Windows Analysis Report FACTURA.exe

Overview

General Information

Sample Name: FACTURA.exe
Analysis ID: 502111
MD5: d9b54bd175163eae11715a5b89b32aba
SHA1: 8a926c701db271e1f2edfec8890a865248e52d24
SHA256: 3e123fbdc89e8c9c59a0c5a3a1c2d8fda13f5d8551da654bef2f17f34f578075
Tags: exe

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different from original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

AV Detection:

Found malware configuration
Source: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1AoRiyDm8nMjHX"}

Compliance:

Uses 32bit PE files
Source: FACTURA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1AoRiyDm8nMjHX
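The configuration extractor above recovered a single payload URL from the 021D0000 memory region. The script below is an added example (not part of this report and not the sandbox's own extractor) of how an analyst can pull URLs out of a raw memory dump and, for Google Drive hosts, reduce them to the file id that is the stable indicator. It handles both ASCII and UTF-16LE strings because a VB6 host process keeps wide strings in memory. The dump bytes are constructed for the example; the Drive URL is the one from the report, the second URL uses a reserved test domain.

```python
import re
from urllib.parse import urlparse, parse_qs

# Printable-ASCII URL, and the same URL stored as UTF-16LE (VB6 and most
# Windows string APIs keep wide strings, so a raw memory dump can hold either).
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]{8,}")
WIDE_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){8,}")
TRAILING_JUNK = "\"'),;}]>"


def extract_urls(buf):
    """Return de-duplicated URLs found in a raw memory dump, ASCII matches first."""
    found = [m.group().decode("ascii") for m in ASCII_URL.finditer(buf)]
    found += [m.group().decode("utf-16-le") for m in WIDE_URL.finditer(buf)]
    urls = []
    for u in found:
        u = u.rstrip(TRAILING_JUNK)      # drop a closing quote/brace from an embedded JSON config
        if u not in urls:
            urls.append(u)
    return urls


def drive_file_id(url):
    """File id for a Google Drive direct-download or share URL, else None."""
    p = urlparse(url)
    if p.hostname != "drive.google.com":
        return None
    qs = parse_qs(p.query)
    if p.path == "/uc" and qs.get("export") == ["download"] and qs.get("id"):
        return qs["id"][0]
    m = re.match(r"^/file/d/([^/]+)", p.path)
    return m.group(1) if m else None


def payload_sources(buf):
    """(url, drive_file_id) for every URL in the dump; the id is None for non-Drive hosts."""
    return [(u, drive_file_id(u)) for u in extract_urls(buf)]


# Constructed stand-in for the 021D0000 region: padding, an ASCII copy of the URL
# the report's extractor recovered, and a made-up UTF-16LE URL on a reserved test
# domain to show that wide strings are also picked up.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MZ\x90\x00junk\x00"
    + b"https://drive.google.com/uc?export=download&id=1AoRiyDm8nMjHX\x00"
    + b"\xcc" * 8
    + "http://example.invalid/stage2.bin".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    for url, fid in payload_sources(SAMPLE_DUMP):
        print(f"{url}  ->  drive id: {fid}")
```

Blocking the full URL is brittle because the `uc?export=download&id=` form and the `/file/d/<id>/view` share form resolve to the same object; keying detections and takedown requests on the file id covers both.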

System Summary:

Uses 32bit PE files
Source: FACTURA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D7298 NtAllocateVirtualMemory, 0_2_021D7298
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D7614 NtAllocateVirtualMemory, 0_2_021D7614
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D763B NtAllocateVirtualMemory, 0_2_021D763B
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D727C NtAllocateVirtualMemory, 0_2_021D727C
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D72B5 NtAllocateVirtualMemory, 0_2_021D72B5
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D775D NtAllocateVirtualMemory, 0_2_021D775D
Sample file is different from original file name gathered from version info
Source: FACTURA.exe, 00000000.00000000.676817252.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameHippa6.exe vs FACTURA.exe
Source: FACTURA.exe Binary or memory string: OriginalFilenameHippa6.exe vs FACTURA.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\FACTURA.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_00401440 0_2_00401440
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_0040167C 0_2_0040167C
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_0040162F 0_2_0040162F
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_00404D2C 0_2_00404D2C
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D7298 0_2_021D7298
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DB9D6 0_2_021DB9D6
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D7614 0_2_021D7614
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBA08 0_2_021DBA08
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D5207 0_2_021D5207
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D763B 0_2_021D763B
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DAA32 0_2_021DAA32
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DAE44 0_2_021DAE44
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D727C 0_2_021D727C
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DA26F 0_2_021DA26F
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D566A 0_2_021D566A
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBA65 0_2_021DBA65
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DAABB 0_2_021DAABB
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D72B5 0_2_021D72B5
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBAD8 0_2_021DBAD8
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D5AE0 0_2_021D5AE0
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D5F15 0_2_021D5F15
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D5B2B 0_2_021D5B2B
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D7B4E 0_2_021D7B4E
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D9F4A 0_2_021D9F4A
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBB47 0_2_021DBB47
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D5F40 0_2_021D5F40
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D9F6A 0_2_021D9F6A
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DAB61 0_2_021DAB61
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DB386 0_2_021DB386
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D57B4 0_2_021D57B4
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D7BB3 0_2_021D7BB3
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBBAF 0_2_021DBBAF
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D8FDA 0_2_021D8FDA
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DA013 0_2_021DA013
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D8400 0_2_021D8400
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DAC2D 0_2_021DAC2D
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D742B 0_2_021D742B
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D5C51 0_2_021D5C51
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBC4D 0_2_021DBC4D
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D6066 0_2_021D6066
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D58A1 0_2_021D58A1
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D7CC5 0_2_021D7CC5
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D54EB 0_2_021D54EB
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DA11F 0_2_021DA11F
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DAD09 0_2_021DAD09
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DB138 0_2_021DB138
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D5557 0_2_021D5557
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D516C 0_2_021D516C
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D5D9D 0_2_021D5D9D
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBDBA 0_2_021DBDBA
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D59DD 0_2_021D59DD
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D09C5 0_2_021D09C5
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D7DF4 0_2_021D7DF4
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D99F0 0_2_021D99F0
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D61E9 0_2_021D61E9
Source: C:\Users\user\Desktop\FACTURA.exe File created: C:\Users\user\AppData\Local\Temp\~DF6F8D286EA7402917.TMP Jump to behavior
Source: FACTURA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FACTURA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\FACTURA.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1202548059.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_00403F79 push ss; iretd 0_2_00403F85
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_00404B0F push cs; retf 0_2_00404B2B
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D338C pushad ; iretd 0_2_021D34D5
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D3457 pushad ; iretd 0_2_021D34D5
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D348A pushad ; iretd 0_2_021D34D5
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D9900 push edi; ret 0_2_021D9956
Source: C:\Users\user\Desktop\FACTURA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\FACTURA.exe RDTSC instruction interceptor: First address: 000000000040F124 second address: 000000000040F124 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 wait
  0x00000006 popad
  0x00000007 pushfd
  0x00000008 popfd
  0x00000009 wait
  0x0000000a dec edi
  0x0000000b lfence
  0x0000000e pushfd
  0x0000000f popfd
  0x00000010 cmp edi, 00000000h
  0x00000013 jne 00007F2F4096AF93h
  0x00000015 nop
  0x00000016 pushfd
  0x00000017 popfd
  0x00000018 pushad
  0x00000019 lfence
  0x0000001c cmp eax, 4Ch
  0x0000001f rdtsc
Source: C:\Users\user\Desktop\FACTURA.exe RDTSC instruction interceptor: First address: 00000000021D6F4D second address: 00000000021D6F4D instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 4344BD4Eh
  0x00000007 xor eax, 9523C638h
  0x0000000c xor eax, 8C421A1Dh
  0x00000011 sub eax, 5A25616Ah
  0x00000016 cpuid
  0x00000018 popad
  0x00000019 call 00007F2F4096DCB8h
  0x0000001e lfence
  0x00000021 mov edx, FAD6A590h
  0x00000026 xor edx, B228D1B3h
  0x0000002c xor edx, 57AF33B0h
  0x00000032 xor edx, 60AF4787h
  0x00000038 mov edx, dword ptr [edx]
  0x0000003a lfence
  0x0000003d ret
  0x0000003e sub edx, esi
  0x00000040 ret
  0x00000041 pop ecx
  0x00000042 add edi, edx
  0x00000044 dec ecx
  0x00000045 mov dword ptr [ebp+00000182h], ebx
  0x0000004b mov ebx, F34FAB69h
  0x00000050 add ebx, D3E79685h
  0x00000056 xor ebx, 85E85CE5h
  0x0000005c sub ebx, 42DF1D0Bh
  0x00000062 cmp ecx, ebx
  0x00000064 mov ebx, dword ptr [ebp+00000182h]
  0x0000006a jne 00007F2F4096DC70h
  0x0000006c mov dword ptr [ebp+00000168h], edi
  0x00000072 cmp dx, bx
  0x00000075 mov edi, ecx
  0x00000077 push edi
  0x00000078 mov edi, dword ptr [ebp+00000168h]
  0x0000007e call 00007F2F4096DD18h
  0x00000083 call 00007F2F4096DCD9h
  0x00000088 lfence
  0x0000008b mov edx, FAD6A590h
  0x00000090 xor edx, B228D1B3h
  0x00000096 xor edx, 57AF33B0h
  0x0000009c xor edx, 60AF4787h
  0x000000a2 mov edx, dword ptr [edx]
  0x000000a4 lfence
  0x000000a7 ret
  0x000000a8 mov esi, edx
  0x000000aa pushad
  0x000000ab rdtsc
The mov/xor/add/sub immediates in the second trace fold to fixed values: eax becomes 1 before cpuid (leaf 1), edx becomes 7FFE0014h (KUSER_SHARED_DATA.SystemTime.LowPart, read once per iteration and differenced against the previous read in esi, with the deltas accumulated in edi), and ebx becomes 0, the exit value the ecx loop counter is compared against. The loop therefore measures the cost of a forced VM exit (cpuid) against both the time-stamp counter and the kernel-maintained clock, so patching rdtsc alone in the sandbox does not defeat it.
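Folding the constant chains by hand is error-prone, so the following added example (not part of the report, not tooling from the sandbox vendor) parses a trace in the format printed above and resolves every `mov reg, imm` followed by `xor/add/sub reg, imm` sequence to the value the loader actually uses, naming it when it points into KUSER_SHARED_DATA. The embedded trace is an excerpt of the second interceptor listing with unrelated instructions removed; the KUSER_SHARED_DATA offsets in the table are the documented ones for the fields listed.

```python
import re

MASK = 0xFFFFFFFF
# "<offset> <op> <reg32>, <hex>h" as the sandbox prints it; anything else ends a chain.
IMM = re.compile(
    r"^\s*(0x[0-9a-f]+)\s+(mov|xor|add|sub)\s+(e[a-d]x|e[sd]i|e[bs]p),\s*([0-9a-f]+)h\s*$",
    re.I,
)

KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {          # KUSER_SHARED_DATA offsets a loader reads as a second clock source
    0x000: "TickCountLowDeprecated",
    0x004: "TickCountMultiplier",
    0x008: "InterruptTime.LowPart",
    0x014: "SystemTime.LowPart",
    0x320: "TickCount.LowPart",
}


def resolve_constant_chains(trace):
    """Fold 'mov reg, imm' plus following xor/add/sub reg, imm into (start_offset, reg, value).

    A chain ends at the first instruction that is not an immediate mov/xor/add/sub on
    that register, which is where the decoded value gets consumed."""
    chains, open_chains = [], {}
    for line in trace.splitlines():
        m = IMM.match(line)
        if not m:
            chains.extend((s, r, v) for r, (s, v) in open_chains.items())
            open_chains.clear()
            continue
        off, op = int(m.group(1), 16), m.group(2).lower()
        reg, imm = m.group(3).lower(), int(m.group(4), 16)
        if op == "mov":
            if reg in open_chains:               # mov over a live chain: emit it, start anew
                s, v = open_chains.pop(reg)
                chains.append((s, reg, v))
            open_chains[reg] = [off, imm]
        elif reg in open_chains:
            v = open_chains[reg][1]
            open_chains[reg][1] = {"xor": v ^ imm, "add": (v + imm) & MASK, "sub": (v - imm) & MASK}[op]
        # xor/add/sub on a register without a preceding immediate mov is not a chain; ignore it
    chains.extend((s, r, v) for r, (s, v) in open_chains.items())
    return chains


def describe(value):
    """Name a folded constant if it points into KUSER_SHARED_DATA, else print it as hex."""
    if KUSER_SHARED_DATA <= value < KUSER_SHARED_DATA + 0x1000:
        off = value - KUSER_SHARED_DATA
        name = KUSER_FIELDS.get(off)
        return f"KUSER_SHARED_DATA+0x{off:x}" + (f" ({name})" if name else "")
    return f"0x{value:08x}"


# Excerpt of the second RDTSC interceptor trace in the report (unrelated lines dropped).
TRACE = """\
0x00000000 rdtsc
0x00000002 mov eax, 4344BD4Eh
0x00000007 xor eax, 9523C638h
0x0000000c xor eax, 8C421A1Dh
0x00000011 sub eax, 5A25616Ah
0x00000016 cpuid
0x00000021 mov edx, FAD6A590h
0x00000026 xor edx, B228D1B3h
0x0000002c xor edx, 57AF33B0h
0x00000032 xor edx, 60AF4787h
0x00000038 mov edx, dword ptr [edx]
0x0000004b mov ebx, F34FAB69h
0x00000050 add ebx, D3E79685h
0x00000056 xor ebx, 85E85CE5h
0x0000005c sub ebx, 42DF1D0Bh
0x00000062 cmp ecx, ebx
0x0000008b mov edx, FAD6A590h
0x00000090 xor edx, B228D1B3h
0x00000096 xor edx, 57AF33B0h
0x0000009c xor edx, 60AF4787h
0x000000a2 mov edx, dword ptr [edx]
0x000000ab rdtsc
"""

if __name__ == "__main__":
    for start, reg, value in resolve_constant_chains(TRACE):
        print(f"+0x{start:02x}: {reg} = {describe(value)}")
```

The resolver deliberately ignores memory operands and register-to-register moves; when a chain is interrupted by one of those the partial value is still emitted, which is what you want when the consuming instruction is the dereference itself.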
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D726A rdtsc 0_2_021D726A

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\FACTURA.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DAA32 mov eax, dword ptr fs:[00000030h] 0_2_021DAA32
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DAABB mov eax, dword ptr fs:[00000030h] 0_2_021DAABB
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D4794 mov eax, dword ptr fs:[00000030h] 0_2_021D4794
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D4383 mov eax, dword ptr fs:[00000030h] 0_2_021D4383
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D97FC mov eax, dword ptr fs:[00000030h] 0_2_021D97FC
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D97FE mov eax, dword ptr fs:[00000030h] 0_2_021D97FE
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D98B3 mov eax, dword ptr fs:[00000030h] 0_2_021D98B3
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D6DDC mov eax, dword ptr fs:[00000030h] 0_2_021D6DDC
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D9DE9 mov eax, dword ptr fs:[00000030h] 0_2_021D9DE9
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021D726A rdtsc 0_2_021D726A
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DB9D6 RtlAddVectoredExceptionHandler, 0_2_021DB9D6
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBA08 RtlAddVectoredExceptionHandler, 0_2_021DBA08
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBE7C RtlAddVectoredExceptionHandler, 0_2_021DBE7C
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBA65 RtlAddVectoredExceptionHandler, 0_2_021DBA65
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBAD8 RtlAddVectoredExceptionHandler, 0_2_021DBAD8
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBEF5 RtlAddVectoredExceptionHandler, 0_2_021DBEF5
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBB47 RtlAddVectoredExceptionHandler, 0_2_021DBB47
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBBAF RtlAddVectoredExceptionHandler, 0_2_021DBBAF
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBC4D RtlAddVectoredExceptionHandler, 0_2_021DBC4D
Source: C:\Users\user\Desktop\FACTURA.exe Code function: 0_2_021DBDBA RtlAddVectoredExceptionHandler, 0_2_021DBDBA
Source: FACTURA.exe, 00000000.00000002.1202275518.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: FACTURA.exe, 00000000.00000002.1202275518.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: FACTURA.exe, 00000000.00000002.1202275518.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Progman
Source: FACTURA.exe, 00000000.00000002.1202275518.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Progmanlock
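The signatures in the Data Obfuscation, Malware Analysis System Evasion and Anti Debugging sections (push/ret and pushad/iretd control-flow tricks, rdtsc timing, fs:[30h] PEB reads) all reduce to short, fixed opcode sequences. The script below is an added example, not the sandbox's signature engine, of a byte-pattern triage scan over a dumped code region that reports those sequences and flags the rdtsc/cpuid/rdtsc timing idiom. It is a pattern match, not a disassembly, so it belongs on code regions such as 021D0000 rather than on data, where "push r32; ret" in particular will produce noise. The code blob it scans is constructed for the example and is not bytes from FACTURA.exe.

```python
import re

# (label, byte pattern) for the instruction sequences flagged in this report.
PATTERNS = [
    ("rdtsc",                   rb"\x0f\x31"),
    ("cpuid",                   rb"\x0f\xa2"),
    ("lfence",                  rb"\x0f\xae\xe8"),
    ("mov eax, fs:[30h] (PEB)", rb"\x64\xa1\x30\x00\x00\x00"),
    # mov r32, fs:[30h]: 64 8B /r with mod=00 rm=101 (disp32); the reg field picks the register
    ("mov r32, fs:[30h] (PEB)", rb"\x64\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]\x30\x00\x00\x00"),
    ("push r32; ret",           rb"[\x50-\x57]\xc3"),
    ("pushad; iretd",           rb"\x60\xcf"),
    ("push cs; retf",           rb"\x0e\xcb"),
    ("push ss; iretd",          rb"\x16\xcf"),
]


def scan_anti_analysis(code, base=0):
    """Return sorted (address, label) hits for every pattern found in `code`."""
    hits = []
    for label, pat in PATTERNS:
        hits.extend((base + m.start(), label) for m in re.finditer(pat, code))
    return sorted(hits)


def has_timing_check(hits, window=0x100):
    """True if two rdtsc reads bracket a cpuid within `window` bytes: the
    rdtsc / cpuid / rdtsc idiom that times a forced VM exit."""
    rdtsc = [a for a, label in hits if label == "rdtsc"]
    cpuid = [a for a, label in hits if label == "cpuid"]
    return any(
        a < b <= a + window and any(a < c < b for c in cpuid)
        for a in rdtsc for b in rdtsc
    )


# Constructed code blob (not bytes from the sample): a PEB.BeingDebugged read,
# a timing check, then two push/ret-style control-flow tricks, separated by NOPs.
SAMPLE_CODE = (
    b"\x90" * 4
    + b"\x64\xa1\x30\x00\x00\x00"   # mov eax, fs:[30h]      -> PEB
    + b"\x8a\x40\x02"               # mov al, [eax+2]        -> PEB.BeingDebugged
    + b"\x90" * 3
    + b"\x0f\x31"                   # rdtsc
    + b"\x0f\xae\xe8"               # lfence
    + b"\x60"                       # pushad
    + b"\x0f\xa2"                   # cpuid                  -> forces a VM exit
    + b"\x61"                       # popad
    + b"\x0f\x31"                   # rdtsc
    + b"\x90" * 2
    + b"\x57\xc3"                   # push edi; ret          -> indirect jump
    + b"\x60\xcf"                   # pushad; iretd
)

if __name__ == "__main__":
    found = scan_anti_analysis(SAMPLE_CODE, base=0x021D0000)
    for addr, label in found:
        print(f"{addr:08X}  {label}")
    print("timing check:", has_timing_check(found))
```

When scanning a full process dump, pass the region's load address as `base` so hits line up with the `0_2_021Dxxxx` function addresses the report uses, and treat a timing-check hit as a prompt to inspect the surrounding loop rather than as a verdict on its own.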
No contacted IP infos