Windows Analysis Report PEDIDO.exe

Overview

General Information

Sample Name: PEDIDO.exe
Analysis ID: 502290
MD5: 83046fa32e563289dbd98efe27f884f4
SHA1: fdacb1537161c011f5803471b6971225010d4e71
SHA256: 6b3d06b20b3ae5a3dd8d3a2eb9eb1f1a86d9ba5eb59f5ef75cfa1b2f28dcfd6c
Tags: exe, guloader

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Contains functionality to call native functions
Sample file name differs from the original file name in the version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.778170637.00000000021D0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?expordD|"}

Compliance:

Uses 32bit PE files
Source: PEDIDO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?expordD|

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: PEDIDO.exe, 00000000.00000002.775910735.000000000079A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: PEDIDO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D754D NtAllocateVirtualMemory, 0_2_021D754D
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D7685 NtAllocateVirtualMemory, 0_2_021D7685
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D7500 NtAllocateVirtualMemory, 0_2_021D7500
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D75B8 NtAllocateVirtualMemory, 0_2_021D75B8
Sample file name differs from the original file name in the version info
Source: PEDIDO.exe, 00000000.00000002.775473557.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSkovslotte5.exe vs PEDIDO.exe
Source: PEDIDO.exe Binary or memory string: OriginalFilenameSkovslotte5.exe vs PEDIDO.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\PEDIDO.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_00401441 0_2_00401441
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_0040167D 0_2_0040167D
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_00401630 0_2_00401630
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021DB8DA 0_2_021DB8DA
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D754D 0_2_021D754D
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D5814 0_2_021D5814
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D7A10 0_2_021D7A10
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D7C39 0_2_021D7C39
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D6068 0_2_021D6068
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021DA48D 0_2_021DA48D
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D5A83 0_2_021D5A83
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D5CBC 0_2_021D5CBC
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D62B0 0_2_021D62B0
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D54DB 0_2_021D54DB
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D9ED7 0_2_021D9ED7
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D6EC8 0_2_021D6EC8
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D56FC 0_2_021D56FC
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D7B1C 0_2_021D7B1C
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D7D1B 0_2_021D7D1B
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D6F08 0_2_021D6F08
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D5F07 0_2_021D5F07
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D7500 0_2_021D7500
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D5B38 0_2_021D5B38
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021DA941 0_2_021DA941
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D7342 0_2_021D7342
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D5167 0_2_021D5167
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D5B94 0_2_021D5B94
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021DA7BC 0_2_021DA7BC
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D15B1 0_2_021D15B1
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D51B1 0_2_021D51B1
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D79A0 0_2_021D79A0
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D59D5 0_2_021D59D5
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D7BF4 0_2_021D7BF4
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D5DF0 0_2_021D5DF0
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D67E9 0_2_021D67E9
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D55E0 0_2_021D55E0
Source: C:\Users\user\Desktop\PEDIDO.exe File created: C:\Users\user~1\AppData\Local\Temp\~DFA503C7990D69B3B8.TMP
Source: PEDIDO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PEDIDO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PEDIDO.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.778170637.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_00406171 push ds; ret 0_2_00406172
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D0678 push ecx; iretd 0_2_021D0680
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D24A4 push ebx; retf 0_2_021D24A5
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D1728 push ecx; iretd 0_2_021D18BD
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D8B9E push es; iretd 0_2_021D8B9F
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D15B1 push ecx; iretd 0_2_021D18BD
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D17C4 push ecx; iretd 0_2_021D18BD
Source: C:\Users\user\Desktop\PEDIDO.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PEDIDO.exe RDTSC instruction interceptor: First address: 000000000040F011 second address: 000000000040F011 instructions:
  0x00000000 rdtsc
  0x00000002 wait
  0x00000003 mfence
  0x00000006 popad
  0x00000007 nop
  0x00000008 nop
  0x00000009 dec edi
  0x0000000a mfence
  0x0000000d cmp ecx, 000000D9h
  0x00000013 cmp edi, 00000000h
  0x00000016 jne 00007F6A04DFC4ABh
  0x00000018 pushfd
  0x00000019 popfd
  0x0000001a cmp eax, 3Eh
  0x0000001d pushad
  0x0000001e lfence
  0x00000021 cmp ecx, 00000096h
  0x00000027 rdtsc
Source: C:\Users\user\Desktop\PEDIDO.exe RDTSC instruction interceptor: First address: 00000000021D6E81 second address: 00000000021D6E81 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 22DB5954h
  0x00000007 xor eax, 441A9EA9h
  0x0000000c sub eax, 6FF07AD2h
  0x00000011 xor eax, F6D14D2Ah
  0x00000016 cpuid
  0x00000018 popad
  0x00000019 call 00007F6A04394AB8h
  0x0000001e lfence
  0x00000021 mov edx, 46F988CAh
  0x00000026 xor edx, 81718B2Dh
  0x0000002c xor edx, 9D47D208h
  0x00000032 xor edx, 2531D1FBh
  0x00000038 mov edx, dword ptr [edx]
  0x0000003a lfence
  0x0000003d ret
  0x0000003e sub edx, esi
  0x00000040 ret
  0x00000041 cmp dx, cx
  0x00000044 pop ecx
  0x00000045 add edi, edx
  0x00000047 dec ecx
  0x00000048 mov dword ptr [ebp+0000019Eh], edi
  0x0000004e mov edi, 702D4F49h
  0x00000053 cmp edx, ecx
  0x00000055 add edi, 87EB9CDBh
  0x0000005b sub edi, 175830E3h
  0x00000061 add edi, 1F3F44BFh
  0x00000067 cmp ecx, edi
  0x00000069 mov edi, dword ptr [ebp+0000019Eh]
  0x0000006f jne 00007F6A04394A6Ch
  0x00000071 mov dword ptr [ebp+000001CFh], eax
  0x00000077 mov eax, ecx
  0x00000079 test dl, cl
  0x0000007b push eax
  0x0000007c mov eax, dword ptr [ebp+000001CFh]
  0x00000082 call 00007F6A04394B7Fh
  0x00000087 call 00007F6A04394AD9h
  0x0000008c lfence
  0x0000008f mov edx, 46F988CAh
  0x00000094 xor edx, 81718B2Dh
  0x0000009a xor edx, 9D47D208h
  0x000000a0 xor edx, 2531D1FBh
  0x000000a6 mov edx, dword ptr [edx]
  0x000000a8 lfence
  0x000000ab ret
  0x000000ac mov esi, edx
  0x000000ae pushad
  0x000000af rdtsc
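The timing loop at 021D6E81 builds every constant it needs out of mov/xor/add/sub chains, so neither the cpuid leaf nor the address it dereferences survives a scan for literal immediates. The script below is an added example, not part of this report and not sandbox or GuLoader code: it parses the interceptor listing exactly as the sandbox printed it (copied into LISTING), emulates only the 32-bit immediate-operand arithmetic with wrap-around, and reports what each chain resolves to at its point of use. The KUSER_SHARED_DATA base address and field offsets are assumed from the public Windows layout.

```python
"""Recover the arithmetically obfuscated constants in the RDTSC loop above.

Added example for illustration; not part of the Joe Sandbox report and not
GuLoader code.  Only 32-bit mov/xor/add/sub with immediate operands is
emulated; every other register write invalidates what we know.
"""
import re

MASK = 0xFFFFFFFF
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}

# Instruction stream copied from the report's second RDTSC interceptor entry
# (site 021D6E81), in the sandbox's flat "offset mnemonic operands" form.
LISTING = (
    "0x00000000 rdtsc 0x00000002 mov eax, 22DB5954h 0x00000007 xor eax, 441A9EA9h "
    "0x0000000c sub eax, 6FF07AD2h 0x00000011 xor eax, F6D14D2Ah 0x00000016 cpuid "
    "0x00000018 popad 0x00000019 call 00007F6A04394AB8h 0x0000001e lfence "
    "0x00000021 mov edx, 46F988CAh 0x00000026 xor edx, 81718B2Dh "
    "0x0000002c xor edx, 9D47D208h 0x00000032 xor edx, 2531D1FBh "
    "0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret "
    "0x0000003e sub edx, esi 0x00000040 ret 0x00000041 cmp dx, cx 0x00000044 pop ecx "
    "0x00000045 add edi, edx 0x00000047 dec ecx "
    "0x00000048 mov dword ptr [ebp+0000019Eh], edi 0x0000004e mov edi, 702D4F49h "
    "0x00000053 cmp edx, ecx 0x00000055 add edi, 87EB9CDBh 0x0000005b sub edi, 175830E3h "
    "0x00000061 add edi, 1F3F44BFh 0x00000067 cmp ecx, edi "
    "0x00000069 mov edi, dword ptr [ebp+0000019Eh] 0x0000006f jne 00007F6A04394A6Ch "
    "0x00000071 mov dword ptr [ebp+000001CFh], eax 0x00000077 mov eax, ecx "
    "0x00000079 test dl, cl 0x0000007b push eax "
    "0x0000007c mov eax, dword ptr [ebp+000001CFh] 0x00000082 call 00007F6A04394B7Fh "
    "0x00000087 call 00007F6A04394AD9h 0x0000008c lfence 0x0000008f mov edx, 46F988CAh "
    "0x00000094 xor edx, 81718B2Dh 0x0000009a xor edx, 9D47D208h "
    "0x000000a0 xor edx, 2531D1FBh 0x000000a6 mov edx, dword ptr [edx] "
    "0x000000a8 lfence 0x000000ab ret 0x000000ac mov esi, edx 0x000000ae pushad "
    "0x000000af rdtsc"
)

# Assumed from the public Windows layout: KUSER_SHARED_DATA is mapped read-only
# at 0x7FFE0000 in every 32-bit process; offsets are the ntddk field positions.
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {0x00: "TickCountLowDeprecated", 0x08: "InterruptTime",
                0x14: "SystemTime", 0x320: "TickCount"}

ALU = {
    "mov": lambda old, imm: imm,
    "xor": lambda old, imm: old ^ imm,
    "add": lambda old, imm: (old + imm) & MASK,
    "sub": lambda old, imm: (old - imm) & MASK,
}
READ_ONLY = {"cmp", "test", "push", "jne", "je", "jmp"}   # never write a register
CLOBBER_ALL = {"cpuid", "rdtsc", "popad", "call", "ret"}  # forget every tracked value


def parse(listing):
    """Yield (offset, mnemonic, operands) from the sandbox's one-line listing."""
    for chunk in re.split(r"\s+(?=0x[0-9a-fA-F]{8}\s)", listing.strip()):
        parts = chunk.split(None, 2)
        operands = [o.strip() for o in parts[2].split(",")] if len(parts) > 2 else []
        yield int(parts[0], 16), parts[1], operands


def imm(token):
    """Parse the listing's 'XXXXXXXXh' immediates; None for any other operand."""
    m = re.fullmatch(r"([0-9A-Fa-f]+)h", token)
    return int(m.group(1), 16) if m else None


def label(addr):
    """Name a resolved address if it falls inside KUSER_SHARED_DATA."""
    off = addr - KUSER_SHARED_DATA
    if 0 <= off < 0x1000:
        return "KUSER_SHARED_DATA+0x%X (%s)" % (off, KUSER_FIELDS.get(off, "?"))
    return None


def recover(listing=LISTING):
    known = {}  # register -> value built purely from immediates since last clobber
    found = {"cpuid_leaf": None, "mem_reads": [], "cmp_consts": []}
    for off, mnem, ops in parse(listing):
        if mnem in ALU and len(ops) == 2 and ops[0] in REGS and imm(ops[1]) is not None:
            reg, val = ops[0], imm(ops[1])
            if mnem == "mov":
                known[reg] = val
            elif reg in known:
                known[reg] = ALU[mnem](known[reg], val)
            continue
        if mnem == "cpuid":
            found["cpuid_leaf"] = known.get("eax")          # leaf requested
        elif mnem == "mov" and ops[0] in REGS and ops[1].startswith("dword ptr ["):
            src = ops[1][len("dword ptr ["):-1]             # register holding the pointer
            if src in known:
                found["mem_reads"].append((off, known[src], label(known[src])))
        elif mnem == "cmp":
            for reg in ops:
                if reg in known:
                    found["cmp_consts"].append((off, reg, known[reg]))
        if mnem in CLOBBER_ALL:
            known.clear()
        elif ops and ops[0] in REGS and mnem not in READ_ONLY:
            known.pop(ops[0], None)
    return found


if __name__ == "__main__":
    for key, value in recover().items():
        print(key, value)
```

Run as written, the script resolves the cpuid leaf to 1 (the leaf whose ECX bit 31 hypervisors set), both edx chains to 0x7FFE0014 (KUSER_SHARED_DATA.SystemTime, read twice between the two rdtsc executions), and the edi chain that is compared against ecx to 0. The last value is only reachable because the adds carry out of 32 bits, which is why the emulation masks to MASK after every operation; a wider emulation would report a nonsense constant.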
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D6E18 rdtsc 0_2_021D6E18

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\PEDIDO.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D980C mov eax, dword ptr fs:[00000030h] 0_2_021D980C
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D6CBF mov eax, dword ptr fs:[00000030h] 0_2_021D6CBF
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D9D56 mov eax, dword ptr fs:[00000030h] 0_2_021D9D56
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021DA941 mov eax, dword ptr fs:[00000030h] 0_2_021DA941
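The rdtsc, push/ret and fs:[30h] findings above are byte-pattern hits. The scanner below is an added example (not the sandbox's rules) that looks for the same primitives in a raw 32-bit code buffer: rdtsc pairs with a cpuid between them, the PEB read, push imm32; ret jumps, and the two-byte push-register/ret-family pairs. SAMPLE is a constructed buffer, the encodings are the standard Intel ones, and the 64-byte window for pairing rdtsc executions is an assumed threshold.

```python
"""Flag the anti-analysis primitives this report lists in raw 32-bit x86 code.

Added example for illustration; it is not the sandbox's own detection logic.
The byte patterns are standard Intel encodings; the sample buffer is
constructed here so that each pattern fires exactly once.
"""
import re

RDTSC = b"\x0f\x31"
CPUID = b"\x0f\xa2"
PEB_READ = b"\x64\xa1\x30\x00\x00\x00"  # mov eax, dword ptr fs:[30h]
# push imm32; ret -- an obfuscated absolute jump
PUSH_IMM32_RET = re.compile(rb"\x68.{4}\xc3", re.DOTALL)
# push es/cs/ss/ds or push r32 followed by ret/retf/iretd -- the shape behind
# the report's "push ds; ret" and "push ecx; iretd" hits
PUSH_REG_RET = re.compile(rb"[\x06\x0e\x16\x1e\x50-\x57][\xc3\xcb\xcf]")

# Constructed sample: rdtsc / cpuid(1) / rdtsc timing probe, a PEB.BeingDebugged
# read, a push/ret jump and a push ds; ret pair.  Offsets in the comments.
SAMPLE = (
    b"\x0f\x31"                  # 00: rdtsc
    b"\x50"                      # 02: push eax
    b"\xb8\x01\x00\x00\x00"      # 03: mov eax, 1
    b"\x0f\xa2"                  # 08: cpuid (causes a VM exit under a hypervisor)
    b"\x58"                      # 10: pop eax
    b"\x0f\x31"                  # 11: rdtsc
    b"\x64\xa1\x30\x00\x00\x00"  # 13: mov eax, fs:[30h]  (PEB)
    b"\x0f\xb6\x40\x02"          # 19: movzx eax, byte ptr [eax+2]  (BeingDebugged)
    b"\x68\x78\x56\x34\x12"      # 23: push 12345678h
    b"\xc3"                      # 28: ret
    b"\x1e\xc3"                  # 29: push ds; ret
)


def offsets(code, pattern):
    """All match offsets of a fixed byte string or a compiled regex in code."""
    if isinstance(pattern, bytes):
        pattern = re.compile(re.escape(pattern))
    return [m.start() for m in pattern.finditer(code)]


def timing_windows(code, max_gap=64):
    """Consecutive rdtsc pairs within max_gap bytes with a cpuid between them,
    the rdtsc ... cpuid ... rdtsc shape at the 021D6E81 interceptor site."""
    ticks, serialising = offsets(code, RDTSC), offsets(code, CPUID)
    return [(a, b) for a, b in zip(ticks, ticks[1:])
            if b - a <= max_gap and any(a < c < b for c in serialising)]


def scan(code):
    return {
        "rdtsc": offsets(code, RDTSC),
        "cpuid": offsets(code, CPUID),
        "timing_windows": timing_windows(code),
        "peb_read": offsets(code, PEB_READ),
        "push_imm32_ret": offsets(code, PUSH_IMM32_RET),
        "push_reg_ret": offsets(code, PUSH_REG_RET),
    }


if __name__ == "__main__":
    for name, hits in scan(SAMPLE).items():
        print("%-16s %s" % (name, hits))
```

The rdtsc/cpuid window and the fs:[30h] read are specific enough to act on; the two-byte push-register/ret pairs are not, because they match just as readily inside data and in the middle of longer instructions, so they should be weighted as a weak signal rather than treated as proof of obfuscated control flow.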
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021D6E18 rdtsc 0_2_021D6E18
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_021DB8DA RtlAddVectoredExceptionHandler, 0_2_021DB8DA
Source: PEDIDO.exe, 00000000.00000002.777397061.0000000000D20000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: PEDIDO.exe, 00000000.00000002.777397061.0000000000D20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: PEDIDO.exe, 00000000.00000002.777397061.0000000000D20000.00000002.00020000.sdmp Binary or memory string: Progman
Source: PEDIDO.exe, 00000000.00000002.777397061.0000000000D20000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP information.