Windows Analysis Report Statement of Account.exe

Overview

General Information

Sample Name: Statement of Account.exe
Analysis ID: 502024
MD5: 1232806812f946a2afabc5f5fe489de5
SHA1: f9a820627667403e90b3a387de0b644f8f0ddc31
SHA256: 86907475c81bc4700fc465c758592c51e905feed8aecdc0c10ccb6a8c650218a
Tags: exe, guloader

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.783365997.0000000004BF0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download"}
Multi AV Scanner detection for submitted file
Source: Statement of Account.exe ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: Statement of Account.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Statement of Account.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 0_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then sub ecx, F6DD248Dh 0_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 0_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 0_2_0040346B
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_0040346B
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_0040346B
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_00403611
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_00403611
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_00403827
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 0_2_004032D4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_004032D4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_004032D4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_00403697
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_00403697
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_004038AC
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 0_2_0040336A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_0040336A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_0040336A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_0040371F
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_0040371F
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_004039C9
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 0_2_004033EA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_004033EA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_004033EA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_00403581
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_00403581
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_00403586
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_00403586
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_00403588
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_00403588
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_0040358A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_0040358A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_0040358C
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_0040358C
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_0040358E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_0040358E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_00403590
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_00403590
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_00403592
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_00403592
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_00403596
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_00403596
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_00403598
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_00403598
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_0040359A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_0040359A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_0040359C
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_0040359C
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_0040359E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_0040359E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_004035A0
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_004035A0
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_004035A2
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_004035A2
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_004035A4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_004035A4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_004035A6
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_004035A6
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_004035A8
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_004035A8
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_004035AA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_004035AA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_004031BE
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edi, edi 0_2_004031BE
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 4x nop then mov edx, edx 0_2_004031BE
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 5x nop then xor eax, dword ptr [edx+esi] 0_2_004031BE

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: Statement of Account.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Statement of Account.exe, 00000000.00000000.254053791.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameedderfu.exe vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.782119525.0000000002220000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameedderfu.exeFE2X vs Statement of Account.exe
Source: Statement of Account.exe Binary or memory string: OriginalFilenameedderfu.exe vs Statement of Account.exe
PE file contains strange resources
Source: Statement of Account.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00401868 0_2_00401868
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00403248 0_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_0040225E 0_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_0040346B 0_2_0040346B
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00403611 0_2_00403611
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_004032D4 0_2_004032D4
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_0040336A 0_2_0040336A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_004033EA 0_2_004033EA
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00403590 0_2_00403590
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_004031BE 0_2_004031BE
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_04BFA8A1 0_2_04BFA8A1
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_04BF01FB 0_2_04BF01FB
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_04BF5B52 0_2_04BF5B52
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: String function: 0040177E appears 94 times
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Statement of Account.exe Process Stats: CPU usage > 98%
Source: Statement of Account.exe ReversingLabs: Detection: 21%
Source: Statement of Account.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Statement of Account.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Statement of Account.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.783365997.0000000004BF0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00404E6E push esp; retf 0_2_00404E8E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00407C85 push C8F569B9h; ret 0_2_00407C8A
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00403E8E push esi; retf 0_2_00403E95
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_04BF194C push ds; ret 0_2_04BF194F
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_04BF3F03 push edx; iretd 0_2_04BF3F04
Source: initial sample Static PE information: section name: .text entropy: 6.81553512761
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_04BF7A2F rdtsc 0_2_04BF7A2F

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Statement of Account.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_00403248 mov ebx, dword ptr fs:[00000030h] 0_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_0040225E mov ebx, dword ptr fs:[00000030h] 0_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_004031BE mov ebx, dword ptr fs:[00000030h] 0_2_004031BE
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_04BF75F7 mov eax, dword ptr fs:[00000030h] 0_2_04BF75F7
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_04BF9952 mov eax, dword ptr fs:[00000030h] 0_2_04BF9952
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_04BF9EF4 mov eax, dword ptr fs:[00000030h] 0_2_04BF9EF4
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Statement of Account.exe Code function: 0_2_04BF7A2F rdtsc 0_2_04BF7A2F
Source: Statement of Account.exe, 00000000.00000002.781361345.0000000000DB0000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: Statement of Account.exe, 00000000.00000002.781361345.0000000000DB0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Statement of Account.exe, 00000000.00000002.781361345.0000000000DB0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Statement of Account.exe, 00000000.00000002.781361345.0000000000DB0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos