Windows Analysis Report mU9H96igb3

Overview

General Information

Sample Name: mU9H96igb3 (renamed file extension from none to exe)
Analysis ID: 502656
MD5: 8777020a37b6797241a489a707b9784b
SHA1: a1ed1029b967295f9ce5e9d219f41dc6c7fc4d1a
SHA256: 8a45d901cab57a1b65c32aea2452f56436dcf01c37bdf7875838e6054f395d90
Tags: 32, exe, trojan

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

AV Detection:

Found malware configuration
Source: 00000000.00000002.1193811530.0000000004BF0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://implantecapilarpereira.com/NetGen"}
Multi AV Scanner detection for submitted file
Source: mU9H96igb3.exe Virustotal: Detection: 32%
Source: mU9H96igb3.exe Metadefender: Detection: 25%
Source: mU9H96igb3.exe ReversingLabs: Detection: 24%
Machine Learning detection for sample
Source: mU9H96igb3.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: mU9H96igb3.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://implantecapilarpereira.com/NetGen

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: mU9H96igb3.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: mU9H96igb3.exe, 00000000.00000000.665404546.0000000000431000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe
Source: mU9H96igb3.exe Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe
PE file contains strange resources
Source: mU9H96igb3.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C0557A 0_2_04C0557A
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C1474A 0_2_04C1474A
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C000C6 0_2_04C000C6
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C0ECDD 0_2_04C0ECDD
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C100B4 0_2_04C100B4
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C0087E 0_2_04C0087E
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C0E400 0_2_04C0E400
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C07574 0_2_04C07574
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04BF4AA2 0_2_04BF4AA2
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C11BCE 0_2_04C11BCE
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C06BF6 0_2_04C06BF6
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C04B8B 0_2_04C04B8B
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C1130A 0_2_04C1130A
Contains functionality to call native functions
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C0557A NtAllocateVirtualMemory, 0_2_04C0557A
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\mU9H96igb3.exe Process Stats: CPU usage > 98%
Source: mU9H96igb3.exe Virustotal: Detection: 32%
Source: mU9H96igb3.exe Metadefender: Detection: 25%
Source: mU9H96igb3.exe ReversingLabs: Detection: 24%
Source: mU9H96igb3.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mU9H96igb3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\mU9H96igb3.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1193811530.0000000004BF0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_0041A474 push ebp; ret 0_2_0041A4CD
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_0040E9CB push ecx; retf 0_2_0040E9CC
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_004191F0 push ecx; ret 0_2_004191F1
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_004131A3 push ecx; ret 0_2_004132DD
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_004086CE push eax; retf 0_2_004086CF
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_00411ACE push ecx; ret 0_2_00411B05
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_004132DE push ecx; ret 0_2_0041331D
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_0041729D push edx; retf 0_2_004172A6
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_0040DAAA push ecx; ret 0_2_0040DAD5
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_0040E6B3 push ecx; ret 0_2_0040E6C1
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_00417AB9 push eax; ret 0_2_00417AC3
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_0040A750 push ss; retf 0_2_0040A751
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_00411B06 push ecx; ret 0_2_00411B05
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_00407B81 push esi; retf 0_2_00407B83
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C14084 push FFFFFF94h; retf 0_2_04BF2B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04BF1611 push esi; iretd 0_2_04BF167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04BF2A10 push FFFFFF94h; retf 0_2_04BF2B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04BF465A push ebx; retf 0_2_04BF4661
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04BF67BC push es; ret 0_2_04BF67F4
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C06BF6 push FFFFFF94h; retf 0_2_04BF2B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04BF1327 push esi; iretd 0_2_04BF167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04BF1366 push esi; iretd 0_2_04BF167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\mU9H96igb3.exe RDTSC instruction interceptor: First address: 0000000004C0F8E2 second address: 0000000004C0F8E2 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 3AB33088h
    0x00000007 sub eax, 03336DF3h
    0x0000000c xor eax, 78D04D3Fh
    0x00000011 xor eax, 4FAF8FABh
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 jmp 00007FC97CF5E8D9h
    0x0000001e cmp eax, edx
    0x00000020 call 00007FC97CF5E7AAh
    0x00000025 lfence
    0x00000028 mov edx, 337D36F1h
    0x0000002d xor edx, 66E5A0A3h
    0x00000033 xor edx, 9D6B538Dh
    0x00000039 xor edx, B70DC5CBh
    0x0000003f mov edx, dword ptr [edx]
    0x00000041 lfence
    0x00000044 jmp 00007FC97CF5E8DDh
    0x00000049 test cl, bl
    0x0000004b ret
    0x0000004c sub edx, esi
    0x0000004e ret
    0x0000004f add edi, edx
    0x00000051 dec dword ptr [ebp+000000F8h]
    0x00000057 cmp dword ptr [ebp+000000F8h], 00000000h
    0x0000005e jne 00007FC97CF5E78Ch
    0x00000060 call 00007FC97CF5E91Fh
    0x00000065 call 00007FC97CF5E906h
    0x0000006a lfence
    0x0000006d mov edx, 337D36F1h
    0x00000072 xor edx, 66E5A0A3h
    0x00000078 xor edx, 9D6B538Dh
    0x0000007e xor edx, B70DC5CBh
    0x00000084 mov edx, dword ptr [edx]
    0x00000086 lfence
    0x00000089 jmp 00007FC97CF5E8DDh
    0x0000008e test cl, bl
    0x00000090 ret
    0x00000091 mov esi, edx
    0x00000093 pushad
    0x00000094 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C0F8DA rdtsc 0_2_04C0F8DA

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\mU9H96igb3.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C0C054 mov eax, dword ptr fs:[00000030h] 0_2_04C0C054
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C0E990 mov eax, dword ptr fs:[00000030h] 0_2_04C0E990
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C046A0 mov eax, dword ptr fs:[00000030h] 0_2_04C046A0
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C11BCE mov eax, dword ptr fs:[00000030h] 0_2_04C11BCE
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C0F8DA rdtsc 0_2_04C0F8DA
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 0_2_04C1474A RtlAddVectoredExceptionHandler, 0_2_04C1474A
Source: mU9H96igb3.exe, 00000000.00000002.1192442091.0000000000DC0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: mU9H96igb3.exe, 00000000.00000002.1192442091.0000000000DC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: mU9H96igb3.exe, 00000000.00000002.1192442091.0000000000DC0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: mU9H96igb3.exe, 00000000.00000002.1192442091.0000000000DC0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos