Windows Analysis Report correction HAWB.exe

Overview

General Information

Sample Name: correction HAWB.exe
Analysis ID: 501939
MD5: a4ef1695bddce6530a28e0d72ae7f8c4
SHA1: 3905f0749e1c55ad4d8fb2a1969cf3f74bc0aeb4
SHA256: 64939ef2abe9b397b1f99bb4ba00c7e49be75f14013647c8e0605fb5fdb3b14b
Tags: exe, guloader

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.818731947.00000000020D0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&M-"}
Multi AV Scanner detection for submitted file
Source: correction HAWB.exe Virustotal: Detection: 25%

Compliance:

Uses 32bit PE files
Source: correction HAWB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_004022AE
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_00403451
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_00403660
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_0040386A
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_00403A74
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_00403236
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_004034DC
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_004036E9
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_004038EC
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_00403345
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_00403563
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_00403973
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_004035E1
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_004037ED
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_004039F7
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 4x nop then ret 0_2_004031AF

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&M-

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: correction HAWB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: correction HAWB.exe, 00000000.00000000.289960859.000000000041D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameThievesb9.exe vs correction HAWB.exe
Source: correction HAWB.exe, 00000000.00000002.818954308.00000000029C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameThievesb9.exeFE2X, vs correction HAWB.exe
Source: correction HAWB.exe Binary or memory string: OriginalFilenameThievesb9.exe vs correction HAWB.exe
PE file contains strange resources
Source: correction HAWB.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00401868 0_2_00401868
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004022AE 0_2_004022AE
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00403236 0_2_00403236
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00403345 0_2_00403345
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004031AF 0_2_004031AF
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_020D838A 0_2_020D838A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: String function: 0040177E appears 94 times
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\correction HAWB.exe Process Stats: CPU usage > 98%
Source: correction HAWB.exe Virustotal: Detection: 25%
Source: correction HAWB.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\correction HAWB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\correction HAWB.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.818731947.00000000020D0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00406072 push ecx; iretd 0_2_00406076
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00403CCE push ecx; iretd 0_2_00403CDD
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00407AEA push edi; iretd 0_2_00407AEE
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00405356 pushad ; ret 0_2_00405360
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00406D22 pushad ; ret 0_2_00406D28
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004055DD push ebx; iretd 0_2_00405607
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00407D89 push ebp; retf 0_2_00407D8A
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00404F95 pushad ; ret 0_2_00404F98
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00407DB2 push edi; iretd 0_2_00407DB3
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_020D2B14 push FFFFFFC1h; ret 0_2_020D2B16
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_020D095A push ds; retf 0_2_020D095B
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_020D1F85 pushad ; iretd 0_2_020D1FC2
Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_020D7C64 rdtsc 0_2_020D7C64

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\correction HAWB.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004022AE mov ebx, dword ptr fs:[00000030h] 0_2_004022AE
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00403236 mov ebx, dword ptr fs:[00000030h] 0_2_00403236
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004031AF mov ebx, dword ptr fs:[00000030h] 0_2_004031AF
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_020D7824 mov eax, dword ptr fs:[00000030h] 0_2_020D7824
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_020DA13C mov eax, dword ptr fs:[00000030h] 0_2_020DA13C
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_020D9B4B mov eax, dword ptr fs:[00000030h] 0_2_020D9B4B
Source: correction HAWB.exe, 00000000.00000002.818357395.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: correction HAWB.exe, 00000000.00000002.818357395.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: correction HAWB.exe, 00000000.00000002.818357395.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: correction HAWB.exe, 00000000.00000002.818357395.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos