDTSC instruction interceptor: First address: 000000000040F206 second address: 000000000040F206 instructions:
    0x00000000 rdtsc
    0x00000002 pushfd
    0x00000003 popfd
    0x00000004 wait
    0x00000005 popad
    0x00000006 nop
    0x00000007 cmp ecx, 000000D2h
    0x0000000d dec edi
    0x0000000e lfence
    0x00000011 pushfd
    0x00000012 popfd
    0x00000013 cmp edi, 00000000h
    0x00000016 jne 00007FC6009FA743h
    0x00000018 pushfd
    0x00000019 popfd
    0x0000001a wait
    0x0000001b pushad
    0x0000001c pushfd
    0x0000001d popfd
    0x0000001e nop
    0x0000001f rdtsc
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe RDTSC instruction interceptor: First address: 0000000002266EFB second address: 0000000002266EFB instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 21D60935h
    0x00000007 xor eax, 8FACA394h
    0x0000000c xor eax, 93E4BB61h
    0x00000011 xor eax, 3D9E11C1h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007FC600C340D0h
    0x0000001e lfence
    0x00000021 mov edx, 857A903Ah
    0x00000026 add edx, 67C7CA1Ch
    0x0000002c xor edx, 06B8F8E0h
    0x00000032 xor edx, 9404A2A2h
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d ret
    0x0000003e sub edx, esi
    0x00000040 ret
    0x00000041 pop ecx
    0x00000042 add edi, edx
    0x00000044 cmp ch, dh
    0x00000046 dec ecx
    0x00000047 mov dword ptr [ebp+000001F9h], edx
    0x0000004d mov edx, 3A4CFEADh
    0x00000052 xor edx, 5F64774Ch
    0x00000058 test edx, ecx
    0x0000005a xor edx, 0A87EF9Dh
    0x00000060 sub edx, 6FAF667Ch
    0x00000066 cmp ecx, edx
    0x00000068 mov edx, dword ptr [ebp+000001F9h]
    0x0000006e jne 00007FC600C3401Fh
    0x00000070 mov dword ptr [ebp+00000188h], edi
    0x00000076 mov edi, ecx
    0x00000078 push edi
    0x00000079 mov edi, dword ptr [ebp+00000188h]
    0x0000007f call 00007FC600C340C9h
    0x00000084 call 00007FC600C340F1h
    0x00000089 lfence
    0x0000008c mov edx, 857A903Ah
    0x00000091 add edx, 67C7CA1Ch
    0x00000097 xor edx, 06B8F8E0h
    0x0000009d xor edx, 9404A2A2h
    0x000000a3 mov edx, dword ptr [edx]
    0x000000a5 lfence
    0x000000a8 ret
    0x000000a9 mov esi, edx
    0x000000ab pushad
    0x000000ac rdtsc
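The immediates in the second trace are never used as written: each one is built from a chain of mov/add/xor/sub before the register is consumed, which is why the trace reads as noise. The following Python is an added example, not part of the report, that folds those chains over an excerpt of the trace copied verbatim from above. The KUSER_SHARED_DATA labelling in describe() is an assumption of this example, based on the fixed 0x7FFE0000 user-mode mapping on 32-bit Windows; the report itself makes no such claim.

```python
import re

MASK = 0xFFFFFFFF
# mov/add/sub/xor <reg32>, <imm32>h  as the sandbox prints it
IMM_OP = re.compile(r"^(mov|add|sub|xor)\s+(e[abcd]x),\s*([0-9A-Fa-f]+)h$")

# Excerpt of the second RDTSC trace in this report (offset, instruction), copied verbatim.
TRACE = """\
0x00000000 rdtsc
0x00000002 mov eax, 21D60935h
0x00000007 xor eax, 8FACA394h
0x0000000c xor eax, 93E4BB61h
0x00000011 xor eax, 3D9E11C1h
0x00000016 cpuid
0x0000001e lfence
0x00000021 mov edx, 857A903Ah
0x00000026 add edx, 67C7CA1Ch
0x0000002c xor edx, 06B8F8E0h
0x00000032 xor edx, 9404A2A2h
0x00000038 mov edx, dword ptr [edx]
0x0000004d mov edx, 3A4CFEADh
0x00000052 xor edx, 5F64774Ch
0x00000058 test edx, ecx
0x0000005a xor edx, 0A87EF9Dh
0x00000060 sub edx, 6FAF667Ch
0x00000066 cmp ecx, edx
"""


def parse_trace(text):
    """Turn 'offset instruction' lines into (offset, instruction) tuples."""
    out = []
    for line in text.splitlines():
        off, _, ins = line.strip().partition(" ")
        out.append((int(off, 16), ins.strip()))
    return out


def fold_immediate_chain(instructions, reg):
    """Fold mov/add/sub/xor reg, imm32 chains and return the value reg holds afterwards.
    Returns None whenever reg is written by something this folder does not model
    (memory loads, cpuid, rdtsc, calls), so the caller never gets a guessed value."""
    value = None
    for ins in instructions:
        m = IMM_OP.match(ins)
        if m:
            op, dst, imm = m.group(1), m.group(2), int(m.group(3), 16)
            if dst != reg:
                continue
            if op == "mov":
                value = imm
            elif value is None:
                return None            # arithmetic on an unknown starting value
            elif op == "add":
                value = (value + imm) & MASK
            elif op == "sub":
                value = (value - imm) & MASK
            else:                      # xor
                value ^= imm
            continue
        parts = ins.replace(",", " ").split()
        mnemonic = parts[0]
        if mnemonic in ("cmp", "test"):
            continue                   # flags only, register unchanged
        if mnemonic in ("cpuid", "rdtsc", "call"):
            return None                # clobbers eax..edx or has unknown side effects
        if len(parts) > 1 and parts[1] == reg:
            return None                # e.g. "mov edx, dword ptr [edx]"
    return value


def chain_between(trace, start, end, reg):
    """Fold the instructions with start <= offset <= end for reg."""
    window = [ins for off, ins in trace if start <= off <= end]
    return fold_immediate_chain(window, reg)


def describe(value):
    """Label well-known 32-bit Windows constants (assumption of this example)."""
    if value is None:
        return "unknown"
    if 0x7FFE0000 <= value < 0x7FFE1000:
        return "KUSER_SHARED_DATA+0x%x" % (value - 0x7FFE0000)
    return "0x%08x" % value


if __name__ == "__main__":
    trace = parse_trace(TRACE)
    print("cpuid leaf (eax):   ", describe(chain_between(trace, 0x02, 0x11, "eax")))
    print("pointer read (edx): ", describe(chain_between(trace, 0x21, 0x32, "edx")))
    print("compare value (edx):", describe(chain_between(trace, 0x4d, 0x60, "edx")))
```

Folding gives eax = 1 before cpuid (leaf 1, whose ECX bit 31 is the hypervisor-present bit on x86), edx = 0x7FFE0014 for the pointer that is then dereferenced (SystemTime.LowPart in KUSER_SHARED_DATA on 32-bit Windows), and 0 for the value compared against ecx. Read together with the two rdtsc reads that bracket the block, this is a timing loop that compares a TSC delta against a wall-clock delta, which matches the "RDTSC time measurements" signature; that reading is the editor's interpretation, not a finding stated by the report.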
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0226721A rdtsc 0_2_0226721A

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02269878 mov eax, dword ptr fs:[00000030h] 0_2_02269878
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02266D2F mov eax, dword ptr fs:[00000030h] 0_2_02266D2F
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02269DA2 mov eax, dword ptr fs:[00000030h] 0_2_02269DA2
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0226721A rdtsc 0_2_0226721A
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0226B99E RtlAddVectoredExceptionHandler, 0_2_0226B99E
Source: FAKTURA I PARAGONY.exe, 00000000.00000002.857418346.0000000000D30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: FAKTURA I PARAGONY.exe, 00000000.00000002.857418346.0000000000D30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: FAKTURA I PARAGONY.exe, 00000000.00000002.857418346.0000000000D30000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: FAKTURA I PARAGONY.exe, 00000000.00000002.857418346.0000000000D30000.00000002.00020000.sdmp Binary or memory string: Progmanlock
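The three code-level findings that recur through the Data Obfuscation, Malware Analysis System Evasion and Anti Debugging sections (push/ret and pushfd/ret obfuscation, reads of the PEB through fs:[30h], and paired rdtsc reads around a serialising instruction) can all be located by byte pattern in the unpacked memory region the Yara rule matched (0x02260000). The following Python is an added example, not part of the report: the opcode encodings are the standard 32-bit ones and are this example's assumption, the input buffer is constructed to imitate the report's listings and is not the sample's bytes, and the pairing heuristic in rdtsc_timing_windows is the editor's, not a rule from the sandbox.

```python
import re

# Standard 32-bit x86 encodings of the instructions flagged in this report (assumption).
PATTERNS = {
    "rdtsc":             rb"\x0f\x31",
    "cpuid":             rb"\x0f\xa2",
    "lfence":            rb"\x0f\xae\xe8",
    "mov eax, fs:[30h]": rb"\x64\xa1\x30\x00\x00\x00",   # PEB read
    "push eax; ret":     rb"\x50\xc3",
    "push eax; iretd":   rb"\x50\xcf",
    "pushfd; ret":       rb"\x9c\xc3",
    "push imm32; ret":   rb"\x68.{4}\xc3",
}


def scan(buf, base=0):
    """Return sorted (address, name) hits for every pattern in buf.
    `base` is the load address of the region (e.g. 0x02260000 for the dump above)."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((base + m.start(), name))
    hits.sort()
    return hits


def rdtsc_timing_windows(hits, max_gap=0x100):
    """Pair consecutive rdtsc hits that lie within max_gap bytes of each other and have a
    cpuid or lfence between them: the shape of both traces in this report, where the
    serialising instruction keeps the second rdtsc from executing early."""
    rdtscs = [addr for addr, name in hits if name == "rdtsc"]
    serial = [addr for addr, name in hits if name in ("cpuid", "lfence")]
    windows = []
    for first, second in zip(rdtscs, rdtscs[1:]):
        if second - first <= max_gap and any(first < s < second for s in serial):
            windows.append((first, second))
    return windows


# Constructed buffer imitating the report's listings (not bytes from the sample).
SAMPLE = (
    b"\x90" * 8                        # 0x00: padding
    + b"\x0f\x31"                      # 0x08: rdtsc
    + b"\x9c\x9d"                      # 0x0a: pushfd; popfd (junk, as in the first trace)
    + b"\x0f\xa2"                      # 0x0c: cpuid
    + b"\x0f\xae\xe8"                  # 0x0e: lfence
    + b"\x64\xa1\x30\x00\x00\x00"      # 0x11: mov eax, fs:[30h]
    + b"\x68\xa2\x20\x8b\x75\xc3"      # 0x17: push 758B20A2h; ret (as at 0_2_00402F51)
    + b"\x0f\x31"                      # 0x1d: rdtsc, second read of the timing pair
    + b"\x90" * 8                      # 0x1f: padding
    + b"\x50\xcf"                      # 0x27: push eax; iretd
    + b"\x9c\xc3"                      # 0x29: pushfd; ret
    + b"\x0f\x31"                      # 0x2b: rdtsc with nothing serialising since the last one
    + b"\x90" * 4
)

if __name__ == "__main__":
    found = scan(SAMPLE, base=0x02260000)
    for addr, name in found:
        print("%08x  %s" % (addr, name))
    print("rdtsc timing windows:", ["%08x-%08x" % w for w in rdtsc_timing_windows(found)])
```

Two-byte patterns such as rdtsc (0F 31) and push eax; ret (50 C3) will also match inside data, so treat scan() output as candidate addresses to confirm in a disassembler; the pairing in rdtsc_timing_windows() is what separates a real timing check from a stray byte pair, and it should be run over the whole region rather than a single function.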
No contacted IP infos