Windows Analysis Report REQUIREMENT.exe

Overview

General Information

Sample Name: REQUIREMENT.exe
Analysis ID: 502075
MD5: fb70ff484021669624233d0fbd77ec6a
SHA1: 6820b13631967663ec2637c43c828468633051fd
SHA256: 2b40757a6763aa725d86426ce3cd16fcf1380a9152837d4fbe5e5b085710054c
Tags: exe, guloader

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.1188115207.0000000002C50000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloa"}

Compliance:

Uses 32bit PE files
Source: REQUIREMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downloa

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C576AD NtAllocateVirtualMemory, 0_2_02C576AD
Sample file is different than original file name gathered from version info
Source: REQUIREMENT.exe, 00000000.00000000.665138036.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStablerne.exe vs REQUIREMENT.exe
Source: REQUIREMENT.exe Binary or memory string: OriginalFilenameStablerne.exe vs REQUIREMENT.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\REQUIREMENT.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_004016F9 0_2_004016F9
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_00401746 0_2_00401746
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_0040150A 0_2_0040150A
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C576AD 0_2_02C576AD
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C5BBCC 0_2_02C5BBCC
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C5AAF9 0_2_02C5AAF9
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C55A93 0_2_02C55A93
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C558A9 0_2_02C558A9
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C5A8BF 0_2_02C5A8BF
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C59A51 0_2_02C59A51
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C57A08 0_2_02C57A08
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C55E2B 0_2_02C55E2B
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C573C1 0_2_02C573C1
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C56185 0_2_02C56185
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C59D8D 0_2_02C59D8D
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C55F15 0_2_02C55F15
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C55F11 0_2_02C55F11
Source: C:\Users\user\Desktop\REQUIREMENT.exe File created: C:\Users\user\AppData\Local\Temp\~DF487C68D7539D4AB0.TMP
Source: REQUIREMENT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\REQUIREMENT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\REQUIREMENT.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1188115207.0000000002C50000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_00404C7B push eax; retf 0_2_00404C82
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_00404619 push esp; retf 0_2_0040461A
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_00405035 push ss; retf 0_2_00405037
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_00403ADA push ecx; retf 0_2_00403ADC
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_0040528D push esp; retf 0_2_0040528E
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_004044B5 push eax; retf 0_2_004044B6
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_00403B4B push ebp; retf 0_2_00403B4C
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_00405775 push eax; retf 0_2_00405779
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_00404F2B push edi; iretd 0_2_00404F3A
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C542C3 push eax; ret 0_2_02C542D0
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C526CA push FFFFFF81h; ret 0_2_02C526CC
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C540EC push eax; retn 0010h 0_2_02C5412E
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C5209B push ecx; ret 0_2_02C5209C
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C53E65 pushad ; ret 0_2_02C53E68
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C5A1C7 push eax; retf B6D8h 0_2_02C5C7F0
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C513C7 push eax; retf 0_2_02C513C8
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C50792 push ds; ret 0_2_02C50794
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C54B54 push ecx; ret 0_2_02C54B5A
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C54125 push eax; retn 0010h 0_2_02C5412E
Source: C:\Users\user\Desktop\REQUIREMENT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUIREMENT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUIREMENT.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\REQUIREMENT.exe RDTSC instruction interceptor: First address: 000000000040F697 second address: 000000000040F697 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 popfd 0x00000004 cmp ecx, 0Fh 0x00000007 popad 0x00000008 wait 0x00000009 mfence 0x0000000c dec edi 0x0000000d wait 0x0000000e wait 0x0000000f cmp edi, 00000000h 0x00000012 jne 00007F6D0C3927BDh 0x00000014 pushfd 0x00000015 popfd 0x00000016 cmp ecx, 000000CAh 0x0000001c pushad 0x0000001d cmp eax, 000000F0h 0x00000022 cmp eax, 02h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\REQUIREMENT.exe RDTSC instruction interceptor: First address: 0000000002C5A0C8 second address: 0000000002C5A0C8 instructions: 0x00000000 rdtsc 0x00000002 mov eax, AA54BF9Eh 0x00000007 xor eax, 18F07B17h 0x0000000c xor eax, 2300AFC3h 0x00000011 xor eax, 91A46B4Bh 0x00000016 cpuid 0x00000018 popad 0x00000019 cmp dl, 00000034h 0x0000001c call 00007F6D0C93C838h 0x00000021 lfence 0x00000024 mov edx, 246E52A3h 0x00000029 xor edx, 20DEFFF8h 0x0000002f xor edx, 4C51A0A7h 0x00000035 xor edx, 371F0DE8h 0x0000003b mov edx, dword ptr [edx] 0x0000003d lfence 0x00000040 jmp 00007F6D0C93C876h 0x00000042 cmp ecx, eax 0x00000044 cmp bh, ah 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a add edi, edx 0x0000004c dec dword ptr [ebp+000000F8h] 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007F6D0C93C817h 0x0000005b test bx, 23AAh 0x00000060 call 00007F6D0C93C874h 0x00000065 call 00007F6D0C93C85Ch 0x0000006a lfence 0x0000006d mov edx, 246E52A3h 0x00000072 xor edx, 20DEFFF8h 0x00000078 xor edx, 4C51A0A7h 0x0000007e xor edx, 371F0DE8h 0x00000084 mov edx, dword ptr [edx] 0x00000086 lfence 0x00000089 jmp 00007F6D0C93C876h 0x0000008b cmp ecx, eax 0x0000008d cmp bh, ah 0x0000008f ret 0x00000090 mov esi, edx 0x00000092 pushad 0x00000093 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C5A0C0 rdtsc 0_2_02C5A0C0

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\REQUIREMENT.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C594D3 mov eax, dword ptr fs:[00000030h] 0_2_02C594D3
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C5AAF9 mov eax, dword ptr fs:[00000030h] 0_2_02C5AAF9
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C57244 mov eax, dword ptr fs:[00000030h] 0_2_02C57244
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C59C43 mov eax, dword ptr fs:[00000030h] 0_2_02C59C43
Source: C:\Users\user\Desktop\REQUIREMENT.exe Code function: 0_2_02C5BBCC RtlAddVectoredExceptionHandler, 0_2_02C5BBCC
Source: REQUIREMENT.exe, 00000000.00000002.1187775011.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: REQUIREMENT.exe, 00000000.00000002.1187775011.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: REQUIREMENT.exe, 00000000.00000002.1187775011.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progman
Source: REQUIREMENT.exe, 00000000.00000002.1187775011.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos